Closed Bug 1080462 Opened 10 years ago Closed 10 years ago

Valgrind detects leaks involving enableSPSProfilingWithSlowAssertions and js::jit::CodeGeneratorShared::generateCompactNativeToBytecodeMap

Categories

(Core :: JavaScript Engine: JIT, defect)

Product:
Core
Component:
JavaScript Engine: JIT
Platform:
x86_64
Linux
Type:
defect
Priority:
Not set
Severity:
major

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla36
Tracking Flags:
Tracking Status
firefox35 --- affected

People

(Reporter: gkw, Assigned: djvj)

References

(Blocks 1 open bug)

Details

(Keywords: regression, testcase, valgrind)

Attachments

(3 files, 3 obsolete files)

log
5.70 KB, text/plain
Details
log
2.59 KB, text/plain
Details
bug-1081374.patch
3.27 KB, patch
h4writer
: review+
Details | Diff | Splinter Review
(function() { enableSPSProfilingWithSlowAssertions() for (z in [0]) {} })() causes the following leaks on m-c changeset f0bb13ef0ee4 with --ion-eager --no-threads at js::jit::CodeGeneratorShared::generateCompactNativeToBytecodeMap. ==32489== 8 bytes in 1 blocks are definitely lost in loss record 14 of 63 ==32489== at 0x4C2ABBD: malloc (vg_replace_malloc.c:296) ==32489== by 0x687F5E: js_malloc (Utility.h:98) ==32489== by 0x687F5E: js_pod_malloc<JSScript*> (Utility.h:559) ==32489== by 0x687F5E: pod_malloc<JSScript*> (MallocProvider.h:62) ==32489== by 0x687F5E: js::jit::CodeGeneratorShared::createNativeToBytecodeScriptList(JSContext*) (CodeGenerator-shared.cpp:569) ==32489== by 0x688087: js::jit::CodeGeneratorShared::generateCompactNativeToBytecodeMap(JSContext*, js::jit::JitCode*) (CodeGenerator-shared.cpp:600) /snip ==32489== 60 bytes in 1 blocks are definitely lost in loss record 37 of 63 ==32489== at 0x4C2ABBD: malloc (vg_replace_malloc.c:296) ==32489== by 0x688115: js_malloc (Utility.h:98) ==32489== by 0x688115: js_pod_malloc<unsigned char> (Utility.h:559) ==32489== by 0x688115: pod_malloc<unsigned char> (MallocProvider.h:62) ==32489== by 0x688115: js::jit::CodeGeneratorShared::generateCompactNativeToBytecodeMap(JSContext*, js::jit::JitCode*) (CodeGenerator-shared.cpp:623) ==32489== by 0x5731F4: js::jit::CodeGenerator::link(JSContext*, js::types::CompilerConstraintList*) (CodeGenerator.cpp:7541) /snip Debug configure options: AR=ar sh /home/fuzz2lin/trees/mozilla-central/js/src/configure --disable-debug --enable-optimize=-O1 --enable-nspr-build --enable-more-deterministic --enable-valgrind --with-ccache --enable-gczeal --enable-debug-symbols --disable-tests autoBisect shows this is probably related to the following changeset: The first bad revision is: changeset: https://hg.mozilla.org/mozilla-central/rev/0f71056d9b6f user: Kannan Vijayan date: Wed Aug 13 11:59:52 2014 -0400 summary: Bug 1004831 - Part 2 - Add compact map representation for native to bytecode mappings. r=luke,h4writer Kannan, is bug 1004831 a possible regressor?
Flags: needinfo?(kvijayan)
Attached patch fix-bug-1080462.patch (obsolete) — Splinter Review
Hey Gary, can you tell me if this fixes it? It should.
Attachment #8502573 - Flags: feedback?(gary)
Flags: needinfo?(kvijayan)
Comment on attachment 8502573 [details] [diff] [review] fix-bug-1080462.patch No, it does not fix all of the issues. Log coming up.
Attachment #8502573 - Flags: feedback?(gary) → feedback-
Attached file log (obsolete) —
Here is the log when run against a binary compiled with the patch.
Attached patch bug-1080462.patch (obsolete) — Splinter Review
This should fix that.
Attachment #8502573 - Attachment is obsolete: true
Attachment #8509596 - Flags: feedback?(gary)
Comment on attachment 8509596 [details] [diff] [review] bug-1080462.patch Nope. Btw, you can install Valgrind 3.10.0 on Linux and run: valgrind --smc-check=all-non-file --vex-iropt-register-updates=allregs-at-mem-access --leak-check=full --errors-for-leak-kinds=definite --show-leak-kinds=definite ./js --ion-eager --no-threads 1080462.js
Attachment #8509596 - Flags: feedback?(gary) → feedback-
Attached file log
Attachment #8503971 - Attachment is obsolete: true
Found it. Memory leak due to not properly destroying native2bytecode mapping table entries when they are removed. Cleaned up leaks in a couple of error paths as well.
Attachment #8509596 - Attachment is obsolete: true
Attachment #8510534 - Flags: review?(hv1989)
Comment on attachment 8510534 [details] [diff] [review] bug-1081374.patch Review of attachment 8510534 [details] [diff] [review]: ----------------------------------------------------------------- Instead of doing "js_free(nativeToBytecodeScriptList_);" everywhere. Can we make nativeToBytecodeScriptList_ an UniquePtr. As a result when UniquePtr is removed it will automatically free the content? This would remove the need of js_free to be correctly placed. What is the reason to put nativeToBytecodeScriptList_ and nativeToBytecodeMap_ are item in CodeGeneratorShared. Wouldn't it make more sense the function generateCompactNativeToBytecodeMap returns this as outparams?
