Closed Bug 1467272 Opened 7 years ago Closed 7 years ago

Memory leak with OOM in js::jit::CodeGenerator::link(JSContext*, js::CompilerConstraintList*)

Categories

(Core :: JavaScript Engine: JIT, defect, P1)

Tracking

RESOLVED FIXED
mozilla64
Tracking Status
firefox62 --- wontfix
firefox63 --- wontfix
firefox64 --- fixed

People

(Reporter: anba, Assigned: jorendorff)

Attachments

(1 file)

|IonTrackedTypeVector* allTypes| is not deleted when |generateCompactTrackedOptimizationsMap(...)| in this line [1] returns false.

[1] https://searchfox.org/mozilla-central/rev/cf464eabfeba64e866c1fa36b9fefd674dca9c51/js/src/jit/CodeGenerator.cpp#10401

Test case:
---
enableGeckoProfiling();
setJitCompilerOption("jit.track-optimizations", 1);
oomAtAllocation(4484 - 75, 1);
print("START");
t();

function t() {
    function f() {
        var xs = [0, 1];
        var q = 0;
        for (var i = 0; i < 10000; ++i) {
            q += String.fromCodePoint(xs[i & 1]).length;
        }
        return q;
    }
    for (var i = 0; i < 10; ++i)
        print(f());
}
---

Configure flags: --enable-debug --disable-optimize --disable-tests --enable-valgrind --disable-jemalloc

Run with: valgrind --tool=memcheck --leak-check=yes ~/hg/mozilla-inbound/js/src/build-valgrind-debug-obj/dist/bin/js --ion-eager --no-threads /tmp/t.js

Output:
---
==10362== Memcheck, a memory error detector
==10362== Copyright (C) 2002-2015, and GNU GPL'd, by Julian Seward et al.
==10362== Using Valgrind-3.11.0 and LibVEX; rerun with -h for copyright info
==10362== Command: /home/andre/hg/mozilla-inbound/js/src/build-valgrind-debug-obj/dist/bin/js --ion-eager --no-threads /tmp/t.js
==10362==
==10362== Warning: set address range perms: large range [0x64932b78000, 0x64972b78000) (noaccess)
START
10000
10000
10000
10000
10000
10000
10000
10000
10000
10000
==10362== Warning: set address range perms: large range [0x64932b78000, 0x64972b78000) (noaccess)
==10362==
==10362== HEAP SUMMARY:
==10362==     in use at exit: 72,915 bytes in 5 blocks
==10362==   total heap usage: 10,668 allocs, 10,663 frees, 10,182,203 bytes allocated
==10362==
==10362== 136 (72 direct, 64 indirect) bytes in 1 blocks are definitely lost in loss record 4 of 5
==10362==    at 0x4C2DB8F: malloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==10362==    by 0x491E24: SystemMalloc::malloc(unsigned long) (malloc_decls.h:37)
==10362==    by 0x491D58: DummyArenaAllocator<SystemMalloc>::moz_arena_malloc(unsigned long, unsigned long) (malloc_decls.h:37)
==10362==    by 0x491C4C: moz_arena_malloc (malloc_decls.h:115)
==10362==    by 0x41E632: js_malloc(unsigned long) (Utility.h:388)
==10362==    by 0x4291C1: unsigned char* js_pod_malloc<unsigned char>(unsigned long) (Utility.h:578)
==10362==    by 0x45C073: unsigned char* js::MallocProvider<JSContext>::maybe_pod_malloc<unsigned char>(unsigned long) (MallocProvider.h:54)
==10362==    by 0x45BF2E: unsigned char* js::MallocProvider<JSContext>::pod_malloc<unsigned char>(unsigned long) (MallocProvider.h:87)
==10362==    by 0x8C884B: mozilla::Vector<js::jit::IonTrackedTypeWithAddendum, 1ul, js::SystemAllocPolicy>* js::MallocProvider<JSContext>::new_<mozilla::Vector<js::jit::IonTrackedTypeWithAddendum, 1ul, js::SystemAllocPolicy>>() (in /home/andre/hg/mozilla-inbound/js/src/build-valgrind-debug-obj/dist/bin/js)
==10362==    by 0x887182: js::jit::CodeGenerator::link(JSContext*, js::CompilerConstraintList*) (CodeGenerator.cpp:10400)
==10362==    by 0x98E68A: LinkCodeGen(JSContext*, js::jit::IonBuilder*, js::jit::CodeGenerator*) (Ion.cpp:521)
==10362==    by 0x98FE64: js::jit::IonCompile(JSContext*, JSScript*, js::jit::BaselineFrame*, unsigned char*, bool, js::jit::OptimizationLevel) (Ion.cpp:2197)
==10362==
==10362== LEAK SUMMARY:
==10362==    definitely lost: 72 bytes in 1 blocks
==10362==    indirectly lost: 64 bytes in 1 blocks
==10362==      possibly lost: 0 bytes in 0 blocks
==10362==    still reachable: 72,779 bytes in 3 blocks
==10362==         suppressed: 0 bytes in 0 blocks
==10362== Reachable blocks (those to which a pointer was found) are not shown.
==10362== To see them, rerun with: --leak-check=full --show-leak-kinds=all
==10362==
==10362== For counts of detected and suppressed errors, rerun with: -v
==10362== ERROR SUMMARY: 1 errors from 1 contexts (suppressed: 0 from 0)
---
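The leak pattern described in comment #0, as an added illustration that is not SpiderMonkey's code: a heap object owned by a raw pointer is freed only on the success path, so an early return on a failed allocation drops it, which is exactly what Valgrind reports as "definitely lost". Beside it is the same function with ownership held by a smart pointer, so every return path frees the object. `linkLeaky`, `linkFixed`, `generateCompactMap` and the live-object counter are constructed stand-ins for `CodeGenerator::link` and `generateCompactTrackedOptimizationsMap`; the OOM is simulated with a flag rather than the shell's `oomAtAllocation`.

```cpp
#include <cstdio>
#include <memory>
#include <vector>

// Counts live TrackedTypeVector objects so a leak is observable without Valgrind.
static int g_liveVectors = 0;

// Constructed stand-in for IonTrackedTypeVector: a heap-allocated vector whose
// constructor/destructor update the live-object counter.
struct TrackedTypeVector {
    std::vector<int> types;  // stands in for IonTrackedTypeWithAddendum entries
    TrackedTypeVector()  { ++g_liveVectors; }
    ~TrackedTypeVector() { --g_liveVectors; }
};

// Simulated OOM: when set, the "map generation" step reports failure,
// the way oomAtAllocation makes a real allocation fail in the JS shell.
static bool g_failNextMapBuild = false;

// Hypothetical stand-in for generateCompactTrackedOptimizationsMap(...).
// Returns false on (simulated) allocation failure, true otherwise.
static bool generateCompactMap(TrackedTypeVector* allTypes) {
    if (g_failNextMapBuild)
        return false;
    allTypes->types.push_back(1);
    return true;
}

// The defect: a raw owning pointer with an early return that skips delete.
bool linkLeaky(bool injectOom) {
    g_failNextMapBuild = injectOom;
    TrackedTypeVector* allTypes = new TrackedTypeVector();
    if (!generateCompactMap(allTypes))
        return false;            // allTypes is never freed on this path
    delete allTypes;             // only the success path frees it
    return true;
}

// The fix: ownership lives in a smart pointer (std::unique_ptr here, the
// engine would use its own UniquePtr), so every return path runs the destructor.
bool linkFixed(bool injectOom) {
    g_failNextMapBuild = injectOom;
    std::unique_ptr<TrackedTypeVector> allTypes(new TrackedTypeVector());
    if (!generateCompactMap(allTypes.get()))
        return false;            // unique_ptr's destructor frees it here
    return true;                 // ... and here
}

// Runs one link variant and returns how many vectors it left alive,
// i.e. the number of leaked objects (0 means no leak).
int leakedAfter(bool (*link)(bool), bool injectOom) {
    int before = g_liveVectors;
    link(injectOom);
    return g_liveVectors - before;
}

int main() {
    std::printf("leaky, no OOM : %d leaked\n", leakedAfter(linkLeaky, false));
    std::printf("leaky, OOM    : %d leaked\n", leakedAfter(linkLeaky, true));
    std::printf("fixed, no OOM : %d leaked\n", leakedAfter(linkFixed, false));
    std::printf("fixed, OOM    : %d leaked\n", leakedAfter(linkFixed, true));
    return 0;
}
```

The counter only shows the object count; running the same binary under `valgrind --leak-check=yes` would attribute the leaked block in the leaky variant to the `new TrackedTypeVector()` line, matching the shape of the trace above.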
(In reply to André Bargull [:anba] from comment #0)
> Run with: valgrind --tool=memcheck --leak-check=yes
> ~/hg/mozilla-inbound/js/src/build-valgrind-debug-obj/dist/bin/js --ion-eager
> --no-threads /tmp/t.js

When running valgrind with the JIT enabled, you should also add the following valgrind options to ensure that valgrind runs properly:

--smc-check=all-non-file --vex-iropt-register-updates=allregs-at-mem-access
Priority: -- → P1
Assignee: nobody → jorendorff
Status: NEW → ASSIGNED
Attachment #9005667 - Flags: review?(nicolas.b.pierron) → review+
Keywords: checkin-needed
Pushed by apavel@mozilla.com: https://hg.mozilla.org/integration/mozilla-inbound/rev/ef3bab52fbd0 Memory leak with OOM in js::jit::CodeGenerator::link(JSContext*, js::CompilerConstraintList*). r=nbp
Keywords: checkin-needed
Status: ASSIGNED → RESOLVED
Closed: 7 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla64
(In reply to Jason Orendorff [:jorendorff] from comment #2)
> Created attachment 9005667 [details] [diff] [review]
> Memory leak with OOM in js::jit::CodeGenerator::link(JSContext*,
> js::CompilerConstraintList*)

Jason, that looks like a good candidate for a backport to the 63 branch, could you uplift your patch please? Thanks
Flags: needinfo?(jorendorff)
I don't think we should backport this. OOM is very rare in practice.
Flags: needinfo?(jorendorff)