Bug 1563051 - LeakSanitizer: [@ js::jit::BaselineDebugModeOSRInfo] with Debugger
Status: Closed, RESOLVED FIXED; target milestone mozilla69
Opened 5 years ago; closed 5 years ago
Categories: Core :: JavaScript Engine, defect, P1
People: Reporter gkw, Assignee jandem
Details: 4 keywords, Whiteboard: [jsbugmon:update]
Attachments: 2 files
The following testcase crashes on mozilla-central revision 109ccdeb9634 (build with --enable-address-sanitizer, run with --fuzzing-safe --no-threads --ion-eager and the environment variables ASAN_OPTIONS=detect_leaks=1 LSAN_OPTIONS=max_leaks=1):
// Adapted from randomly chosen test: js/src/jit-test/tests/debug/resumption-08.js
g = newGlobal({
    newCompartment: true
});
dbg = new Debugger;
dbg.addDebuggee(g);
dbg.onEnterFrame = function(frame) {
    frame.onPop = function() {
        // Detach the debugger from g while g's frame is being popped.
        dbg.removeDebuggee(g);
        // `u` is unbound, so the onPop hook itself throws a ReferenceError.
        u;
    }
}
g.eval(function t() {} + "");
Backtrace:
Direct leak of 48 byte(s) in 1 object(s) allocated from:
#0 0x55a12b360397 in __interceptor_malloc (/home/ubuntu/shell-cache/js-64-asan-linux-x86_64-109ccdeb9634/js-64-asan-linux-x86_64-109ccdeb9634+0x1460397)
#1 0x55a12cb42c8a in js_arena_malloc(unsigned long, unsigned long) /home/ubuntu/shell-cache/js-64-asan-linux-x86_64-109ccdeb9634/objdir-js/dist/include/js/Utility.h:392:10
#2 0x55a12cb42c8a in unsigned char* js_pod_arena_malloc<unsigned char>(unsigned long, unsigned long) /home/ubuntu/shell-cache/js-64-asan-linux-x86_64-109ccdeb9634/objdir-js/dist/include/js/Utility.h:600
#3 0x55a12cb42c8a in unsigned char* js::MallocProvider<JSContext>::maybe_pod_malloc<unsigned char>(unsigned long, unsigned long) js/src/vm/MallocProvider.h:53
#4 0x55a12cb42c8a in unsigned char* js::MallocProvider<JSContext>::pod_malloc<unsigned char>(unsigned long, unsigned long) js/src/vm/MallocProvider.h:90
#5 0x55a12cb42c8a in js::jit::BaselineDebugModeOSRInfo* js::MallocProvider<JSContext>::new_<js::jit::BaselineDebugModeOSRInfo, unsigned char*&, js::jit::RetAddrEntry::Kind&>(unsigned char*&, js::jit::RetAddrEntry::Kind&) js/src/vm/MallocProvider.h:196
/snip
For detailed crash information, see attachment.
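A triage wrapper for the reproduction steps above, added here as an example; it is not part of the bug report or of SpiderMonkey. It assumes an ASan-enabled js shell (built with --enable-address-sanitizer) at JS_SHELL and a testcase path supplied by the caller, runs the shell with the exact flags and environment from the report, and reduces the LeakSanitizer output to the "[@ symbol]" form used in the bug summary. The sample LSAN output is constructed from the frames quoted above.

```shell
#!/bin/sh
# Added example, not part of the bug report or of SpiderMonkey: drive the
# reproduction described above (ASan build, --fuzzing-safe --no-threads
# --ion-eager, LSAN capped at one leak) and reduce the LeakSanitizer report to
# the "[@ symbol]" signature used in the bug title.
# Assumptions: JS_SHELL points at an ASan-enabled js shell built with
# --enable-address-sanitizer; the testcase path is supplied by the caller.

# Run the shell exactly as the report does and merge stderr, where LSAN writes.
run_lsan_repro() {
    js_shell=$1
    testcase=$2
    ASAN_OPTIONS=detect_leaks=1 LSAN_OPTIONS=max_leaks=1 \
        "$js_shell" --fuzzing-safe --no-threads --ion-eager "$testcase" 2>&1
}

# For each "Direct leak" block on stdin, print "<bytes> <objects> <symbol>",
# where <symbol> is the first js::jit:: name on the stack: the malloc
# interceptor and the generic js_arena_malloc / MallocProvider frames above it
# say nothing about which JIT object leaked.
summarize_leaks() {
    awk '
        /Direct leak of/ { bytes = $4; objs = $7; want = 1; next }
        want && match($0, /js::jit::[A-Za-z0-9_:]+/) {
            print bytes, objs, substr($0, RSTART, RLENGTH)
            want = 0
        }
    '
}

# Turn the summary into the "[@ symbol]" form used for the bug summary, so
# fuzzer output can be matched against existing reports.
leak_signature() {
    summarize_leaks | awk '{ print "[@ " $3 "]" }'
}

# Constructed sample: the frames quoted in the report above (the shell cache
# path is shortened to keep the lines readable; frames #2-#4 are omitted).
sample_lsan_output() {
    cat <<'EOF'
Direct leak of 48 byte(s) in 1 object(s) allocated from:
    #0 0x55a12b360397 in __interceptor_malloc (js-64-asan-linux-x86_64-109ccdeb9634+0x1460397)
    #1 0x55a12cb42c8a in js_arena_malloc(unsigned long, unsigned long) objdir-js/dist/include/js/Utility.h:392:10
    #5 0x55a12cb42c8a in js::jit::BaselineDebugModeOSRInfo* js::MallocProvider<JSContext>::new_<js::jit::BaselineDebugModeOSRInfo, unsigned char*&, js::jit::RetAddrEntry::Kind&>(unsigned char*&, js::jit::RetAddrEntry::Kind&) js/src/vm/MallocProvider.h:196
EOF
}

# Usage: JS_SHELL=/path/to/asan/js sh lsan_triage.sh testcase.js
# With no argument the script only defines the functions above.
if [ -n "$1" ]; then
    run_lsan_repro "${JS_SHELL:-js}" "$1" | leak_signature
fi
```

LSAN_OPTIONS=max_leaks=1 keeps the report to a single allocation site, which is what makes the signature stable across runs; drop it when you want to see whether the same testcase leaks more than one object type.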
Comment 1 • 5 years ago (Reporter)

Comment 2 • 5 years ago (Reporter)
This seems to go back further than m-c rev e1cac03485d9 (about 3 years ago), so setting needinfo? from Jan as a start.
Flags: needinfo?(jdemooij)
Updated • 5 years ago (Reporter)
Type: task → defect
Comment 3 • 5 years ago (Assignee)
The other caller of EnsureBareExitFrame is when unwinding in the exception handler and we already call deleteDebugModeOSRInfo there.
Comment 4 • 5 years ago (Assignee)
Nice find, thanks.
Assignee: nobody → jdemooij
Status: NEW → ASSIGNED
Flags: needinfo?(jdemooij)
Updated • 5 years ago
Priority: -- → P1
Pushed by jdemooij@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/adc099a94bc8 Fix a debugger leak of BaselineDebugModeOSRInfo in DebugEpilogue. r=iain
Comment 6 • 5 years ago (bugherder)
Status: ASSIGNED → RESOLVED
Closed: 5 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla69
Updated • 5 years ago
status-firefox68: --- → wontfix
status-firefox-esr60: --- → wontfix
status-firefox-esr68: --- → wontfix
Flags: in-testsuite+