Bug 1081374: |BaselineCompiler::compile| can leak |baselineScript|
Status: Closed, RESOLVED FIXED (mozilla36)
Opened 9 years ago, closed 9 years ago
Categories: Core :: JavaScript Engine: JIT, defect
People: Reporter: erahm, Assigned: djvj
References: Blocks 1 open bug
Details: Keywords: coverity, Whiteboard: [MemShrink:P3][CID 1244806]
Attachments: 1 file, 1 obsolete file (4.33 KB patch, jandem: review+)
|BaselineCompiler::compile| [1] can leak |baselineScript| [2] when it early returns [3] if |globalTable->addEntry(entry)| fails.

[1] http://hg.mozilla.org/mozilla-central/annotate/e4cfacb76830/js/src/jit/BaselineCompiler.cpp#l73
[2] http://hg.mozilla.org/mozilla-central/annotate/e4cfacb76830/js/src/jit/BaselineCompiler.cpp#l182
[3] http://hg.mozilla.org/mozilla-central/annotate/e4cfacb76830/js/src/jit/BaselineCompiler.cpp#l258
Comment 1•9 years ago
Regression from bug 1004831. Maybe we can use mozilla::UniquePtr with a policy that calls BaselineScript::Destroy...
Flags: needinfo?(kvijayan)
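The leak pattern from the description and the owning-pointer fix suggested in comment 1, as an added example that is not part of the bug thread or of the Mozilla source: `Script`, `Table`, `Owner`, `DestroyPolicy` and the `compile_*` functions are hypothetical stand-ins, and `std::unique_ptr` stands in for `mozilla::UniquePtr`.

```cpp
// Added illustration. Script, Table, Owner and compile_* are hypothetical
// stand-ins; std::unique_ptr stands in for mozilla::UniquePtr.
#include <cstdlib>
#include <memory>
#include <new>

static int g_live = 0;  // Script objects currently alive
struct Script;
static Script* g_last = nullptr;  // last allocation, lets the demo reclaim a leak

struct Script {
    Script() { ++g_live; g_last = this; }
    ~Script() { --g_live; }
    static Script* New() {  // malloc + placement new, torn down only by Destroy
        void* mem = std::malloc(sizeof(Script));
        return mem ? new (mem) Script() : nullptr;
    }
    static void Destroy(Script* s) { s->~Script(); std::free(s); }
};
struct DestroyPolicy {  // deleter that calls the type's own teardown routine
    void operator()(Script* s) const { Script::Destroy(s); }
};
struct Table { bool fail; bool addEntry() const { return !fail; } };
struct Owner { Script* script = nullptr; };

// Before: the early return drops the only pointer to the allocation.
bool compile_leaky(const Table& t, Owner& out) {
    Script* s = Script::New();
    if (!s) return false;
    if (!t.addEntry()) return false;  // leak: s is never destroyed
    out.script = s;
    return true;
}
// After: the owning pointer destroys the object on every early return.
bool compile_owned(const Table& t, Owner& out) {
    std::unique_ptr<Script, DestroyPolicy> s(Script::New());
    if (!s) return false;
    if (!t.addEntry()) return false;  // ~unique_ptr runs Script::Destroy
    out.script = s.release();         // success: ownership moves to the owner
    return true;
}
// Number of Script objects left alive by a compile whose addEntry fails.
int live_after_failure(bool (*compile)(const Table&, Owner&)) {
    Owner o;
    int before = g_live;
    compile(Table{true}, o);
    int leaked = g_live - before;
    if (leaked) Script::Destroy(g_last);  // reclaim so the demo stays clean
    return leaked;
}
```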
Updated•9 years ago
Whiteboard: [MemShrink][CID 1244806] → [MemShrink:P3][CID 1244806]
Comment 2•9 years ago (Assignee)
Test patch. Passes jit-tests with --ion-eager. Try run: https://treeherder.mozilla.org/ui/#/jobs?repo=try&revision=a9918300e631
Flags: needinfo?(kvijayan)
Updated•9 years ago (Assignee)
Assignee: nobody → kvijayan
Comment 3•9 years ago (Assignee)
Rebased patch. Running in try.
Attachment #8509815 - Attachment is obsolete: true
Attachment #8521519 - Flags: review?(jdemooij)
Comment 4•9 years ago
Comment on attachment 8521519 [details] [diff] [review] bug-1081374.patch Review of attachment 8521519 [details] [diff] [review]: ----------------------------------------------------------------- ::: js/src/jit/BaselineCompiler.cpp @@ +4,5 @@ > * License, v. 2.0. If a copy of the MPL was not distributed with this > * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ > > #include "jit/BaselineCompiler.h" > +#include "mozilla/UniquePtr.h" Nit: add a blank line before this one. @@ +180,5 @@ > > // Note: There is an extra entry in the bytecode type map for the search hint, see below. > size_t bytecodeTypeMapEntries = script->nTypeSets() + 1; > > + mozilla::UniquePtr<BaselineScript, JS::FreePolicy> baselineScript( This should be DeletePolicy: BaselineScript has a LifoAlloc for IC stubs and we should run its destructor.
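Review bot: the `mozilla::UniquePtr<BaselineScript, JS::FreePolicy> baselineScript(` declaration in the second hunk turns the local into an owning pointer, but the quoted context does not show the success path. Where the compiled script takes the pointer, ownership has to be given up explicitly (for example with `baselineScript.release()`), otherwise the UniquePtr destructor frees a BaselineScript that is still referenced.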
Attachment #8521519 - Flags: review?(jdemooij) → review+
Comment 5•9 years ago (Assignee)
https://hg.mozilla.org/integration/mozilla-inbound/rev/d146f4b9606d
Comment 6•9 years ago
https://hg.mozilla.org/mozilla-central/rev/d146f4b9606d
Status: NEW → RESOLVED
Closed: 9 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla36
Updated•5 years ago
Blocks: coverity-analysis