Memory leak with OOM in ReadGeckoProfilingStack(JSContext*, unsigned int, JS::Value*)

RESOLVED FIXED in Firefox 62

Status: RESOLVED FIXED

People

(Reporter: anba, Assigned: Waldo)

Tracking

Version: Trunk
Target Milestone: mozilla62

Firefox Tracking Flags

(firefox62 fixed)

Attachments

(1 attachment)

(Reporter)

Description

6 months ago
|NewString<CanGC>(...)| doesn't take ownership of the passed char* on OOM, which means releasing the UniquePtr in |inlineFrame.label.release()| can lead to a leak [1].


[1] https://searchfox.org/mozilla-central/rev/c621276fbdd9591f52009042d959b9e19b66d49f/js/src/builtin/TestingFunctions.cpp#2463-2464


Test case:
---
enableGeckoProfiling();

function f() {
    var q = 0;
    for (var i = 0; i < 10000; ++i) {
        q += String.fromCharCode(i & 0xff).length;
    }
    return q;
}
for (var i = 0; i < 2; ++i) f();

oomAtAllocation(17);

readGeckoProfilingStack();
---


Configure flags: --enable-debug --disable-optimize --disable-tests --enable-valgrind --disable-jemalloc

Run with: valgrind --tool=memcheck --leak-check=yes ~/hg/mozilla-inbound/js/src/build-valgrind-debug-obj/dist/bin/js --baseline-eager --no-threads --no-ion /tmp/t.js


Output:
---
==15981== Memcheck, a memory error detector
==15981== Copyright (C) 2002-2015, and GNU GPL'd, by Julian Seward et al.
==15981== Using Valgrind-3.11.0 and LibVEX; rerun with -h for copyright info
==15981== Command: /home/andre/hg/mozilla-inbound/js/src/build-valgrind-debug-obj/dist/bin/js --baseline-eager --no-threads --no-ion /tmp/t.js
==15981== 
==15981== Warning: set address range perms: large range [0x39b802aff000, 0x39b842aff000) (noaccess)
uncaught exception: out of memory
(Unable to print stack trace)
==15981== Warning: set address range perms: large range [0x39b802aff000, 0x39b842aff000) (noaccess)
==15981== 
==15981== HEAP SUMMARY:
==15981==     in use at exit: 72,789 bytes in 4 blocks
==15981==   total heap usage: 9,045 allocs, 9,041 frees, 8,448,319 bytes allocated
==15981== 
==15981== 10 bytes in 1 blocks are definitely lost in loss record 1 of 4
==15981==    at 0x4C2DB8F: malloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==15981==    by 0x492024: SystemMalloc::malloc(unsigned long) (malloc_decls.h:37)
==15981==    by 0x491F58: DummyArenaAllocator<SystemMalloc>::moz_arena_malloc(unsigned long, unsigned long) (malloc_decls.h:37)
==15981==    by 0x491E4C: moz_arena_malloc (malloc_decls.h:115)
==15981==    by 0x41E7D2: js_malloc(unsigned long) (Utility.h:387)
==15981==    by 0x429FC1: char* js_pod_malloc<char>(unsigned long) (Utility.h:584)
==15981==    by 0x489B23: char* js::MallocProvider<JSContext>::maybe_pod_malloc<char>(unsigned long) (MallocProvider.h:54)
==15981==    by 0x4899DE: char* js::MallocProvider<JSContext>::pod_malloc<char>(unsigned long) (MallocProvider.h:87)
==15981==    by 0xDF576A: mozilla::UniquePtr<char [], JS::FreePolicy> js::MallocProvider<JSContext>::make_pod_array<char>(unsigned long) (in /home/andre/hg/mozilla-inbound/js/src/build-valgrind-debug-obj/dist/bin/js)
==15981==    by 0xDEC956: js::DuplicateString(JSContext*, char const*) (Text.cpp:54)
==15981==    by 0xBDEEDF: ReadGeckoProfilingStack(JSContext*, unsigned int, JS::Value*) (TestingFunctions.cpp:2432)
==15981==    by 0x6720B3: js::CallJSNative(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), JS::CallArgs const&) (JSContext-inl.h:274)
==15981== 
==15981== LEAK SUMMARY:
==15981==    definitely lost: 10 bytes in 1 blocks
==15981==    indirectly lost: 0 bytes in 0 blocks
==15981==      possibly lost: 0 bytes in 0 blocks
==15981==    still reachable: 72,779 bytes in 3 blocks
==15981==         suppressed: 0 bytes in 0 blocks
==15981== Reachable blocks (those to which a pointer was found) are not shown.
==15981== To see them, rerun with: --leak-check=full --show-leak-kinds=all
==15981== 
==15981== For counts of detected and suppressed errors, rerun with: -v
==15981== ERROR SUMMARY: 1 errors from 1 contexts (suppressed: 0 from 0)
---
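To make the ownership problem in the description concrete, here is an added C++ model (not SpiderMonkey code; `newStringAdopt`, `dupChars`, `StringModel` and the counters are hypothetical stand-ins) of a string constructor that adopts its buffer only on success, with the leaky `release()`-before-call pattern beside a caller that hands ownership over only after the call succeeded:

```cpp
#include <cstdlib>
#include <cstring>
#include <memory>
// Counts heap buffers handed out by dupChars() that have not been freed yet.
static int g_liveBuffers = 0;
// Deleter that mirrors JS::FreePolicy and keeps the live-buffer count accurate.
struct FreeChars {
  void operator()(char* p) const { if (p) { --g_liveBuffers; std::free(p); } }
};
using UniqueChars = std::unique_ptr<char[], FreeChars>;
// Stand-in for js::DuplicateString: a heap copy of `s` owned by a UniquePtr.
static UniqueChars dupChars(const char* s) {
  char* p = static_cast<char*>(std::malloc(std::strlen(s) + 1));
  std::strcpy(p, s);
  ++g_liveBuffers;
  return UniqueChars(p);
}
// Stand-in for a JSString built from adopted chars.
struct StringModel { UniqueChars chars; };
// Like NewString<CanGC> as the report describes it: adopts `chars` ONLY on success.
// On (simulated) OOM it returns nullptr and leaves `chars` untouched and unfreed.
static std::unique_ptr<StringModel> newStringAdopt(char* chars, bool simulateOOM) {
  if (simulateOOM) return nullptr;
  std::unique_ptr<StringModel> s(new StringModel);
  s->chars.reset(chars);
  return s;
}
// Buggy pattern from the report: release() before the call, so OOM strands the buffer.
static bool leakyCaller(bool simulateOOM) {
  UniqueChars label = dupChars("frame-label");   // constructed sample label
  auto str = newStringAdopt(label.release(), simulateOOM);
  return str != nullptr;
}
// Fixed pattern: keep ownership across the call; hand it over only once it succeeded.
static bool safeCaller(bool simulateOOM) {
  UniqueChars label = dupChars("frame-label");
  auto str = newStringAdopt(label.get(), simulateOOM);
  if (!str) return false;        // `label` still owns the buffer and frees it on return
  (void)label.release();         // `str` owns it now; avoid a double free
  return true;
}
// Runs `caller` under the given OOM setting and returns how many buffers it leaked.
static int leakedBy(bool (*caller)(bool), bool simulateOOM) {
  int before = g_liveBuffers;
  caller(simulateOOM);
  return g_liveBuffers - before;
}
```

`leakedBy(leakyCaller, true)` reports one stranded buffer, the same 1-block "definitely lost" record Valgrind shows above, while `safeCaller` leaks nothing in either case.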
(Assignee)

Comment 1

6 months ago
Created attachment 8985424: Patch
Attachment #8985424 - Flags: review?(andrebargull)
(Assignee)

Updated

6 months ago
Assignee: nobody → jwalden+bmo
Status: NEW → ASSIGNED
(Reporter)

Updated

6 months ago
Attachment #8985424 - Flags: review?(andrebargull) → review+

Comment 2

6 months ago
Pushed by jwalden@mit.edu:
https://hg.mozilla.org/integration/mozilla-inbound/rev/a66a884fb46f
Don't leak in ReadGeckoProfilingStack if OOM occurs while creating a new string from a manually released UniquePtr.  r=anba

Comment 3

6 months ago
bugherder
https://hg.mozilla.org/mozilla-central/rev/a66a884fb46f
Status: ASSIGNED → RESOLVED
Last Resolved: 6 months ago
status-firefox62: affected → fixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla62