Closed Bug 829421 Opened 11 years ago Closed 11 years ago

ArgumentObjects memory leak

Tracking

()

Status:

RESOLVED FIXED

Milestone:

mozilla21

Tracking Flags:

Tracking

Status

firefox18

---

wontfix

firefox19

---

fixed

firefox20

---

fixed

firefox21

---

fixed

firefox-esr17

---

fixed

b2g18

---

wontfix

People

(Reporter: darkxst, Assigned: darkxst)

Details

(Whiteboard: [MemShrink])

Attachments

(2 files)

fix leak of data when jsobject fails. 11 years ago darkxst 634 bytes, patch	nbp : review+ akeybl : approval-mozilla-aurora+ akeybl : approval-mozilla-beta+ akeybl : approval-mozilla-release- akeybl : approval-mozilla-esr17+ akeybl : approval-mozilla-b2g18-	Details \| Diff \| Splinter Review
tbpl log 11 years ago Gary Kwong [:gkw] [:nth10sd] (NOT official MoCo now) 34.73 KB, text/plain		Details

darkxst

Assignee

Description

•

11 years ago

Been seeing this leak for some time. This particular trace is from gjs built against the ESR17 engine.

==32610== 340,672 bytes in 6,084 blocks are definitely lost in loss record 21,799 of 21,837
==32610==    at 0x4C2CD7B: malloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==32610==    by 0x7D584D1: js::ArgumentsObject::create(JSContext*, js::StackFrame*) (Utility.h:157)
==32610==    by 0x7D58D08: js::ArgumentsObject::createExpected(JSContext*, js::StackFrame*) (ArgumentsObject.cpp:103)
==32610==    by 0x7C85F92: js::Interpret(JSContext*, js::StackFrame*, js::InterpMode) (jsinterp.cpp:2721)
==32610==    by 0x7C88D1C: js::RunScript(JSContext*, JSScript*, js::StackFrame*) (jsinterp.cpp:309)
==32610==    by 0x7C8969C: js::InvokeKernel(JSContext*, JS::CallArgs, js::MaybeConstruct) (jsinterp.cpp:363)
==32610==    by 0x7C50720: js_fun_apply(JSContext*, unsigned int, JS::Value*) (jsinterp.h:119)
==32610==    by 0x7C89537: js::InvokeKernel(JSContext*, JS::CallArgs, js::MaybeConstruct) (jscntxtinlines.h:372)
==32610==    by 0x7C82778: js::Interpret(JSContext*, js::StackFrame*, js::InterpMode) (jsinterp.cpp:2414)
==32610==    by 0x7C88D1C: js::RunScript(JSContext*, JSScript*, js::StackFrame*) (jsinterp.cpp:309)
==32610==    by 0x7C8969C: js::InvokeKernel(JSContext*, JS::CallArgs, js::MaybeConstruct) (jsinterp.cpp:363)
==32610==    by 0x7C50720: js_fun_apply(JSContext*, unsigned int, JS::Value*) (jsinterp.h:119)

darkxst

Assignee

Updated

•

11 years ago

Summary: memory leak → ArgumentObjects memory leak

darkxst

Assignee

Comment 1

•

11 years ago

Attached patch fix leak of data when jsobject fails. — Details — Splinter Review

Nicolas B. Pierron [:nbp]

Comment 2

•

11 years ago

Comment on attachment 701528 [details] [diff] [review]
fix leak of data when jsobject fails.

Review of attachment 701528 [details] [diff] [review]:
-----------------------------------------------------------------

Good catch!

Attachment #701528 - Flags: review+

Nicholas Nethercote [inactive]

Comment 3

•

11 years ago

Comment on attachment 701528 [details] [diff] [review]
fix leak of data when jsobject fails.

Review of attachment 701528 [details] [diff] [review]:
-----------------------------------------------------------------

Please use eight lines of context in your diffs! :)

Nicolas B. Pierron [:nbp]

Comment 4

•

11 years ago

https://hg.mozilla.org/integration/mozilla-inbound/rev/e7e4224b8c8d

Marco Bonardo [:mak] (Away Apr 25 - May 5)

Comment 5

•

11 years ago

backed out for butage on all platforms

https://hg.mozilla.org/integration/mozilla-inbound/rev/dbaf061c64fb

e:/builds/moz2_slave/m-in-w32/build/js/src/vm/ArgumentsObject.cpp(165) : error C2039: 'free_' : is not a member of 'JSContext'

Assignee: general → darkxst

Status: UNCONFIRMED → ASSIGNED

Ever confirmed: true

Nicolas B. Pierron [:nbp]

Comment 6

•

11 years ago

https://hg.mozilla.org/integration/mozilla-inbound/rev/9f56d7e548f1

Apparently at one point, we changed from cx->free_ to js_free.  I just updated the patch accordingly to push it to inbound.

:Ms2ger (he/him; ⌚ UTC+1/+2)

Comment 7

•

11 years ago

https://hg.mozilla.org/mozilla-central/rev/9f56d7e548f1

Status: ASSIGNED → RESOLVED

Closed: 11 years ago

Resolution: --- → FIXED

Target Milestone: --- → mozilla21

darkxst

Assignee

Comment 8

•

11 years ago

Would it be possible to get this backported to the 17 branch, sometime before the next release of standalone spidermonkey happens.

This leak appears to have quite a large impact on memory usage in gnome-shell, and is in fact one of the larger remaining leaks from the valgrind logs.

Nicolas B. Pierron [:nbp]

Comment 9

•

11 years ago

Comment on attachment 701528 [details] [diff] [review]
fix leak of data when jsobject fails.

[Approval Request Comment]
Bug caused by (feature/regressing bug #):
  Bug 684507, by moving the object allocation after the ArgumentsData structure.

User impact if declined: (same as below)
If this is not a sec:{high,crit} bug, please state case for ESR consideration:
  Leak, apparently important in the gnome-shell which rely on ESR versions.

Fix Landed on Version:
  Nightly 9f56d7e548f1

Risk to taking this patch (and alternatives if risky):
  None, just need to take care to use cx->free_ on oldest version and use js_free on recent one.

String or UUID changes made by this patch:
  N/A

Attachment #701528 - Flags: approval-mozilla-release?

Attachment #701528 - Flags: approval-mozilla-esr17?

Attachment #701528 - Flags: approval-mozilla-beta?

Attachment #701528 - Flags: approval-mozilla-b2g18?

Attachment #701528 - Flags: approval-mozilla-aurora?

Alex Keybl [:akeybl]

Comment 10

•

11 years ago

Comment on attachment 701528 [details] [diff] [review]
fix leak of data when jsobject fails.

Approving for ESR and Aurora/Beta given where we are in the cycle and the risk profile here. It's not clear that this fix is needed on the B2G branch for the time being.

Attachment #701528 - Flags: approval-mozilla-release?

Attachment #701528 - Flags: approval-mozilla-release-

Attachment #701528 - Flags: approval-mozilla-esr17?

Attachment #701528 - Flags: approval-mozilla-esr17+

Attachment #701528 - Flags: approval-mozilla-beta?

Attachment #701528 - Flags: approval-mozilla-beta+

Attachment #701528 - Flags: approval-mozilla-b2g18?

Attachment #701528 - Flags: approval-mozilla-b2g18-

Attachment #701528 - Flags: approval-mozilla-aurora?

Attachment #701528 - Flags: approval-mozilla-aurora+

Ryan VanderMeulen [:RyanVM]

Comment 11

•

11 years ago

https://hg.mozilla.org/releases/mozilla-aurora/rev/d8040799b82a
https://hg.mozilla.org/releases/mozilla-beta/rev/c1b4639bd3b8
https://hg.mozilla.org/releases/mozilla-esr17/rev/fbd17599c5e5

status-b2g18: --- → wontfix

status-firefox18: --- → wontfix

status-firefox19: --- → fixed

status-firefox20: --- → fixed

status-firefox21: --- → fixed

status-firefox-esr17: --- → fixed

Ryan VanderMeulen [:RyanVM]

Comment 12

•

11 years ago

Backed out on esr17 for bustage:
https://hg.mozilla.org/releases/mozilla-esr17/rev/95405d6f2621

Re-landed, this time with feeling:
https://hg.mozilla.org/releases/mozilla-esr17/rev/946a0d000fbe

Mihai Morar, (:MihaiMorar)

Comment 13

•

11 years ago

(In reply to darkxst from comment #0)

Can this bug fix be verified on released beta builds? How?

Nicolas B. Pierron [:nbp]

Comment 14

•

11 years ago

(In reply to MarioMi from comment #13)
> (In reply to darkxst from comment #0)
> 
> Can this bug fix be verified on released beta builds? How?

Run tbpl valgrind builds with the modification of the suppression file (ask gkw for details about both) to see if this function signature appears or not.

Gary Kwong [:gkw] [:nth10sd] (NOT official MoCo now)

Comment 15

•

11 years ago

(In reply to Nicolas B. Pierron [:pierron] [:nbp] from comment #14)
> (In reply to MarioMi from comment #13)
> > (In reply to darkxst from comment #0)
> > 
> > Can this bug fix be verified on released beta builds? How?
> 
> Run tbpl valgrind builds with the modification of the suppression file (ask
> gkw for details about both) to see if this function signature appears or not.

I removed the suppression in bug 812423 and it seems like this is still happening:

https://tbpl.mozilla.org/php/getParsedLog.php?id=19127812&tree=Firefox&full=1

Gary Kwong [:gkw] [:nth10sd] (NOT official MoCo now)

Comment 16

•

11 years ago

Attached file tbpl log — Details

Unable to verify. (Unless this tbpl bug is a different one)

Gary Kwong [:gkw] [:nth10sd] (NOT official MoCo now)

Comment 17

•

11 years ago

To track the tbpl bug, I've reopened bug 812423.

Nicholas Nethercote [inactive]

Updated

•

11 years ago

Whiteboard: [MemShrink]

Mihai Morar, (:MihaiMorar)

Comment 18

•

11 years ago

(In reply to Nicolas B. Pierron [:pierron] [:nbp] from comment #14)
> (In reply to MarioMi from comment #13)
> Run tbpl valgrind builds with the modification of the suppression file (ask
> gkw for details about both) to see if this function signature appears or not.

Where can I find support in running tbpl valgrind builds because I haven't worked with it yet but I'm interested in doing that.

Gary Kwong [:gkw] [:nth10sd] (NOT official MoCo now)

Comment 19

•

11 years ago

The tbpl listing for Valgrind builds is at https://tbpl.mozilla.org/?noignore=1&jobname=valgrind

Nicholas Nethercote [inactive]

Comment 20

•

11 years ago

https://developer.mozilla.org/en-US/docs/Debugging_Mozilla_with_Valgrind may also be helpful.

yoshi yokotani

Comment 21

•

11 years ago

could anybody please describe a procedure to get the valgrind log? Thank you in advance=)

You need to log in before you can comment on or make changes to this bug.