Closed Bug 1559062 Opened 2 years ago Closed 2 years ago

LeakSanitizer: [@ js::DebuggerFrame::onStepSetter] with Debugger

Categories

(Core :: JavaScript Engine, defect, P1)

x86_64
Linux
defect

Tracking


RESOLVED FIXED
mozilla69
Tracking Status
firefox-esr60 --- unaffected
firefox67 --- unaffected
firefox68 --- unaffected
firefox69 --- fixed

People

(Reporter: gkw, Assigned: jimb)

References

(Regression)

Details

(4 keywords, Whiteboard: [jsbugmon:])

Attachments

(2 files)

The following testcase crashes on mozilla-central revision 4a63f0a3a1f2 (build with --enable-address-sanitizer, run with --fuzzing-safe --no-threads --no-baseline --no-ion):

// Adapted from randomly chosen test: js/src/jit-test/tests/debug/testEarlyReturnOnCall.js
var g = newGlobal({
    newCompartment: true
});
g.eval("function f(){}");
var dbg = new Debugger(g);
dbg.onEnterFrame = function(frame) {
    frame.onStep = function() {}
}
g.f();

Backtrace:

Direct leak of 16 byte(s) in 1 object(s) allocated from:
#0 0x55602eb89397 in __interceptor_malloc (/home/ubuntu/shell-cache/js-64-asan-linux-x86_64-4a63f0a3a1f2/js-64-asan-linux-x86_64-4a63f0a3a1f2+0x1461397)
#1 0x55602f0fdcbb in js_arena_malloc(unsigned long, unsigned long) /home/ubuntu/shell-cache/js-64-asan-linux-x86_64-4a63f0a3a1f2/objdir-js/dist/include/js/Utility.h:368:10
#2 0x55602f0fdcbb in unsigned char* js_pod_arena_malloc<unsigned char>(unsigned long, unsigned long) /home/ubuntu/shell-cache/js-64-asan-linux-x86_64-4a63f0a3a1f2/objdir-js/dist/include/js/Utility.h:573
#3 0x55602f0fdcbb in unsigned char* js::MallocProvider<JSContext>::maybe_pod_malloc<unsigned char>(unsigned long, unsigned long) js/src/vm/MallocProvider.h:53
#4 0x55602f0fdcbb in unsigned char* js::MallocProvider<JSContext>::pod_malloc<unsigned char>(unsigned long, unsigned long) js/src/vm/MallocProvider.h:90
#5 0x55602f0fdcbb in js::ScriptedOnStepHandler* js::MallocProvider<JSContext>::new_<js::ScriptedOnStepHandler, JSObject*>(JSObject*&&) js/src/vm/MallocProvider.h:196
#6 0x55602f0fdcbb in js::DebuggerFrame::onStepSetter(JSContext*, unsigned int, JS::Value*) js/src/vm/Debugger.cpp:10164
/snip

For detailed crash information, see attachment.

autobisectjs shows this is probably related to the following changeset:

The first bad revision is:
changeset: https://hg.mozilla.org/mozilla-central/rev/411716c0fa8e
user: Jim Blandy
date: Mon Jun 10 20:17:00 2019 +0000
summary: Bug 1551176: Drop a generator script's stepper count when its Debugger.Frame is GC'd. r=jorendorff

Jim, is bug 1551176 a likely regressor?

Flags: needinfo?(jimb)
Regressed by: 1551176

(In reply to Gary Kwong [:gkw] [:nth10sd] from comment #2)

> Jim, is bug 1551176 a likely regressor?

Yes. Obvious fix, taking.

Flags: needinfo?(jimb)

When I wrote my prior patch, I forgot that a DebuggerFrame object's
ONSTEP_HANDLER_SLOT holds, not a JavaScript object, but a private value pointing
to an OnStepHandler, which must be explicitly freed.

Priority: -- → P1
Assignee: nobody → jimb
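The ownership mistake described in the comment above, as a constructed C++ model added here (not SpiderMonkey's code): a GC-managed frame object keeps a raw owning pointer in a private slot, so the finalizer, not the GC, has to free it. Names such as `DebuggerFrame`, `setOnStep`, `finalize` and `runScenario` are placeholders chosen to mirror the bug, and a live-object counter stands in for LeakSanitizer.

```cpp
// Constructed model (not SpiderMonkey's code) of the pattern the bug describes:
// a GC-managed DebuggerFrame keeps a raw owning pointer to an OnStepHandler in a
// private slot. The GC neither traces nor frees private values, so the finalizer
// must delete it; a finalizer that only resets the slot leaks the handler.
struct OnStepHandler {
  static int live;  // live-handler count, standing in for LeakSanitizer
  OnStepHandler() { ++live; }
  virtual ~OnStepHandler() { --live; }
  virtual void onStep() {}
};
int OnStepHandler::live = 0;

struct ScriptedOnStepHandler : OnStepHandler {
  void* callback;  // stands in for the JSObject* the real handler holds
  explicit ScriptedOnStepHandler(void* cb) : callback(cb) {}
};

struct DebuggerFrame {
  OnStepHandler* onStepHandlerSlot = nullptr;  // models ONSTEP_HANDLER_SLOT
  bool freeHandlerOnFinalize;  // false reproduces the regression, true the fix
  explicit DebuggerFrame(bool fixed) : freeHandlerOnFinalize(fixed) {}

  // Models the onStep setter: install a new handler and free the old one.
  void setOnStep(void* callback) {
    OnStepHandler* old = onStepHandlerSlot;
    onStepHandlerSlot = new ScriptedOnStepHandler(callback);
    delete old;
  }

  // Models the GC finalizer for the Debugger.Frame object.
  void finalize() {
    if (freeHandlerOnFinalize) {
      delete onStepHandlerSlot;
    }
    onStepHandlerSlot = nullptr;
  }
};

// Replays the testcase: onEnterFrame assigns onStep, then the frame is
// collected. Returns how many handlers are still alive afterwards.
int runScenario(bool fixedFinalizer) {
  OnStepHandler::live = 0;
  int dummyCallback = 0;
  DebuggerFrame frame(fixedFinalizer);
  frame.setOnStep(&dummyCallback);
  frame.setOnStep(&dummyCallback);  // reassigning must not leak the first handler
  frame.finalize();
  return OnStepHandler::live;  // 1 with the regression, 0 with the fix
}
```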
Pushed by jblandy@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/89a432e0cf0b
Don't leak onStep handlers. r=jorendorff
Status: NEW → RESOLVED
Closed: 2 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla69