Bug 1566189 (Closed): opened 5 years ago, closed 5 years ago

LeakSanitizer: [@ js::jit::BaselineDebugModeOSRInfo] with Debugger

Categories: Core :: JavaScript Engine, defect
Platform: x86_64 Linux
Priority: Not set
Severity: critical

Tracking: RESOLVED FIXED, target milestone mozilla70
Tracking Status
firefox-esr60 --- wontfix
firefox-esr68 --- wontfix
firefox68 --- wontfix
firefox69 --- wontfix
firefox70 --- fixed

People: Reporter gkw, Assigned jandem

Details: 4 keywords, Whiteboard: [jsbugmon:update]

Attachments: 1 file

The following testcase crashes on mozilla-central revision d9f557b5fc76 (build with --enable-address-sanitizer, run with --fuzzing-safe --no-threads --ion-eager and the environment variables ASAN_OPTIONS=detect_leaks=1 LSAN_OPTIONS=max_leaks=1):

// Adapted from randomly chosen test: js/src/jit-test/tests/debug/resumption-08.js
// Debuggee global living in its own compartment.
g = newGlobal({
    newCompartment: true
});
dbg = new Debugger;
dbg.addDebuggee(g);
f = function(resumptionVal) {
    dbg.onEnterFrame = function(frame) {
        // On the first step inside the debuggee frame, drop the debuggee while
        // that frame is still on the stack, then force the frame to return.
        frame.onStep = function() {
            dbg.removeDebuggee(g);
            return {
                return: ""
            };
        }
    }
}
f();
// Evaluating code in the debuggee global enters a frame and fires onEnterFrame.
g.eval("(" + function() {} + ")");

Backtrace:

==18260==ERROR: LeakSanitizer: detected memory leaks

Direct leak of 48 byte(s) in 1 object(s) allocated from:
    #0 0x555cd4888397 in __interceptor_malloc (/home/ubuntu/shell-cache/js-64-asan-linux-x86_64-d9f557b5fc76/js-64-asan-linux-x86_64-d9f557b5fc76+0x1465397)
    #1 0x555cd60c8779 in js_arena_malloc(unsigned long, unsigned long) /home/ubuntu/shell-cache/js-64-asan-linux-x86_64-d9f557b5fc76/objdir-js/dist/include/js/Utility.h:392:10
    #2 0x555cd60c8779 in unsigned char* js_pod_arena_malloc<unsigned char>(unsigned long, unsigned long) /home/ubuntu/shell-cache/js-64-asan-linux-x86_64-d9f557b5fc76/objdir-js/dist/include/js/Utility.h:600
    #3 0x555cd60c8779 in unsigned char* js::MallocProvider<JSContext>::maybe_pod_malloc<unsigned char>(unsigned long, unsigned long) js/src/vm/MallocProvider.h:53
    #4 0x555cd60c8779 in unsigned char* js::MallocProvider<JSContext>::pod_malloc<unsigned char>(unsigned long, unsigned long) js/src/vm/MallocProvider.h:90
    #5 0x555cd60c8779 in js::jit::BaselineDebugModeOSRInfo* js::MallocProvider<JSContext>::new_<js::jit::BaselineDebugModeOSRInfo, unsigned char*&, js::jit::RetAddrEntry::Kind&>(unsigned char*&, js::jit::RetAddrEntry::Kind&) js/src/vm/MallocProvider.h:196
    #6 0x555cd60c8779 in DebugModeOSREntry::allocateRecompileInfo(JSContext*) js/src/jit/BaselineDebugModeOSR.cpp:114
    #7 0x555cd5fee88c in CollectJitStackScripts(JSContext*, js::Debugger::ExecutionObservableSet const&, js::ActivationIterator const&, mozilla::Vector<DebugModeOSREntry, 0ul, js::TempAllocPolicy>&) js/src/jit/BaselineDebugModeOSR.cpp:210:31
/snip

For detailed crash information, see attachment.

This seems to go back to August 2016 (m-c rev 5bf671f59015) and prior; I'm unable to bisect easily even further back now, so setting needinfo? from Jan as a start, as this involves Baseline.

Flags: needinfo?(jdemooij)
Type: task → defect
Depends on: 1566330
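The reproduction steps in comment 0 as a runnable driver. This is an added example, not part of the bug report or of the SpiderMonkey tree: it writes the testcase above to a file and runs it with the same shell flags and ASAN_OPTIONS/LSAN_OPTIONS the reporter used, then checks the sanitizer output for the BaselineDebugModeOSRInfo leak. It assumes (not stated on the page) that JS_SHELL names an ASan-enabled js shell built with --enable-address-sanitizer at the affected revision; if no such shell exists it returns 2 rather than guessing.

```shell
#!/bin/sh
# Reproduction driver for bug 1566189 (added example, not from the report).
# Assumption: JS_SHELL points at an ASan build of the SpiderMonkey shell at
# the affected revision. Without it, run_repro returns 2.

# Testcase text copied from comment 0.
TESTCASE_JS='// Adapted from randomly chosen test: js/src/jit-test/tests/debug/resumption-08.js
g = newGlobal({
    newCompartment: true
});
dbg = new Debugger;
dbg.addDebuggee(g);
f = function(resumptionVal) {
    dbg.onEnterFrame = function(frame) {
        frame.onStep = function() {
            dbg.removeDebuggee(g);
            return {
                return: ""
            };
        }
    }
}
f();
g.eval("(" + function() {} + ")");'

# write_testcase FILE: store the testcase at FILE.
write_testcase() {
    printf '%s\n' "$TESTCASE_JS" > "$1"
}

# run_repro [FILE]: run the testcase with the reporter's flags and LSan
# settings. Exit status: 0 if LSan reports a leak whose backtrace names
# BaselineDebugModeOSRInfo, 1 if the run is leak-free, 2 if no shell is
# available, 3 if a leak is reported but it is not the one in this bug
# (max_leaks=1 limits the report to a single leak, as in comment 0).
run_repro() {
    shell="${JS_SHELL:-./js}"
    file="${1:-./bug1566189.js}"
    write_testcase "$file"
    if [ ! -x "$shell" ]; then
        echo "run_repro: no executable js shell at $shell (set JS_SHELL)" >&2
        return 2
    fi
    # detect_leaks=1 enables LeakSanitizer; the report goes to stderr.
    out=$(ASAN_OPTIONS=detect_leaks=1 LSAN_OPTIONS=max_leaks=1 \
          "$shell" --fuzzing-safe --no-threads --ion-eager "$file" 2>&1)
    case "$out" in
        *"LeakSanitizer: detected memory leaks"*BaselineDebugModeOSRInfo*) return 0 ;;
        *"LeakSanitizer: detected memory leaks"*) return 3 ;;
        *) return 1 ;;
    esac
}

# Stand-alone use: JS_SHELL=/path/to/js sh repro.sh --run [FILE]
if [ "${1:-}" = "--run" ]; then
    run_repro "${2:-}"
    exit $?
fi
```

Run it against the fixed revision (bug 1566330 landed) and it should return 1; against the revision in comment 0 it should return 0. A 3 means LSan found a different leak first, so raise max_leaks to see the rest.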

Heh, this comes at a good time. Bug 1566330 will remove the thing we're leaking here (BaselineDebugModeOSRInfo) and that will fix this too.

Flags: needinfo?(jdemooij)

(In reply to Jan de Mooij [:jandem] from comment #3)
> Heh, this comes at a good time. Bug 1566330 will remove the thing we're leaking here (BaselineDebugModeOSRInfo) and that will fix this too.

It landed.

Status: NEW → RESOLVED
Closed: 5 years ago
Resolution: --- → FIXED
Assignee: nobody → jdemooij
Target Milestone: --- → mozilla70
