Closed Bug 1598784 Opened 5 years ago Closed 5 years ago

LeakSanitizer: [@ js::jit::PendingBlock]

Categories

(Core :: JavaScript Engine, defect, P1)

Product:
Core
Component:
JavaScript Engine
Platform:
x86_64
Linux
Type:
defect

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla72
Tracking Flags:
Tracking Status
firefox-esr68 --- unaffected
firefox71 --- unaffected
firefox72 --- fixed

People

(Reporter: gkw, Assigned: jandem)

References

(Regression)

Details

(4 keywords, Whiteboard: [jsbugmon:update])

Attachments

(2 files)

Detailed Crash Information
4.05 KB, text/plain
Details
Bug 1598784 - Use Maybe<PendingEdgesMap> in IonBuilder instead of calling clearAndCompact(). r?tcampbell!
47 bytes, text/x-phabricator-request
Details | Review

The following testcase crashes on mozilla-central revision 2c912e46295e (build with --enable-address-sanitizer, run with --fuzzing-safe --no-threads --ion-eager):

(function() {
    switch (0) {
        case 0:
            f() = 0;
        case -3:
    }
})(new Array);

Backtrace:

Direct leak of 64 byte(s) in 1 object(s) allocated from:
    #0 0x55c7667239f3 in __interceptor_malloc (/home/ubuntu/shell-cache/js-64-asan-linux-x86_64-2c912e46295e/js-64-asan-linux-x86_64-2c912e46295e+0x18549f3)
    #1 0x55c76878a618 in js_arena_malloc(unsigned long, unsigned long) /home/ubuntu/shell-cache/js-64-asan-linux-x86_64-2c912e46295e/objdir-js/dist/include/js/Utility.h:387:10
    #2 0x55c76878a618 in js::jit::PendingBlock* js_pod_arena_malloc<js::jit::PendingBlock>(unsigned long, unsigned long) /home/ubuntu/shell-cache/js-64-asan-linux-x86_64-2c912e46295e/objdir-js/dist/include/js/Utility.h:595
    #3 0x55c76878a618 in js::jit::PendingBlock* js::AllocPolicyBase::maybe_pod_arena_malloc<js::jit::PendingBlock>(unsigned long, unsigned long) /home/ubuntu/shell-cache/js-64-asan-linux-x86_64-2c912e46295e/objdir-js/dist/include/js/AllocPolicy.h:31
    #4 0x55c76878a618 in js::jit::PendingBlock* js::AllocPolicyBase::pod_arena_malloc<js::jit::PendingBlock>(unsigned long, unsigned long) /home/ubuntu/shell-cache/js-64-asan-linux-x86_64-2c912e46295e/objdir-js/dist/include/js/AllocPolicy.h:44
    #5 0x55c76878a618 in js::jit::PendingBlock* js::AllocPolicyBase::pod_malloc<js::jit::PendingBlock>(unsigned long) /home/ubuntu/shell-cache/js-64-asan-linux-x86_64-2c912e46295e/objdir-js/dist/include/js/AllocPolicy.h:70
    #6 0x55c76878a618 in mozilla::Vector<js::jit::PendingBlock, 2ul, js::SystemAllocPolicy>::convertToHeapStorage(unsigned long) /home/ubuntu/shell-cache/js-64-asan-linux-x86_64-2c912e46295e/objdir-js/dist/include/mozilla/Vector.h:937
    #7 0x55c76878a618 in mozilla::Vector<js::jit::PendingBlock, 2ul, js::SystemAllocPolicy>::growStorageBy(unsigned long) /home/ubuntu/shell-cache/js-64-asan-linux-x86_64-2c912e46295e/objdir-js/dist/include/mozilla/Vector.h:1025
    #8 0x55c76865cd8d in bool mozilla::Vector<js::jit::PendingBlock, 2ul, js::SystemAllocPolicy>::append<js::jit::PendingBlock const&>(js::jit::PendingBlock const&) /home/ubuntu/shell-cache/js-64-asan-linux-x86_64-2c912e46295e/objdir-js/dist/include/mozilla/Vector.h:1360:9
    #9 0x55c76865cd8d in js::jit::IonBuilder::addPendingBlock(js::jit::PendingBlock const&, unsigned char*) js/src/jit/IonBuilder.cpp:1721
    #10 0x55c76866c963 in js::jit::IonBuilder::visitTableSwitch() js/src/jit/IonBuilder.cpp:3712:5
    #11 0x55c768652de4 in js::jit::IonBuilder::inspectOpcode(JSOp, bool*) js/src/jit/IonBuilder.cpp:2051:14
    #12 0x55c7686448f7 in js::jit::IonBuilder::traverseBytecode() js/src/jit/IonBuilder.cpp:1604:5
    #13 0x55c768631b4e in js::jit::IonBuilder::build() js/src/jit/IonBuilder.cpp:957:3
/snip

For detailed crash information, see attachment.

autobisectjs shows this is probably related to the following changeset:

The first bad revision is:
changeset: https://hg.mozilla.org/mozilla-central/rev/03783d54b398
user: Jan de Mooij
date: Wed Nov 20 17:03:29 2019 +0000
summary: Bug 1595476 part 3 - Rewrite and simplify control flow logic in Ion for bytecode -> MIR compilation. r=tcampbell

Jan, is bug 1595476 a likely regressor?

Flags: needinfo?(jdemooij)
Regressed by: 1595476

This ensures we properly destruct inline elements too.

Assignee: nobody → jdemooij
Status: NEW → ASSIGNED
Flags: needinfo?(jdemooij)
Priority: -- → P1
Pushed by jdemooij@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/ef87e6c97e44
Use Maybe<PendingEdgesMap> in IonBuilder instead of calling clearAndCompact(). r=tcampbell

https://hg.mozilla.org/mozilla-central/rev/ef87e6c97e44

Status: ASSIGNED → RESOLVED
Closed: 5 years ago
status-firefox72: affectedfixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla72
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: