Closed Bug 1879437 Opened 2 years ago Closed 2 years ago

LeakSanitizer: detected memory leaks [@ js::jit::JitHintsMap::addIonHint]

Categories

(Core :: JavaScript Engine: JIT, defect, P2)

x86_64
Linux
defect

Tracking

RESOLVED FIXED
124 Branch
Tracking Status
firefox-esr115 --- unaffected
firefox122 --- wontfix
firefox123 --- wontfix
firefox124 --- fixed

People

(Reporter: gkw, Assigned: denispal)

References

(Blocks 2 open bugs, Regression)

Details

(Keywords: regression, reporter-external, testcase, Whiteboard: [sp3])

Attachments

(2 files)

Attached file stack
// Reduced fuzzer testcase for the SpiderMonkey JS shell. oomTest() is a
// shell-only helper that re-runs its argument while injecting allocation
// failures at successive allocation points.
(function g(x) {
  if (x) {
    g(x - 1);
  }
})(9999);
function f() {
  class foobar extends Object {}
  for (let i = 0; i < 10; i++) {}
  for (let i = 0; i < 10; i++) {}
  for (let i = 0; i < 10; i++) {
    // The closure call in the loop update expression is a call site the
    // Warp oracle may try to inline (see maybeInlineCall in the stack below).
    for (let j = 0; j < 10;
      (function () {
        j++;
      })()
    ) {}
  }
}
f();         // run once normally
oomTest(f);  // then run again under simulated OOM
==21979==ERROR: LeakSanitizer: detected memory leaks

Direct leak of 72 byte(s) in 1 object(s) allocated from:
    #0 0x560e39ac384e in malloc /builds/worker/fetches/llvm-project/compiler-rt/lib/asan/asan_malloc_linux.cpp:69:3
    #1 0x560e3d17fa7f in js_malloc(unsigned long) /home/gen32gx500/shell-cache/js-dbg-64-asan-linux-x86_64-286029e09b16/objdir-js/dist/include/js/Utility.h:374:10
    #2 0x560e3d17fa7f in js::jit::JitHintsMap::IonHint* js_new<js::jit::JitHintsMap::IonHint, unsigned int&>(unsigned int&) /home/gen32gx500/shell-cache/js-dbg-64-asan-linux-x86_64-286029e09b16/objdir-js/dist/include/js/Utility.h:530:1
    #3 0x560e3d17fa7f in js::jit::JitHintsMap::addIonHint(unsigned int, mozilla::detail::HashTable<mozilla::HashMapEntry<unsigned int, js::jit::JitHintsMap::IonHint*>, mozilla::HashMap<unsigned int, js::jit::JitHintsMap::IonHint*, mozilla::DefaultHasher<unsigned int, void>, js::SystemAllocPolicy>::MapHashPolicy, js::SystemAllocPolicy>::AddPtr&) /home/gen32gx500/trees/mozilla-central/js/src/jit/JitHints.cpp:24:19
    #4 0x560e3d183198 in js::jit::JitHintsMap::addMonomorphicInlineLocation(JSScript*, js::BytecodeLocation) /home/gen32gx500/trees/mozilla-central/js/src/jit/JitHints.cpp:124:12
    #5 0x560e3cffdc2e in WarpScriptOracle::maybeInlineCall(mozilla::LinkedList<js::jit::WarpOpSnapshot>&, js::BytecodeLocation, js::jit::ICCacheIRStub*, js::jit::ICFallbackStub*, unsigned char*) /home/gen32gx500/trees/mozilla-central/js/src/jit/WarpOracle.cpp:1131:20
    #6 0x560e3cff7654 in WarpScriptOracle::maybeInlineIC(mozilla::LinkedList<js::jit::WarpOpSnapshot>&, js::BytecodeLocation) /home/gen32gx500/trees/mozilla-central/js/src/jit/WarpOracle.cpp:981:5
    #7 0x560e3cfebd76 in WarpScriptOracle::createScriptSnapshot() /home/gen32gx500/trees/mozilla-central/js/src/jit/WarpOracle.cpp:591:9
    #8 0x560e3cfe8490 in js::jit::WarpOracle::createSnapshot() /home/gen32gx500/trees/mozilla-central/js/src/jit/WarpOracle.cpp:161:3
    #9 0x560e3ce3da30 in js::jit::CreateWarpSnapshot(JSContext*, js::jit::MIRGenerator*, JS::Handle<JSScript*>) /home/gen32gx500/trees/mozilla-central/js/src/jit/Ion.cpp:1627:48
    #10 0x560e3ce27559 in js::jit::IonCompile(JSContext*, JS::Handle<JSScript*>, unsigned char*) /home/gen32gx500/trees/mozilla-central/js/src/jit/Ion.cpp:1697:41
    #11 0x560e3ce27559 in js::jit::Compile(JSContext*, JS::Handle<JSScript*>, js::jit::BaselineFrame*, unsigned char*) /home/gen32gx500/trees/mozilla-central/js/src/jit/Ion.cpp:1890:24
    #12 0x560e3ce2a47c in BaselineCanEnterAtEntry(JSContext*, JS::Handle<JSScript*>, js::jit::BaselineFrame*) /home/gen32gx500/trees/mozilla-central/js/src/jit/Ion.cpp:2022:25
    #13 0x560e3ce2a47c in IonCompileScriptForBaseline(JSContext*, js::jit::BaselineFrame*, unsigned char*) /home/gen32gx500/trees/mozilla-central/js/src/jit/Ion.cpp:2147:12
    #14 0x3131eef083a5  (<unknown module>)
/snip

Run with --fuzzing-safe --no-threads --baseline-eager and ASAN_OPTIONS=detect_leaks=1, compile with AR=ar sh ../configure --enable-debug --enable-address-sanitizer --enable-fuzzing --disable-jemalloc --disable-stdcxx-compat --without-sysroot --with-ccache --enable-nspr-build --enable-ctypes --enable-gczeal --enable-rust-simd --disable-tests, tested on m-c rev 286029e09b16.

It seemed to start happening from between mid-Nov 2023 and mid-Dec 2023, but I'm still checking.

Unlikely to be s-s as this is just a leak, but as JIT stuff is on the stack, I'm setting it until it is looked at.

Flags: sec-bounty?
Group: core-security → javascript-core-security
The first bad revision is:
changeset:   https://hg.mozilla.org/mozilla-central/rev/7dc6122ebd68
user:        Denis Palmeiro
date:        Wed Nov 22 01:53:40 2023 +0000
summary:     Bug 1847258: Use the warmup counter when the last IC is attached as the Ion hint threshold, and adjust inlining heuristics when the hint is used. r=iain

Denis, is bug 1847258 a likely regressor?

Flags: needinfo?(dpalmeiro)
Keywords: regression
Regressed by: 1847258

Set release status flags based on info from the regressing bug 1847258

There's really no need to hide a leak.

Group: javascript-core-security
Assignee: nobody → dpalmeiro
Flags: needinfo?(dpalmeiro)

Could this be triaged for severity?

Severity: -- → S3
Priority: -- → P2
Whiteboard: [sp3]
Pushed by dpalmeiro@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/58c91aae23ff Delete allocated IonHint if it failed to insert into the IonHintMap. r=iain
Status: NEW → RESOLVED
Closed: 2 years ago
Resolution: --- → FIXED
Target Milestone: --- → 124 Branch
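The pattern behind the report and the fix, as an added example that is not code from the bug or from SpiderMonkey: the stack shows an IonHint allocated with js_new and handed to a fallible HashMap::add(), and the landed patch deletes the hint when that insert fails. The model below reproduces both shapes with a stand-in map whose add() can be made to fail on demand. IonHint, IonHintMap, the simulateOOM flag and the leakedAfterOOM/successPathOwnsHint helpers are constructed here for illustration; the fixed version uses std::unique_ptr as an RAII equivalent of the explicit delete-on-failure described in the commit summary.

```cpp
#include <cstdint>
#include <cstdio>
#include <memory>
#include <unordered_map>

// Constructed stand-in for js::jit::JitHintsMap::IonHint: it only counts
// live instances so a leak is observable. Not SpiderMonkey code.
static int gLiveHints = 0;

struct IonHint {
  uint32_t threshold;
  explicit IonHint(uint32_t t) : threshold(t) { ++gLiveHints; }
  ~IonHint() { --gLiveHints; }
};

// Minimal model of a mozilla::HashMap<uint32_t, IonHint*> whose add() can
// fail. The real HashMap::add() returns false when the table cannot grow
// (OOM); here a flag stands in for the allocator failing.
class IonHintMap {
 public:
  bool simulateOOM = false;

  bool add(uint32_t key, IonHint* hint) {
    if (simulateOOM) {
      return false;  // nothing inserted; the caller still owns `hint`
    }
    map_[key] = hint;
    return true;
  }

  IonHint* lookup(uint32_t key) const {
    auto it = map_.find(key);
    return it == map_.end() ? nullptr : it->second;
  }

  // The map owns every hint it successfully inserted.
  ~IonHintMap() {
    for (auto& kv : map_) delete kv.second;
  }

 private:
  std::unordered_map<uint32_t, IonHint*> map_;
};

// Leaky shape: allocate with a raw new, then try the fallible insert. On the
// failure path the pointer is simply dropped, which is the leak
// LeakSanitizer attributed to addIonHint in the report above.
IonHint* addIonHintLeaky(IonHintMap& map, uint32_t key, uint32_t threshold) {
  IonHint* hint = new IonHint(threshold);
  if (!map.add(key, hint)) {
    return nullptr;  // `hint` is never freed
  }
  return hint;
}

// Fixed shape: keep the allocation in a unique_ptr until the map has
// accepted it. Failure frees the hint through the smart pointer's
// destructor; success hands ownership to the map with release().
IonHint* addIonHintFixed(IonHintMap& map, uint32_t key, uint32_t threshold) {
  auto hint = std::make_unique<IonHint>(threshold);
  if (!map.add(key, hint.get())) {
    return nullptr;  // unique_ptr deletes the hint here
  }
  return hint.release();
}

// Runs one insert under simulated OOM and reports how many IonHints were
// left alive afterwards (0 means no leak).
int leakedAfterOOM(bool useFixed) {
  int before = gLiveHints;
  {
    IonHintMap map;
    map.simulateOOM = true;
    IonHint* r = useFixed ? addIonHintFixed(map, 7, 42)
                          : addIonHintLeaky(map, 7, 42);
    (void)r;
  }
  return gLiveHints - before;
}

// Success path: a hint that did insert is reachable through the map and is
// freed when the map goes away.
bool successPathOwnsHint() {
  int before = gLiveHints;
  bool found = false;
  {
    IonHintMap map;
    IonHint* h = addIonHintFixed(map, 7, 42);
    found = (h != nullptr) && map.lookup(7) == h && h->threshold == 42;
  }
  return found && gLiveHints == before;
}

int main() {
  std::printf("leaky version leaves %d hint(s) alive after OOM\n", leakedAfterOOM(false));
  std::printf("fixed version leaves %d hint(s) alive after OOM\n", leakedAfterOOM(true));
  std::printf("success path owns hint: %s\n", successPathOwnsHint() ? "yes" : "no");
  return 0;
}
```

Build with `-fsanitize=address` and run with `ASAN_OPTIONS=detect_leaks=1` to see LeakSanitizer flag the leaky path the same way the report above does; the fixed path produces no report.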

The patch landed in nightly and beta is affected.
:denispal, is this bug important enough to require an uplift?

  • If yes, please nominate the patch for beta approval.
  • If no, please set status-firefox123 to wontfix.

For more information, please visit BugBot documentation.

Flags: needinfo?(dpalmeiro)

I don't think this needs to be uplifted. It's a minor leak that only happens if we go oom.

Flags: needinfo?(dpalmeiro)
Flags: sec-bounty? → sec-bounty-