@Djvj: can you elaborate on the two questions above, before I finish the review?
Flags: needinfo?(kvijayan)
(In reply to Hannes Verschore [:h4writer] from comment #9) > Comment on attachment 8510534 [details] [diff] [review] > bug-1081374.patch > > Review of attachment 8510534 [details] [diff] [review]: > ----------------------------------------------------------------- > > Instead of doing "js_free(nativeToBytecodeScriptList_);" everywhere. Can we > make nativeToBytecodeScriptList_ an UniquePtr. As a result when UniquePtr is > removed it will automatically free the content? This would remove the need > of js_free to be correctly placed. I didn't think the number of places where js_free got introduced was that much. I don't mind going the UniquePtr route, though.. just didn't feel it necessary to use it here. I can change this. > > What is the reason to put nativeToBytecodeScriptList_ and > nativeToBytecodeMap_ are item in CodeGeneratorShared. Wouldn't it make more > sense the function generateCompactNativeToBytecodeMap returns this as > outparams? There are several pieces of info generated by generateCompactNativeToBytecodeMap - the compact map, the script list, the list's size, the map size, and the offset into the map where the table is located (the ultimate "region pointer" that is extracted from the map points into the middle of the map data - specifically at the nativeToBytecodeTableOffset_). One option is to stick all of these into a struct and have that be filled-in as an outparam to this function.
Flags: needinfo?(kvijayan)
(In reply to Hannes Verschore [:h4writer] from comment #10) > @Djvj: can you elaborate on the two questions above, before I finish the > review? Was the response in comment 11 sufficient?
Flags: needinfo?(hv1989)
Comment on attachment 8510534 [details] [diff] [review] bug-1081374.patch Review of attachment 8510534 [details] [diff] [review]: ----------------------------------------------------------------- (In reply to Kannan Vijayan [:djvj] from comment #11) > (In reply to Hannes Verschore [:h4writer] from comment #9) > > Comment on attachment 8510534 [details] [diff] [review] > > bug-1081374.patch > > > > Review of attachment 8510534 [details] [diff] [review]: > > ----------------------------------------------------------------- > > > > Instead of doing "js_free(nativeToBytecodeScriptList_);" everywhere. Can we > > make nativeToBytecodeScriptList_ an UniquePtr. As a result when UniquePtr is > > removed it will automatically free the content? This would remove the need > > of js_free to be correctly placed. > > I didn't think the number of places where js_free got introduced was that > much. I don't mind going the UniquePtr route, though.. just didn't feel it > necessary to use it here. I can change this. > > > > > What is the reason to put nativeToBytecodeScriptList_ and > > nativeToBytecodeMap_ are item in CodeGeneratorShared. Wouldn't it make more > > sense the function generateCompactNativeToBytecodeMap returns this as > > outparams? > > There are several pieces of info generated by > generateCompactNativeToBytecodeMap - the compact map, the script list, the > list's size, the map size, and the offset into the map where the table is > located (the ultimate "region pointer" that is extracted from the map points > into the middle of the map data - specifically at the > nativeToBytecodeTableOffset_). > > One option is to stick all of these into a struct and have that be filled-in > as an outparam to this function. Yeah! A struct output with UniquePtr would definitely make this more safe. As in: make it harder to regress this again by not adding the right js_free's. It would get free'd by default. Can you add a follow-up bug to do this? I'll r+ in the meantime. I'm not sure if this need to get backported, but the changes in this patch is smaller than the follow-up bug. So might be easier to backport (if needed?).
Attachment #8510534 - Flags: review?(hv1989) → review+
Blocks: 1097807
Backed out for crashes during startup cache precompilation during the build packaging step, which usually points to xpcshell bustage. https://hg.mozilla.org/integration/mozilla-inbound/rev/e78f5069f7c2 https://treeherder.mozilla.org/ui/logviewer.html#?job_id=3823280&repo=mozilla-inbound
Assignee: nobody → kvijayan
https://hg.mozilla.org/mozilla-central/rev/d4352c2b4fc4
Status: NEW → RESOLVED
Closed: 10 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla36
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: