Closed Bug 1794317 Opened 3 years ago Closed 3 years ago

LeakSanitizer: [@ js::irregexp::InitializeNamedCaptures] with RegExp

Categories

(Core :: JavaScript Engine, defect, P1)

All
Linux
defect

Tracking


RESOLVED FIXED
107 Branch
Tracking Status
firefox-esr102 --- unaffected
firefox105 --- wontfix
firefox106 --- wontfix
firefox107 --- fixed

People

(Reporter: gkw, Assigned: iain)

References

(Blocks 2 open bugs, Regression)

Details

(Keywords: regression, testcase)

Attachments

(1 file)

for (let i = 0; i < 2; i++) {
  let j = 0;
  oomTest(function () {
    RegExp("(?<" + (j++).toString(32) + ">)").exec();
  })
}
==30873==ERROR: LeakSanitizer: detected memory leaks

Direct leak of 16 byte(s) in 4 object(s) allocated from:
    #0 0x561ed1d2eebe in malloc /builds/worker/fetches/llvm-project/compiler-rt/lib/asan/asan_malloc_linux.cpp:69:3
    #1 0x561ed3d3a8fd in js_arena_malloc(unsigned long, unsigned long) /home/skygentoo/shell-cache/js-dbg-64-asan-linux-x86_64-b8567457ece9/objdir-js/dist/include/js/Utility.h:366:10
    #2 0x561ed3d3a8fd in js_malloc(unsigned long) /home/skygentoo/shell-cache/js-dbg-64-asan-linux-x86_64-b8567457ece9/objdir-js/dist/include/js/Utility.h:370:10
    #3 0x561ed3d3a8fd in js::irregexp::InitializeNamedCaptures(JSContext*, JS::Handle<js::RegExpShared*>, v8::internal::ZoneVector<v8::internal::RegExpCapture*>*) /home/skygentoo/trees/mozilla-central/js/src/irregexp/RegExpAPI.cpp:638:53
    #4 0x561ed3d3cad0 in js::irregexp::CompilePattern(JSContext*, JS::MutableHandle<js::RegExpShared*>, JS::Handle<JSLinearString*>, js::RegExpShared::CodeKind) /home/skygentoo/trees/mozilla-central/js/src/irregexp/RegExpAPI.cpp:723:12
    #5 0x561ed2a1fa45 in js::RegExpShared::execute(JSContext*, JS::MutableHandle<js::RegExpShared*>, JS::Handle<JSLinearString*>, unsigned long, js::VectorMatchPairs*) /home/skygentoo/trees/mozilla-central/js/src/vm/RegExpObject.cpp:634:8
    #6 0x561ed2016b64 in ExecuteRegExpImpl(JSContext*, js::RegExpStatics*, JS::MutableHandle<js::RegExpShared*>, JS::Handle<JSLinearString*>, unsigned long, js::VectorMatchPairs*) /home/skygentoo/trees/mozilla-central/js/src/builtin/RegExp.cpp:298:7
    #7 0x561ed2016b64 in ExecuteRegExp(JSContext*, JS::Handle<JSObject*>, JS::Handle<JSString*>, int, js::VectorMatchPairs*) /home/skygentoo/trees/mozilla-central/js/src/builtin/RegExp.cpp:1122:7
    #8 0x561ed2012f54 in RegExpMatcherImpl(JSContext*, JS::Handle<JSObject*>, JS::Handle<JSString*>, int, JS::MutableHandle<JS::Value>) /home/skygentoo/trees/mozilla-central/js/src/builtin/RegExp.cpp:1144:7
    #9 0x561ed2013764 in js::RegExpMatcherRaw(JSContext*, JS::Handle<JSObject*>, JS::Handle<JSString*>, int, js::MatchPairs*, JS::MutableHandle<JS::Value>) /home/skygentoo/trees/mozilla-central/js/src/builtin/RegExp.cpp:1196:10
    #10 0x1883ab86ad53  (<unknown module>)
    #11 0x1883ab89b941  (<unknown module>)
    #12 0x1883ab89b0b4  (<unknown module>)
    #13 0x1883ab89a873  (<unknown module>)
    #14 0x1883ab8567a4  (<unknown module>)
    #15 0x1883ab89a209  (<unknown module>)
    #16 0x1883ab899579  (<unknown module>)
    #17 0x1883ab856d88  (<unknown module>)
    #18 0x561ed4c34d43 in EnterJit(JSContext*, js::RunState&, unsigned char*) /home/skygentoo/trees/mozilla-central/js/src/jit/Jit.cpp:107:5
    #19 0x561ed4c34d43 in js::jit::MaybeEnterJit(JSContext*, js::RunState&) /home/skygentoo/trees/mozilla-central/js/src/jit/Jit.cpp:205:10
    #20 0x561ed206132c in js::RunScript(JSContext*, js::RunState&) /home/skygentoo/trees/mozilla-central/js/src/vm/Interpreter.cpp:421:32
    #21 0x561ed20a1e00 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /home/skygentoo/trees/mozilla-central/js/src/vm/Interpreter.cpp:579:13
    #22 0x561ed20a48a4 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>, js::CallReason) /home/skygentoo/trees/mozilla-central/js/src/vm/Interpreter.cpp:646:8
    #23 0x561ed23c7d0f in JS_CallFunction(JSContext*, JS::Handle<JSObject*>, JS::Handle<JSFunction*>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) /home/skygentoo/trees/mozilla-central/js/src/vm/CallAndConstruct.cpp:72:10
    #24 0x561ed2e7f1d6 in IterativeFailureTest::testIteration(unsigned int, unsigned int, bool&, JS::MutableHandle<JS::Value>) /home/skygentoo/trees/mozilla-central/js/src/builtin/TestingFunctions.cpp:3490:13
    #25 0x561ed2e7e8f8 in IterativeFailureTest::testThread(unsigned int) /home/skygentoo/trees/mozilla-central/js/src/builtin/TestingFunctions.cpp:3452:10
    #26 0x561ed2e7cbaa in IterativeFailureTest::test() /home/skygentoo/trees/mozilla-central/js/src/builtin/TestingFunctions.cpp:3402:10
    #27 0x561ed2e7cbaa in RunIterativeFailureTest(JSContext*, JS::CallArgs const&, IterativeFailureTest::FailureSimulator&) /home/skygentoo/trees/mozilla-central/js/src/builtin/TestingFunctions.cpp:3383:40
    #28 0x561ed2eba08c in OOMTest(JSContext*, unsigned int, JS::Value*) /home/skygentoo/trees/mozilla-central/js/src/builtin/TestingFunctions.cpp:3638:8
    #29 0x1883ab896c32  (<unknown module>)
    #30 0x1883ab89637b  (<unknown module>)
    #31 0x1883ab856d88  (<unknown module>)
    #32 0x561ed4c34d43 in EnterJit(JSContext*, js::RunState&, unsigned char*) /home/skygentoo/trees/mozilla-central/js/src/jit/Jit.cpp:107:5
    #33 0x561ed4c34d43 in js::jit::MaybeEnterJit(JSContext*, js::RunState&) /home/skygentoo/trees/mozilla-central/js/src/jit/Jit.cpp:205:10
    #34 0x561ed206132c in js::RunScript(JSContext*, js::RunState&) /home/skygentoo/trees/mozilla-central/js/src/vm/Interpreter.cpp:421:32
    #35 0x561ed20a865c in js::ExecuteKernel(JSContext*, JS::Handle<JSScript*>, JS::Handle<JSObject*>, js::AbstractFramePtr, JS::MutableHandle<JS::Value>) /home/skygentoo/trees/mozilla-central/js/src/vm/Interpreter.cpp:825:13

SUMMARY: AddressSanitizer: 16 byte(s) leaked in 4 allocation(s).
Due to skipped revisions, the first bad revision could be any of:
changeset:   https://hg.mozilla.org/mozilla-central/rev/0e09bbc94f04
user:        Iain Ireland
date:        Wed Aug 03 18:06:47 2022 +0000
summary:     Bug 1779849: Re-import irregexp r=mgaudet

changeset:   https://hg.mozilla.org/mozilla-central/rev/f390b51c4e67
user:        Iain Ireland
date:        Wed Aug 03 18:06:48 2022 +0000
summary:     Bug 1779849: Use enum class in CheckSpecialCharacterClass r=mgaudet

changeset:   https://hg.mozilla.org/mozilla-central/rev/72e453021744
user:        Iain Ireland
date:        Wed Aug 03 18:06:49 2022 +0000
summary:     Bug 1779849: Refactor ByteArray r=mgaudet

changeset:   https://hg.mozilla.org/mozilla-central/rev/a33a389e957a
user:        Iain Ireland
date:        Wed Aug 03 18:06:49 2022 +0000
summary:     Bug 1779849: Implement CheckCharacterInRangeArray r=mgaudet

changeset:   https://hg.mozilla.org/mozilla-central/rev/3f5b77469ad0
user:        Iain Ireland
date:        Wed Aug 03 18:06:50 2022 +0000
summary:     Bug 1779849: Refactor InitializeNamedCaptures r=mgaudet

changeset:   https://hg.mozilla.org/mozilla-central/rev/58a6369ecf67
user:        Iain Ireland
date:        Wed Aug 03 18:06:50 2022 +0000
summary:     Bug 1779849: Update RegExpStack code r=mgaudet

changeset:   https://hg.mozilla.org/mozilla-central/rev/282f8562675c
user:        Iain Ireland
date:        Wed Aug 03 18:06:51 2022 +0000
summary:     Bug 1779849: Update RegExpFlags r=mgaudet

changeset:   https://hg.mozilla.org/mozilla-central/rev/a1954be3f4f9
user:        Iain Ireland
date:        Wed Aug 03 18:06:51 2022 +0000
summary:     Bug 1779849: Remove FlatStringReader r=mgaudet

changeset:   https://hg.mozilla.org/mozilla-central/rev/3b1c86a28842
user:        Iain Ireland
date:        Wed Aug 03 18:06:51 2022 +0000
summary:     Bug 1779849: Move definitions into base namespace r=mgaudet

changeset:   https://hg.mozilla.org/mozilla-central/rev/77243ba8b574
user:        Iain Ireland
date:        Wed Aug 03 18:06:52 2022 +0000
summary:     Bug 1779849: Miscellaneous shim changes r=mgaudet

changeset:   https://hg.mozilla.org/mozilla-central/rev/13be26ada116
user:        Iain Ireland
date:        Wed Aug 03 18:06:52 2022 +0000
summary:     Bug 1779849: Support zone allocation for SmallVec r=mgaudet

changeset:   https://hg.mozilla.org/mozilla-central/rev/b622378d5a70
user:        Iain Ireland
date:        Wed Aug 03 18:06:53 2022 +0000
summary:     Bug 1779849: Update stack overflow detection r=mgaudet

Run with --fuzzing-safe --no-threads --baseline-eager --no-ion (with ASAN_OPTIONS=detect_leaks=1), compile with AR=ar sh ./configure --enable-debug --enable-address-sanitizer --disable-jemalloc --with-ccache --enable-gczeal --enable-debug-symbols --disable-tests, tested on m-c rev b8567457ece9.

Guessing likely not s-s. Iain, is bug 1779849 a likely regressor?

Flags: needinfo?(iireland)

Set release status flags based on info from the regressing bug 1779849

This sounds like an easy fix, in the few return false cases which are in the following loop.
Is this bug affecting upstream code as well?

Blocks: sm-runtime
Severity: -- → S4
Priority: -- → P1
Assignee: nobody → iireland
Status: NEW → ASSIGNED

(In reply to Nicolas B. Pierron [:nbp] from comment #2)

> Is this bug affecting upstream code as well?

No, this bug is in the glue code between SM and irregexp.

Flags: needinfo?(iireland)
Status: ASSIGNED → RESOLVED
Closed: 3 years ago
Resolution: --- → FIXED
Target Milestone: --- → 107 Branch
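The leak class nbp's comment describes (an early `return false` inside the loop dropping memory that was already allocated), as an added example that is not SpiderMonkey or irregexp code: every name here, the fault-injecting allocator and the RAII fix are assumptions modelled on the report, and the driver mimics the shell's oomTest() by failing each allocation in turn and counting what is still live afterwards.

```cpp
// Added example, not SpiderMonkey code: models the leak class in this bug. A
// capture-name table is built in a loop and an allocation failure inside the
// loop returns false early. A fault-injecting allocator replays oomTest().
#include <cstdlib>
#include <memory>
#include <vector>
static int g_failAt = -1;  // allocation index to fail (-1 = never)
static int g_allocs = 0;   // allocations attempted in this run
static int g_live = 0;     // outstanding allocations (the leak counter)
static void* fallibleAlloc(size_t n) {  // constructed stand-in for js_malloc
  if (g_allocs++ == g_failAt) return nullptr;
  ++g_live;  // assumes the real malloc succeeds in this small example
  return std::malloc(n);
}
static void fallibleFree(void* p) { if (p) { --g_live; std::free(p); } }
struct Freer { void operator()(void* p) const { fallibleFree(p); } };
// Leaky shape: `names` is a raw owner; the early `return false` drops it.
static bool initNamesLeaky(const std::vector<size_t>& nameLens) {
  void* names = fallibleAlloc(nameLens.size() * sizeof(void*));
  if (!names) return false;
  for (size_t len : nameLens) {
    void* atom = fallibleAlloc(len + 1);  // per-capture name allocation
    if (!atom) return false;              // leaks `names`
    fallibleFree(atom);
  }
  fallibleFree(names);
  return true;
}
// Fixed shape: RAII owners release on every exit path, early returns included.
static bool initNamesFixed(const std::vector<size_t>& nameLens) {
  std::unique_ptr<void, Freer> names(fallibleAlloc(nameLens.size() * sizeof(void*)));
  if (!names) return false;
  for (size_t len : nameLens) {
    std::unique_ptr<void, Freer> atom(fallibleAlloc(len + 1));
    if (!atom) return false;  // both owners are released here
  }
  return true;
}
// oomTest()-style driver: sum allocations still live after each injected failure.
static int leakedUnderOom(bool (*fn)(const std::vector<size_t>&)) {
  const std::vector<size_t> nameLens = {1, 1, 1};  // constructed input: 3 names
  int leaked = 0;
  for (int n = 0; n < 64; n++) {
    g_failAt = n; g_allocs = 0; g_live = 0;
    bool ok = fn(nameLens);
    leaked += g_live;
    if (ok) break;  // no failure hit: every allocation point has been covered
  }
  return leaked;
}
```

A result of 0 from `leakedUnderOom` means no exit path leaks; the leaky shape reports one leaked table per failing loop iteration.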
