Closed Bug 1605254 Opened 4 years ago Closed 4 years ago

Deferred parser allocation leaks BigInt if dead code elimination deletes parse node

Categories

(Core :: JavaScript Engine, defect, P1)

Product:
Core
Component:
JavaScript Engine
Platform:
x86_64
Linux
Type:
defect

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla73
Tracking Flags:
Tracking Status
firefox-esr68 --- unaffected
firefox71 --- wontfix
firefox72 --- wontfix
firefox73 --- fixed

People

(Reporter: mgaudet, Assigned: mgaudet)

References

(Regression)

Details

(Keywords: memory-leak, regression, testcase)

Attachments

(2 files)

Bug 1605254 - Move BigIntCreationData to Stencil.h r?tcampbell
47 bytes, text/x-phabricator-request
Details | Review
Bug 1605254 - Change ownership of BigIntCreationData by holding them on frontend::ParseInfo r?tcampbell
47 bytes, text/x-phabricator-request
Details | Review

+++ This bug was initially created as a clone of Bug #1604952 +++

128n

ASAN_OPTIONS=detect_leaks=1 $ ./dist/bin/js --fuzzing-safe --no-threads --no-baseline --no-ion --parser-deferred-alloc testcase.js

=================================================================
==18722==ERROR: LeakSanitizer: detected memory leaks

Direct leak of 8 byte(s) in 1 object(s) allocated from:
    #0 0x5634c3844f4d  (/home/matthew/unified/js/src/build_asan_DBG.OBJ/dist/bin/js+0x387cf4d)
    #1 0x5634c3a09264  (/home/matthew/unified/js/src/build_asan_DBG.OBJ/dist/bin/js+0x3a41264)
    #2 0x5634c3a09198  (/home/matthew/unified/js/src/build_asan_DBG.OBJ/dist/bin/js+0x3a41198)
    #3 0x5634c3a0907c  (/home/matthew/unified/js/src/build_asan_DBG.OBJ/dist/bin/js+0x3a4107c)
    #4 0x5634c38a0a9a  (/home/matthew/unified/js/src/build_asan_DBG.OBJ/dist/bin/js+0x38d8a9a)
    #5 0x5634c38a2219  (/home/matthew/unified/js/src/build_asan_DBG.OBJ/dist/bin/js+0x38da219)
    #6 0x5634c39ab549  (/home/matthew/unified/js/src/build_asan_DBG.OBJ/dist/bin/js+0x39e3549)

$

Tested this on m-c rev f870bccd07ee.

Configure flags are:

AR=ar sh ./configure --enable-address-sanitizer --disable-jemalloc --with-ccache --enable-gczeal --enable-debug-symbols --disable-tests

This is largely the exact same bug as 1604952.

See Also: → 1604952
Assignee: nobody → mgaudet
Status: NEW → ASSIGNED

Can we land a test for this?

status-firefox71: --- → wontfix
status-firefox72: --- → wontfix
status-firefox-esr68: --- → unaffected
Flags: needinfo?(mgaudet)
Keywords: memory-leak
Pushed by mgaudet@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/9ea8c50d1b1a
Move BigIntCreationData to Stencil.h r=tcampbell
https://hg.mozilla.org/integration/autoland/rev/e36e29c5bd6b
Change ownership of BigIntCreationData by holding them on frontend::ParseInfo r=tcampbell

Good reminder; I did add a test to the landed patches.

Definitely wontfix for previous releases as this code path is dead without explicit opt in.

Flags: needinfo?(mgaudet)
Flags: in-testsuite+

https://hg.mozilla.org/mozilla-central/rev/9ea8c50d1b1a
https://hg.mozilla.org/mozilla-central/rev/e36e29c5bd6b

Status: ASSIGNED → RESOLVED
Closed: 4 years ago
status-firefox73: affectedfixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla73
Has Regression Range: --- → yes
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: