Closed Bug 1467276 Opened 7 years ago Closed 7 years ago

Memory leak with OOM in DecompileAtPCForStackDump(JSContext*, JS::Handle<JSScript*>, OffsetAndDefIndex const&, js::Sprinter*)

Categories: Core :: JavaScript Engine, defect
Priority: Not set
Severity: normal

Tracking: RESOLVED FIXED, mozilla62
Tracking Status: firefox62 --- fixed

People: Reporter: anba, Assigned: Waldo

Attachments: 1 file

|result| is not freed when |sp->put(result)| in this line [1] returns false.

[1] https://searchfox.org/mozilla-central/rev/cf464eabfeba64e866c1fa36b9fefd674dca9c51/js/src/vm/BytecodeUtil.cpp#2190

Test case:
---
dis(function() { return; });
---

Configure flags:
--enable-debug --disable-optimize --disable-tests --enable-valgrind --disable-jemalloc

Run with:
valgrind --tool=memcheck --leak-check=yes ~/hg/mozilla-inbound/js/src/build-valgrind-debug-obj/dist/bin/js /tmp/t.js

Output:
---
==4510== Memcheck, a memory error detector
==4510== Copyright (C) 2002-2015, and GNU GPL'd, by Julian Seward et al.
==4510== Using Valgrind-3.11.0 and LibVEX; rerun with -h for copyright info
==4510== Command: /home/andre/hg/mozilla-inbound/js/src/build-valgrind-debug-obj/dist/bin/js /tmp/t.js
==4510==
==4510== Warning: set address range perms: large range [0x2f5eb162d000, 0x2f5ef162d000) (noaccess)
flags: LAMBDA CONSTRUCTOR
loc     op
-----   --
main:
00000:  undefined                       # undefined
00001:  return                          #
00002:  retrval                         # !!! UNREACHABLE !!!

Source notes:
 ofs line    pc  delta desc     args
---- ---- ----- ------ -------- ------
  0:    1     0 [   0] newline
  1:    2     0 [   0] colspan  4
  3:    2     1 [   1] newline
==4510== Warning: set address range perms: large range [0x2f5eb162d000, 0x2f5ef162d000) (noaccess)
==4510==
==4510== HEAP SUMMARY:
==4510==     in use at exit: 72,789 bytes in 4 blocks
==4510==   total heap usage: 8,926 allocs, 8,922 frees, 6,038,108 bytes allocated
==4510==
==4510== 10 bytes in 1 blocks are definitely lost in loss record 1 of 4
==4510==    at 0x4C2DB8F: malloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==4510==    by 0x491E24: SystemMalloc::malloc(unsigned long) (malloc_decls.h:37)
==4510==    by 0x491D58: DummyArenaAllocator<SystemMalloc>::moz_arena_malloc(unsigned long, unsigned long) (malloc_decls.h:37)
==4510==    by 0x491C4C: moz_arena_malloc (malloc_decls.h:115)
==4510==    by 0x41E632: js_malloc(unsigned long) (Utility.h:388)
==4510==    by 0x429D81: char* js_pod_malloc<char>(unsigned long) (Utility.h:578)
==4510==    by 0x489873: char* js::MallocProvider<JSContext>::maybe_pod_malloc<char>(unsigned long) (MallocProvider.h:54)
==4510==    by 0x4896AE: char* js::MallocProvider<JSContext>::pod_malloc<char>(unsigned long) (MallocProvider.h:87)
==4510==    by 0xE33B88: (anonymous namespace)::ExpressionDecompiler::getOutput(char**) (BytecodeUtil.cpp:2162)
==4510==    by 0xE33778: DecompileAtPCForStackDump(JSContext*, JS::Handle<JSScript*>, OffsetAndDefIndex const&, js::Sprinter*) (BytecodeUtil.cpp:2186)
==4510==    by 0xE33035: Disassemble1(JSContext*, JS::Handle<JSScript*>, unsigned char*, unsigned int, bool, (anonymous namespace)::BytecodeParser*, js::Sprinter*)::$_1::operator()() const (BytecodeUtil.cpp:1359)
==4510==    by 0xE29A80: Disassemble1(JSContext*, JS::Handle<JSScript*>, unsigned char*, unsigned int, bool, (anonymous namespace)::BytecodeParser*, js::Sprinter*) (BytecodeUtil.cpp:1568)
==4510==
==4510== LEAK SUMMARY:
==4510==    definitely lost: 10 bytes in 1 blocks
==4510==    indirectly lost: 0 bytes in 0 blocks
==4510==      possibly lost: 0 bytes in 0 blocks
==4510==    still reachable: 72,779 bytes in 3 blocks
==4510==         suppressed: 0 bytes in 0 blocks
==4510== Reachable blocks (those to which a pointer was found) are not shown.
==4510== To see them, rerun with: --leak-check=full --show-leak-kinds=all
==4510==
==4510== For counts of detected and suppressed errors, rerun with: -v
==4510== ERROR SUMMARY: 1 errors from 1 contexts (suppressed: 0 from 0)
---
Attached patch PatchSplinter Review
Attachment #8985416 - Flags: review?(andrebargull)
Assignee: andrebargull → jwalden+bmo
Attachment #8985416 - Flags: review?(andrebargull) → review+
Pushed by jwalden@mit.edu: https://hg.mozilla.org/integration/mozilla-inbound/rev/6625e63ecaf5 Properly free |result| in DecompileAtPCForStackDump after its use, including when that use fails. r=anba
Status: ASSIGNED → RESOLVED
Closed: 7 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla62
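Constructed C++ illustration of the ownership bug in this report and the shape of the fix the commit message describes (an added example, not SpiderMonkey's code): a stand-in Sprinter whose put() can fail as it would under OOM, the early-return path that drops the malloc'd |result|, and the same function with the buffer owned by a unique_ptr so it is freed whether put() succeeds or fails. Sprinter, getOutput, freeOutput and gLiveBlocks are hypothetical stand-ins, not the engine's types.

```cpp
#include <cstdlib>
#include <cstring>
#include <memory>
#include <string>

// Stand-in for js::Sprinter: appends text, reports failure by returning
// false. failNext lets a caller simulate the OOM failure from the report.
struct Sprinter {
    std::string out;
    bool failNext = false;
    bool put(const char* s) {
        if (failNext) { failNext = false; return false; }
        out += s;
        return true;
    }
};

// Live heap blocks handed out by getOutput(), so a leak is observable.
static int gLiveBlocks = 0;

// Stand-in for ExpressionDecompiler::getOutput(): the caller owns the buffer.
static char* getOutput(const char* expr) {
    char* p = static_cast<char*>(std::malloc(std::strlen(expr) + 1));
    if (!p) return nullptr;
    std::strcpy(p, expr);
    ++gLiveBlocks;
    return p;
}

static void freeOutput(char* p) {
    if (p) { --gLiveBlocks; std::free(p); }
}

// Leaky shape from the report: returning early on a failed put() skips the free.
static bool decompileLeaky(const char* expr, Sprinter* sp) {
    char* result = getOutput(expr);
    if (!result) return false;
    if (!sp->put(result)) return false;   // result is lost on this path
    freeOutput(result);
    return true;
}

// Fixed shape: the buffer's lifetime is tied to the scope, so every return
// path, including the failed put(), releases it.
static bool decompileFixed(const char* expr, Sprinter* sp) {
    std::unique_ptr<char, void (*)(char*)> result(getOutput(expr), freeOutput);
    if (!result) return false;
    return sp->put(result.get());
}
```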