Closed Bug 1321186 Opened 7 years ago Closed 7 years ago

Intermittent LeakSanitizer | leak at js_pod_malloc, maybe_pod_malloc, js::DebuggerFrame::onPopSetter, CallJSNative

Categories

(DevTools :: General, defect, P3)

defect

Tracking

(firefox51 unaffected, firefox52 unaffected, firefox53 fixed)

RESOLVED FIXED
Firefox 53
Tracking Status
firefox51 --- unaffected
firefox52 --- unaffected
firefox53 --- fixed

People

(Reporter: intermittent-bug-filer, Assigned: jimb)

References

Details

(Keywords: intermittent-failure)

Attachments

(1 file)

:jimb, perhaps you are interested in this report.  Marking as P3 for now until we know more.
Flags: needinfo?(jimb)
Priority: -- → P3
Yes, I am, thank you very much!
Assignee: nobody → jimb
Flags: needinfo?(jimb)
I'm pretty sure this is another instance of a bug we've already fixed elsewhere... jeez
("Experience keeps a dear school...")
For ease of reference, here's the stack at which the leaked values were allocated:

With:
SRC=/home/worker/workspace/build/src

==1287==ERROR: LeakSanitizer: detected memory leaks
Direct leak of 240 byte(s) in 15 object(s) allocated from:
#0 0x4b24ab in malloc /builds/slave/moz-toolchain/src/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:52:3
#1 0x7f05c7bce16b in js_malloc
                     $SRC/obj-firefox/dist/include/js/Utility.h:229:12
#2 0x7f05c7bce16b in js_pod_malloc<unsigned char>
                     $SRC/obj-firefox/dist/include/js/Utility.h:420
#3 0x7f05c7bce16b in maybe_pod_malloc<unsigned char>
                     $SRC/js/src/vm/MallocProvider.h:57
#4 0x7f05c7bce16b in unsigned char* js::MallocProvider<js::ExclusiveContext>::pod_malloc<unsigned char>(unsigned long)
                     $SRC/js/src/vm/MallocProvider.h:90
#5 0x7f05c8857873 in new_<js::ScriptedOnPopHandler, JSObject *>
                     $SRC/js/src/vm/MallocProvider.h:190:5
#6 0x7f05c8857873 in js::DebuggerFrame::onPopSetter(JSContext*, unsigned int, JS::Value*)
                     $SRC/js/src/vm/Debugger.cpp:8336
#7 0x7f05c8a48e11 in CallJSNative
                     $SRC/js/src/jscntxtinlines.h:239:15
#8 0x7f05c8a48e11 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct)
                     $SRC/js/src/vm/Interpreter.cpp:457
#9 0x7f05c8a4ada8 in Call
                     $SRC/js/src/vm/Interpreter.cpp:521:10
#10 0x7f05c8a4ada8 in js::CallSetter(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::Handle<JS::Value>)
                     $SRC/js/src/vm/Interpreter.cpp:648
I can reproduce this leak under valgrind:

$ valgrind --leak-check=full '/home/jimb/moz/dbg/js/src/obj~/js/src/js' -f /home/jimb/moz/dbg/js/src/jit-test/lib/prologue.js --js-cache /home/jimb/moz/dbg/js/src/jit-test/.js-cache -e 'const platform='"'"'linux2'"'"'; const libdir='"'"'/home/jimb/moz/dbg/js/src/jit-test/lib/'"'"'; const scriptdir='"'"'/home/jimb/moz/dbg/js/src/jit-test/tests/debug/'"'"'' -f /home/jimb/moz/dbg/js/src/jit-test/tests/debug/Frame-onPop-02.js

==20669== 16 bytes in 1 blocks are definitely lost in loss record 2 of 4
==20669==    at 0x4C28BF6: malloc (vg_replace_malloc.c:299)
==20669==    by 0x42ED15: js_malloc(unsigned long) (Utility.h:229)
==20669==    by 0x4535C3: unsigned char* js_pod_malloc<unsigned char>(unsigned long) (Utility.h:420)
==20669==    by 0x4780EA: unsigned char* js::MallocProvider<js::ExclusiveContext>::maybe_pod_malloc<unsigned char>(unsigned long) (MallocProvider.h:57)
==20669==    by 0x46FF8F: unsigned char* js::MallocProvider<js::ExclusiveContext>::pod_malloc<unsigned char>(unsigned long) (MallocProvider.h:90)
==20669==    by 0xC322B9: js::ScriptedOnPopHandler* js::MallocProvider<js::ExclusiveContext>::new_<js::ScriptedOnPopHandler, JSObject*>(JSObject*&&) (MallocProvider.h:190)
==20669==    by 0xBF005A: js::DebuggerFrame::onPopSetter(JSContext*, unsigned int, JS::Value*) (Debugger.cpp:8336)
==20669==    by 0xD05D6D: js::CallJSNative(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), JS::CallArgs const&) (jscntxtinlines.h:239)
==20669==    by 0xCDCA9E: js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) (Interpreter.cpp:457)
==20669==    by 0xCDCE0C: InternalCall(JSContext*, js::AnyInvokeArgs const&) (Interpreter.cpp:502)
==20669==    by 0xCDCEA3: js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>) (Interpreter.cpp:521)
==20669==    by 0xCDD914: js::CallSetter(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::Handle<JS::Value>) (Interpreter.cpp:648)
Commit message says it all.
Attachment #8820592 - Flags: review?(nfitzgerald)
Blocks: 1271650
Comment on attachment 8820592 [details] [diff] [review]
Bother to free old onPopHandler when we set a new one.

Review of attachment 8820592 [details] [diff] [review]:
-----------------------------------------------------------------

::: js/src/vm/Debugger.cpp
@@ +7770,5 @@
>      MOZ_ASSERT(isLive());
>  
> +    OnPopHandler* prior = onPopHandler();
> +    if (prior && prior != handler)
> +        prior->drop();

This is the polite thing to do, isn't it?
Attachment #8820592 - Flags: review?(nfitzgerald) → review+
Flags: in-testsuite-
Keywords: checkin-needed
OS: Unspecified → All
Hardware: Unspecified → All
Target Milestone: --- → Firefox 52
Version: unspecified → Trunk
Pushed by ihsiao@mozilla.com:
https://hg.mozilla.org/integration/mozilla-inbound/rev/34b75871dd7e
Bother to free old onPopHandler when we set a new one. r=nfitzgerald.
Keywords: checkin-needed
https://hg.mozilla.org/mozilla-central/rev/34b75871dd7e
Status: NEW → RESOLVED
Closed: 7 years ago
Resolution: --- → FIXED
Target Milestone: Firefox 52 → Firefox 53
Product: Firefox → DevTools
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Created:
Updated:
Size: