Closed Bug 1604952 Opened 6 years ago Closed 6 years ago

Differential Testing: Different output message involving deferred parser allocation

Categories

(Core :: JavaScript Engine, defect, P1)

Product:
Core
Component:
JavaScript Engine
Platform:
x86_64
Linux
Type:
defect

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla73
Tracking Flags:
Tracking Status
firefox-esr68 --- unaffected
firefox71 --- unaffected
firefox72 --- wontfix
firefox73 --- fixed

People

(Reporter: gkw, Assigned: mgaudet)

References

(Regression)

Details

(Keywords: memory-leak, regression, testcase)

Attachments

(3 files)

Bug 1604952 - Rename FunctionCreationData.h to Stencil.h r?tcampbell
47 bytes, text/x-phabricator-request
Details | Review
Bug 1604952 - Move RegExpCreationData to Stencil.h r?tcampbell
47 bytes, text/x-phabricator-request
Details | Review
Bug 1604952 - Change ownership of RegExpCreationData by holding them on frontend::ParseInfo r?tcampbell
47 bytes, text/x-phabricator-request
Details | Review 
/x/;

$ ./js-64-asan-linux-x86_64-f870bccd07ee --fuzzing-safe --no-threads --no-baseline --no-ion --parser-deferred-alloc testcase.js
-----------------------------------------------------
Suppressions used:
  count      bytes template
      1          4 js::frontend::Parse
-----------------------------------------------------

$

$ ./js-64-asan-linux-x86_64-f870bccd07ee --fuzzing-safe --no-threads --no-baseline --no-ion testcase.js
$

Tested this on m-c rev f870bccd07ee, run with ASAN_OPTIONS=detect_leaks=1

My configure flags are:

AR=ar sh ./configure --enable-address-sanitizer --disable-jemalloc --with-ccache --enable-gczeal --enable-debug-symbols --disable-tests

autobisectjs shows this is probably related to the following changeset:

The first bad revision is:
changeset: https://hg.mozilla.org/mozilla-central/rev/886319fa10ea
user: Matthew Gaudet
date: Wed Nov 06 18:45:28 2019 +0000
summary: Bug 1580338 - Defer RegExp allocation until after parse r=tcampbell

Matt, is bug 1580338 a likely regressor?

Flags: needinfo?(mgaudet)

100% a likely regressor.

I've been looking at this for a little bit since Gary pinged me offline.

The leaked allocation is here, where we duplicate the RegExp string in RegExpCreationData::init.

It's worth noting that the leak doesn't occur if the regexp is used (so /x/.exec("") does not leak); this makes me suspect the cleanup story is getting corrupted by something like a dead-code elimination pass.

It's seems worth noting that I seem to have lost some of the thread around this exact case when attempting to land this code. It landed with an out-of-date comment that suggested that this would be registered in the ParseInfo, and cleaned up that way; but there's nothing in the ParseInfo of that revision that suggests it was the case.

Working on reverse-engineering how this cleanup does happen right now, and how we could accidentally be losing it.

Flags: needinfo?(mgaudet)

Ah, OK. I see the bug:

So the normal case is that during bytecode emission, when we emit a RegExpLiteral, we need to get the GCThingList index, and so we call this append method, which moves the RegExpCreationData into the GCThingList. At this point, it is the GCThingList being destroyed that cleans up and frees the pointer that's being lost.

In the simple /x/ test case, what's happening is that something (FoldConstants is my guess) deletes the reference to the RegExpLiteralNode, but this means it's no longer emitted, and so the memory is leaked when the LifoAlloc tears down all the parse nodes without running destructors.

As to how to fix this: My feeling is that ParseInfo ought to have a Vector<RegExpCreationData>, and RegExpLiteral ought to refer to the creation data via an index.

Priority: -- → P1
Assignee: nobody → mgaudet

Because I'm planning on moving non-function data into this, I think the time is
potentially right to start calling this stencil.h

As a side effect of removing a now-cylic-dependency, this rehomes
FunctionSytaxKind.

Depends on D57902

By doing this we guarantee RegExpCreationData are cleaned up, avoiding a possible leak where
dead code elimination removes a ParseNode without cleaning up the RegExpCreationData.

Depends on D57903

See Also: → 1605254

I assume we're going to leave Fx72 as-is here. Also, can we land a test for this?

status-firefox71: --- → unaffected
status-firefox72: --- → wontfix
status-firefox-esr68: --- → unaffected
Flags: needinfo?(mgaudet)
Keywords: memory-leak
Pushed by mgaudet@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/54a84425dcf0 Rename FunctionCreationData.h to Stencil.h r=tcampbell
Pushed by mgaudet@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/bf14c11659ad Move RegExpCreationData to Stencil.h r=tcampbell https://hg.mozilla.org/integration/autoland/rev/19f1d3da6e34 Change ownership of RegExpCreationData by holding them on frontend::ParseInfo r=tcampbell

Good reminder; I did add a test to the landed patches.

Definitely wontfix for previous releases as this code path is dead without explicit opt in.

Flags: needinfo?(mgaudet)
Flags: in-testsuite+
Has Regression Range: --- → yes
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: