Closed Bug 1321186 Opened 9 years ago Closed 9 years ago

Intermittent LeakSanitizer | leak at js_pod_malloc, maybe_pod_malloc, js::DebuggerFrame::onPopSetter, CallJSNative

Categories

(DevTools :: General, defect, P3)

Product:
DevTools
Component:
General
Type:
defect

Tracking

(firefox51 unaffected, firefox52 unaffected, firefox53 fixed)

Status:
RESOLVED FIXED
Milestone:
Firefox 53
Tracking Flags:
Tracking Status
firefox51 --- unaffected
firefox52 --- unaffected
firefox53 --- fixed

People

(Reporter: intermittent-bug-filer, Assigned: jimb)

References

Details

(Keywords: intermittent-failure)

Attachments

(1 file)

Bother to free old onPopHandler when we set a new one.
1011 bytes, patch
fitzgen
: review+
Details | Diff | Splinter Review
:jimb, perhaps you are interested in this report. Marking as P3 for now until we know more.
Flags: needinfo?(jimb)
Priority: -- → P3
Yes, I am, thank you very much!
Assignee: nobody → jimb
Flags: needinfo?(jimb)
I'm pretty sure this is another instance of a bug we've already fixed elsewhere... jeez
("Experience keeps a dear school...")
For ease of reference, here's the stack at which the leaked values were allocated: With: SRC=/home/worker/workspace/build/src ==1287==ERROR: LeakSanitizer: detected memory leaks Direct leak of 240 byte(s) in 15 object(s) allocated from: #0 0x4b24ab in malloc /builds/slave/moz-toolchain/src/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:52:3 #1 0x7f05c7bce16b in js_malloc $SRC/obj-firefox/dist/include/js/Utility.h:229:12 #2 0x7f05c7bce16b in js_pod_malloc<unsigned char> $SRC/obj-firefox/dist/include/js/Utility.h:420 #3 0x7f05c7bce16b in maybe_pod_malloc<unsigned char> $SRC/js/src/vm/MallocProvider.h:57 #4 0x7f05c7bce16b in unsigned char* js::MallocProvider<js::ExclusiveContext>::pod_malloc<unsigned char>(unsigned long) $SRC/js/src/vm/MallocProvider.h:90 #5 0x7f05c8857873 in new_<js::ScriptedOnPopHandler, JSObject *> $SRC/js/src/vm/MallocProvider.h:190:5 #6 0x7f05c8857873 in js::DebuggerFrame::onPopSetter(JSContext*, unsigned int, JS::Value*) $SRC/js/src/vm/Debugger.cpp:8336 #7 0x7f05c8a48e11 in CallJSNative $SRC/js/src/jscntxtinlines.h:239:15 #8 0x7f05c8a48e11 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) $SRC/js/src/vm/Interpreter.cpp:457 #9 0x7f05c8a4ada8 in Call $SRC/js/src/vm/Interpreter.cpp:521:10 #10 0x7f05c8a4ada8 in js::CallSetter(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::Handle<JS::Value>) $SRC/js/src/vm/Interpreter.cpp:648
I can reproduce this leak under valgrind: $ valgrind --leak-check=full '/home/jimb/moz/dbg/js/src/obj~/js/src/js' -f /home/jimb/moz/dbg/js/src/jit-test/lib/prologue.js --js-cache /home/jimb/moz/dbg/js/src/jit-test/.js-cache -e 'const platform='"'"'linux2'"'"'; const libdir='"'"'/home/jimb/moz/dbg/js/src/jit-test/lib/'"'"'; const scriptdir='"'"'/home/jimb/moz/dbg/js/src/jit-test/tests/debug/'"'"'' -f /home/jimb/moz/dbg/js/src/jit-test/tests/debug/Frame-onPop-02.js ==20669== 16 bytes in 1 blocks are definitely lost in loss record 2 of 4 ==20669== at 0x4C28BF6: malloc (vg_replace_malloc.c:299) ==20669== by 0x42ED15: js_malloc(unsigned long) (Utility.h:229) ==20669== by 0x4535C3: unsigned char* js_pod_malloc<unsigned char>(unsigned long) (Utility.h:420) ==20669== by 0x4780EA: unsigned char* js::MallocProvider<js::ExclusiveContext>::maybe_pod_malloc<unsigned char>(unsigned long) (MallocProvider.h:57) ==20669== by 0x46FF8F: unsigned char* js::MallocProvider<js::ExclusiveContext>::pod_malloc<unsigned char>(unsigned long) (MallocProvider.h:90) ==20669== by 0xC322B9: js::ScriptedOnPopHandler* js::MallocProvider<js::ExclusiveContext>::new_<js::ScriptedOnPopHandler, JSObject*>(JSObject*&&) (MallocProvider.h:190) ==20669== by 0xBF005A: js::DebuggerFrame::onPopSetter(JSContext*, unsigned int, JS::Value*) (Debugger.cpp:8336) ==20669== by 0xD05D6D: js::CallJSNative(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), JS::CallArgs const&) (jscntxtinlines.h:239) ==20669== by 0xCDCA9E: js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) (Interpreter.cpp:457) ==20669== by 0xCDCE0C: InternalCall(JSContext*, js::AnyInvokeArgs const&) (Interpreter.cpp:502) ==20669== by 0xCDCEA3: js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>) (Interpreter.cpp:521) ==20669== by 0xCDD914: js::CallSetter(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::Handle<JS::Value>) (Interpreter.cpp:648)
Commit message says it all.
Attachment #8820592 - Flags: review?(nfitzgerald)
Blocks: 1271650
Comment on attachment 8820592 [details] [diff] [review] Bother to free old onPopHandler when we set a new one. Review of attachment 8820592 [details] [diff] [review]: ----------------------------------------------------------------- ::: js/src/vm/Debugger.cpp @@ +7770,5 @@ > MOZ_ASSERT(isLive()); > > + OnPopHandler* prior = onPopHandler(); > + if (prior && prior != handler) > + prior->drop(); This is the polite thing to do, isn't it?
Attachment #8820592 - Flags: review?(nfitzgerald) → review+
Flags: in-testsuite-
Keywords: checkin-needed
OS: Unspecified → All
Hardware: Unspecified → All
Target Milestone: --- → Firefox 52
Version: unspecified → Trunk
Pushed by ihsiao@mozilla.com: https://hg.mozilla.org/integration/mozilla-inbound/rev/34b75871dd7e Bother to free old onPopHandler when we set a new one. r=nfitzgerald.
Keywords: checkin-needed
https://hg.mozilla.org/mozilla-central/rev/34b75871dd7e
Status: NEW → RESOLVED
Closed: 9 years ago
status-firefox53: --- → fixed
Resolution: --- → FIXED
status-firefox51: --- → unaffected
status-firefox52: --- → unaffected
Target Milestone: Firefox 52 → Firefox 53
Product: Firefox → DevTools
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: