Closed Bug 1917564 Opened 9 months ago Closed 9 months ago

LeakSanitizer: [@ malloc] through [@ js::jit::CompilationDependencyTracker::addDependency]

Categories

(Core :: JavaScript Engine: JIT, defect, P2)

x86_64
Linux
defect

Tracking


RESOLVED FIXED
132 Branch
Tracking Status
firefox-esr115 --- unaffected
firefox-esr128 --- unaffected
firefox130 --- unaffected
firefox131 --- unaffected
firefox132 --- fixed

People

(Reporter: decoder, Assigned: mgaudet)

References

(Blocks 1 open bug, Regression)

Details

(Keywords: regression, Whiteboard: [bugmon:update,bisect][fuzzblocker])

Attachments

(2 files)

The following testcase leaks on mozilla-central revision 20240908-eb90f648ee67 (asan-opt build, run with --fuzzing-safe --wasm-compiler=baseline --test-wasm-await-tier2 --no-asmjs --ion-warmup-threshold=0 --fast-warmup --scalar-replace-arguments --more-compartments --spectre-mitigations=on --ion-offthread-compile=off --no-incremental-gc --baseline-warmup-threshold=0 --baseline-eager -e maxRunTime=12000):

Backtrace:

==1927015==ERROR: LeakSanitizer: detected memory leaks
Direct leak of 512 byte(s) in 4 object(s) allocated from:
    #0 0x55c54cf4613f in malloc /builds/worker/fetches/llvm-project/compiler-rt/lib/asan/asan_malloc_linux.cpp:68:3
    #1 0x55c54e49aecf in js_arena_malloc /builds/worker/workspace/obj-build/dist/include/js/Utility.h:385:10
    #2 0x55c54e49aecf in js_pod_arena_malloc<mozilla::UniquePtr<js::jit::CompilationDependency, JS::DeletePolicy<js::jit::CompilationDependency> > > /builds/worker/workspace/obj-build/dist/include/js/Utility.h:601:26
    #3 0x55c54e49aecf in maybe_pod_arena_malloc<mozilla::UniquePtr<js::jit::CompilationDependency, JS::DeletePolicy<js::jit::CompilationDependency> > > /builds/worker/workspace/obj-build/dist/include/js/AllocPolicy.h:32:12
    #4 0x55c54e49aecf in pod_arena_malloc<mozilla::UniquePtr<js::jit::CompilationDependency, JS::DeletePolicy<js::jit::CompilationDependency> > > /builds/worker/workspace/obj-build/dist/include/js/AllocPolicy.h:45:12
    #5 0x55c54e49aecf in pod_malloc<mozilla::UniquePtr<js::jit::CompilationDependency, JS::DeletePolicy<js::jit::CompilationDependency> > > /builds/worker/workspace/obj-build/dist/include/js/AllocPolicy.h:75:12
    #6 0x55c54e49aecf in mozilla::Vector<mozilla::UniquePtr<js::jit::CompilationDependency, JS::DeletePolicy<js::jit::CompilationDependency>>, 8ul, js::SystemAllocPolicy>::convertToHeapStorage(unsigned long) /builds/worker/workspace/obj-build/dist/include/mozilla/Vector.h:1027:30
    #7 0x55c54e3d0d01 in append<mozilla::UniquePtr<js::jit::CompilationDependency, JS::DeletePolicy<js::jit::CompilationDependency> > > /builds/worker/workspace/obj-build/dist/include/mozilla/Vector.h:1474:9
    #8 0x55c54e3d0d01 in js::jit::CompilationDependencyTracker::addDependency(js::jit::CompilationDependency&) /js/src/jit/CompilationDependencyTracker.h:52:25
    #9 0x55c54e48bc71 in WarpCacheIRTranspiler::emitGuardGlobalGeneration(unsigned int, unsigned int, unsigned int) /js/src/jit/WarpCacheIRTranspiler.cpp:6604:27
    #10 0x55c54e3c09bb in emitGuardGlobalGeneration /js/src/jit/WarpCacheIRTranspiler.cpp:313:3
    #11 0x55c54e3c09bb in WarpCacheIRTranspiler::transpile(std::initializer_list<js::jit::MDefinition*>) /js/src/jit/WarpCacheIRTranspiler.cpp:345:7
    #12 0x55c54e48bf5d in js::jit::TranspileCacheIRToMIR(js::jit::WarpBuilder*, js::BytecodeLocation, js::jit::WarpCacheIR const*, std::initializer_list<js::jit::MDefinition*>, js::jit::CallInfo*) /js/src/jit/WarpCacheIRTranspiler.cpp:6663:19
    #13 0x55c54e3675b4 in js::jit::WarpBuilder::buildIC(js::BytecodeLocation, js::jit::CacheKind, std::initializer_list<js::jit::MDefinition*>) /js/src/jit/WarpBuilder.cpp:3292:12
    #14 0x55c54e3548f8 in js::jit::WarpBuilder::build_GetGName(js::BytecodeLocation) /js/src/jit/WarpBuilder.cpp:1935:10
    #15 0x55c54e324e0c in js::jit::WarpBuilder::buildBody() /js/src/jit/WarpBuilder.cpp:673:19
    #16 0x55c54e378535 in buildInline /js/src/jit/WarpBuilder.cpp:320:8
    #17 0x55c54e378535 in js::jit::WarpBuilder::buildInlinedCall(js::BytecodeLocation, js::jit::WarpInlinedCall const*, js::jit::CallInfo&) /js/src/jit/WarpBuilder.cpp:3637:22
    #18 0x55c54e3768e9 in js::jit::WarpBuilder::buildCallOp(js::BytecodeLocation) /js/src/jit/WarpBuilder.cpp:1833:12
    #19 0x55c54e32336b in js::jit::WarpBuilder::buildBody() /js/src/jit/WarpBuilder.cpp:673:19
    #20 0x55c54e378535 in buildInline /js/src/jit/WarpBuilder.cpp:320:8
    #21 0x55c54e378535 in js::jit::WarpBuilder::buildInlinedCall(js::BytecodeLocation, js::jit::WarpInlinedCall const*, js::jit::CallInfo&) /js/src/jit/WarpBuilder.cpp:3637:22
    #22 0x55c54e3768e9 in js::jit::WarpBuilder::buildCallOp(js::BytecodeLocation) /js/src/jit/WarpBuilder.cpp:1833:12
    #23 0x55c54e32336b in js::jit::WarpBuilder::buildBody() /js/src/jit/WarpBuilder.cpp:673:19
    #24 0x55c54e320979 in js::jit::WarpBuilder::build() /js/src/jit/WarpBuilder.cpp:300:8
    #25 0x55c54e8ad5dc in js::jit::CompileBackEnd(js::jit::MIRGenerator*, js::jit::WarpSnapshot*) /js/src/jit/Ion.cpp:1627:18
    #26 0x55c54e8af540 in IonCompile /js/src/jit/Ion.cpp:1767:38
    #27 0x55c54e8af540 in js::jit::Compile(JSContext*, JS::Handle<JSScript*>, js::jit::BaselineFrame*, unsigned char*) /js/src/jit/Ion.cpp:1921:24
    #28 0x55c54e8b010b in IonCompileScriptForBaseline(JSContext*, js::jit::BaselineFrame*, unsigned char*) /js/src/jit/Ion.cpp
    #29 0x357aafe5b08a  (<unknown module>)
    [...]
    #37 0x357aafe574e5  (<unknown module>)
    #38 0x55c54e907dee in EnterJit /js/src/jit/Jit.cpp:115:5
    #39 0x55c54e907dee in js::jit::MaybeEnterJit(JSContext*, js::RunState&) /js/src/jit/Jit.cpp:261:10
    #40 0x55c54d29c714 in js::RunScript(JSContext*, js::RunState&) /js/src/vm/Interpreter.cpp:449:32

SUMMARY: AddressSanitizer: 512 byte(s) leaked in 4 allocation(s).

jsfunfuzz started spamming this some time around the weekend with very high frequency. I wasn't able to reduce this to a test so far.

Flags: needinfo?(mgaudet)

When off-thread compile is explicitly kicked off, we then explicitly clear the dependencies before freeing the lifo alloc. However, we need to -also- free the backing store for the vector, as we cannot rely on the vector destructor either!

Assignee: nobody → mgaudet
Status: NEW → ASSIGNED
Flags: needinfo?(mgaudet)
Severity: -- → S3
Priority: -- → P2
Blocks: sm-jits
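The fix description above names the mechanism: the dependency tracker lives in LifoAlloc-backed memory, so its Vector destructor never runs, and clearing the entries still leaves the vector's heap backing store allocated (frame #6 of the backtrace, convertToHeapStorage, shows the 8-element inline buffer had been exceeded). The following is an added illustration of that pattern, not SpiderMonkey code: a bump arena stands in for LifoAlloc, a std::vector with a counting allocator stands in for mozilla::Vector, and Tracker, Arena, Dependency and clearAndFree are hypothetical names. std::vector has no inline storage, so every push spills to the heap; otherwise the mechanism is the same.

```cpp
// Added example (not from the bug or from SpiderMonkey): an arena-placed
// object whose destructor never runs. Clearing its vector destroys the
// elements but keeps the heap buffer; the buffer must be freed explicitly.
#include <cstddef>
#include <cstdio>
#include <memory>
#include <new>
#include <utility>
#include <vector>

static std::size_t gLiveDeps = 0;         // live Dependency objects
static std::size_t gLiveVectorBytes = 0;  // bytes held by vector heap buffers

struct Dependency {
  explicit Dependency(int k) : kind(k) { ++gLiveDeps; }
  ~Dependency() { --gLiveDeps; }
  int kind;
};

// Minimal allocator that books the vector's heap storage so a test can see
// whether it was returned. Stateless, so all instances compare equal.
template <typename T>
struct CountingAlloc {
  using value_type = T;
  CountingAlloc() = default;
  template <typename U> CountingAlloc(const CountingAlloc<U>&) noexcept {}
  T* allocate(std::size_t n) {
    gLiveVectorBytes += n * sizeof(T);
    return static_cast<T*>(::operator new(n * sizeof(T)));
  }
  void deallocate(T* p, std::size_t n) noexcept {
    gLiveVectorBytes -= n * sizeof(T);
    ::operator delete(p);
  }
  template <typename U> bool operator==(const CountingAlloc<U>&) const noexcept { return true; }
  template <typename U> bool operator!=(const CountingAlloc<U>&) const noexcept { return false; }
};

using DepPtr = std::unique_ptr<Dependency>;
using DepVector = std::vector<DepPtr, CountingAlloc<DepPtr>>;

// Hypothetical stand-in for CompilationDependencyTracker.
struct Tracker {
  DepVector deps;
  void addDependency(int kind) { deps.push_back(std::make_unique<Dependency>(kind)); }
};

// Bump allocator standing in for LifoAlloc: hands out raw storage and keeps no
// record of what was constructed there, so freeAll() runs no destructors.
class Arena {
  alignas(std::max_align_t) unsigned char buf_[256];
  std::size_t used_ = 0;
 public:
  template <typename T, typename... Args>
  T* make(Args&&... args) {
    void* p = buf_ + used_;
    used_ += sizeof(T);
    return ::new (p) T(std::forward<Args>(args)...);
  }
  void freeAll() { used_ = 0; }  // storage reclaimed, destructors NOT run
};

// Analogue of mozilla::Vector::clearAndFree(): destroy the elements AND give
// the heap buffer back, which plain clear() keeps as capacity.
template <typename V>
void clearAndFree(V& v) { V().swap(v); }

struct Leaks { std::size_t deps; std::size_t vectorBytes; };

static Leaks runScenario(bool freeBackingStore, std::size_t count) {
  gLiveDeps = 0; gLiveVectorBytes = 0;
  Arena arena;
  Tracker* t = arena.make<Tracker>();
  for (std::size_t i = 0; i < count; ++i) t->addDependency(static_cast<int>(i));
  if (freeBackingStore) clearAndFree(t->deps);
  else t->deps.clear();   // pre-fix behaviour: elements gone, buffer kept
  arena.freeAll();        // Tracker's memory is gone; ~DepVector never runs
  return Leaks{gLiveDeps, gLiveVectorBytes};
}

Leaks teardownClearOnly(std::size_t count = 16) { return runScenario(false, count); }
Leaks teardownClearAndFree(std::size_t count = 16) { return runScenario(true, count); }

int main() {
  Leaks a = teardownClearOnly();
  Leaks b = teardownClearAndFree();
  std::printf("clear() only:  %zu deps leaked, %zu vector bytes leaked\n", a.deps, a.vectorBytes);
  std::printf("clearAndFree:  %zu deps leaked, %zu vector bytes leaked\n", b.deps, b.vectorBytes);
  return 0;
}
```

Under LeakSanitizer the first scenario reports exactly the shape seen in the backtrace: no Dependency objects leak (clear() ran their destructors), only the vector's heap buffer, allocated from within the append path. The swap-with-empty idiom releases that buffer deterministically; shrink_to_fit() would not, since the standard makes it non-binding.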
Pushed by mgaudet@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/1dbdc13d7d46 Don't forget to free backing store for CompilationDependencies r=jandem
Status: ASSIGNED → RESOLVED
Closed: 9 months ago
Resolution: --- → FIXED
Target Milestone: --- → 132 Branch
