1467272 - Memory leak with OOM in js::jit::CodeGenerator::link(JSContext*, js::CompilerConstraintList*)

Status: RESOLVED FIXED

(Core :: JavaScript Engine: JIT, defect, P1)

Description

[André Bargull [:anba]]

|IonTrackedTypeVector* allTypes| is not deleted when |generateCompactTrackedOptimizationsMap(...)| in this line [1] returns false.


[1] https://searchfox.org/mozilla-central/rev/cf464eabfeba64e866c1fa36b9fefd674dca9c51/js/src/jit/CodeGenerator.cpp#10401


Test case:
---
enableGeckoProfiling();
setJitCompilerOption("jit.track-optimizations", 1);

oomAtAllocation(4484 - 75, 1);

print("START");

t();

function t() {
    function f() {
        var xs = [0, 1];
        var q = 0;
        for (var i = 0; i < 10000; ++i) {
            q += String.fromCodePoint(xs[i & 1]).length;
        }
        return q;
    }
    for (var i = 0; i < 10; ++i) print(f());
}
---


Configure flags: --enable-debug --disable-optimize --disable-tests --enable-valgrind --disable-jemalloc

Run with: valgrind --tool=memcheck --leak-check=yes ~/hg/mozilla-inbound/js/src/build-valgrind-debug-obj/dist/bin/js --ion-eager --no-threads /tmp/t.js


Output:
---
==10362== Memcheck, a memory error detector
==10362== Copyright (C) 2002-2015, and GNU GPL'd, by Julian Seward et al.
==10362== Using Valgrind-3.11.0 and LibVEX; rerun with -h for copyright info
==10362== Command: /home/andre/hg/mozilla-inbound/js/src/build-valgrind-debug-obj/dist/bin/js --ion-eager --no-threads /tmp/t.js
==10362== 
==10362== Warning: set address range perms: large range [0x64932b78000, 0x64972b78000) (noaccess)
START
10000
10000
10000
10000
10000
10000
10000
10000
10000
10000
==10362== Warning: set address range perms: large range [0x64932b78000, 0x64972b78000) (noaccess)
==10362== 
==10362== HEAP SUMMARY:
==10362==     in use at exit: 72,915 bytes in 5 blocks
==10362==   total heap usage: 10,668 allocs, 10,663 frees, 10,182,203 bytes allocated
==10362== 
==10362== 136 (72 direct, 64 indirect) bytes in 1 blocks are definitely lost in loss record 4 of 5
==10362==    at 0x4C2DB8F: malloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==10362==    by 0x491E24: SystemMalloc::malloc(unsigned long) (malloc_decls.h:37)
==10362==    by 0x491D58: DummyArenaAllocator<SystemMalloc>::moz_arena_malloc(unsigned long, unsigned long) (malloc_decls.h:37)
==10362==    by 0x491C4C: moz_arena_malloc (malloc_decls.h:115)
==10362==    by 0x41E632: js_malloc(unsigned long) (Utility.h:388)
==10362==    by 0x4291C1: unsigned char* js_pod_malloc<unsigned char>(unsigned long) (Utility.h:578)
==10362==    by 0x45C073: unsigned char* js::MallocProvider<JSContext>::maybe_pod_malloc<unsigned char>(unsigned long) (MallocProvider.h:54)
==10362==    by 0x45BF2E: unsigned char* js::MallocProvider<JSContext>::pod_malloc<unsigned char>(unsigned long) (MallocProvider.h:87)
==10362==    by 0x8C884B: mozilla::Vector<js::jit::IonTrackedTypeWithAddendum, 1ul, js::SystemAllocPolicy>* js::MallocProvider<JSContext>::new_<mozilla::Vector<js::jit::IonTrackedTypeWithAddendum, 1ul, js::SystemAllocPolicy>>() (in /home/andre/hg/mozilla-inbound/js/src/build-valgrind-debug-obj/dist/bin/js)
==10362==    by 0x887182: js::jit::CodeGenerator::link(JSContext*, js::CompilerConstraintList*) (CodeGenerator.cpp:10400)
==10362==    by 0x98E68A: LinkCodeGen(JSContext*, js::jit::IonBuilder*, js::jit::CodeGenerator*) (Ion.cpp:521)
==10362==    by 0x98FE64: js::jit::IonCompile(JSContext*, JSScript*, js::jit::BaselineFrame*, unsigned char*, bool, js::jit::OptimizationLevel) (Ion.cpp:2197)
==10362== 
==10362== LEAK SUMMARY:
==10362==    definitely lost: 72 bytes in 1 blocks
==10362==    indirectly lost: 64 bytes in 1 blocks
==10362==      possibly lost: 0 bytes in 0 blocks
==10362==    still reachable: 72,779 bytes in 3 blocks
==10362==         suppressed: 0 bytes in 0 blocks
==10362== Reachable blocks (those to which a pointer was found) are not shown.
==10362== To see them, rerun with: --leak-check=full --show-leak-kinds=all
==10362== 
==10362== For counts of detected and suppressed errors, rerun with: -v
==10362== ERROR SUMMARY: 1 errors from 1 contexts (suppressed: 0 from 0)
---

Comment 1

[Nicolas B. Pierron [:nbp]]

(In reply to André Bargull [:anba] from comment #0)
> Run with: valgrind --tool=memcheck --leak-check=yes
> ~/hg/mozilla-inbound/js/src/build-valgrind-debug-obj/dist/bin/js --ion-eager
> --no-threads /tmp/t.js

When running valgrind with the JIT enabled, you should also add the following valgrind option to ensure that valgrind run properly:

  --smc-check=all-non-file --vex-iropt-register-updates=allregs-at-mem-access

Comment 2

[Jason Orendorff [:jorendorff]]

Attachment: Memory leak with OOM in js::jit::CodeGenerator::link(JSContext*, js::CompilerConstraintList*)

Comment 3

[Pulsebot]

Pushed by apavel@mozilla.com:
https://hg.mozilla.org/integration/mozilla-inbound/rev/ef3bab52fbd0
Memory leak with OOM in js::jit::CodeGenerator::link(JSContext*, js::CompilerConstraintList*). r=nbp

Comment 4

[Daniel Varga [:dvarga]]

https://hg.mozilla.org/mozilla-central/rev/ef3bab52fbd0

Comment 5

[Pascal Chevrel:pascalc]

(In reply to Jason Orendorff [:jorendorff] from comment #2)
> Created attachment 9005667 [details] [diff] [review]
> Memory leak with OOM in js::jit::CodeGenerator::link(JSContext*,
> js::CompilerConstraintList*)

Jason, that looks like a good candidate for a backport to the 63 branch, could you uplift your patch please? Thanks

Comment 6

[Jason Orendorff [:jorendorff]]

I don't think we should backport this. OOM is very rare in practice.