Closed Bug 1943823 Opened 1 year ago Closed 1 year ago

LSan: Direct leak of 256 byte(s) possibly [@ js::ArenaAllocPolicyBase::maybe_pod_arena_malloc]

Categories

(Core :: JavaScript Engine: JIT, defect, P2)

All
Linux
defect

Tracking

RESOLVED FIXED
136 Branch
Tracking Status
firefox-esr128 --- unaffected
firefox134 --- unaffected
firefox135 --- unaffected
firefox136 --- fixed

People

(Reporter: gkw, Assigned: iain)

References

(Blocks 1 open bug, Regression)

Details

(Keywords: regression, reporter-external, testcase)

Attachments

(2 files)

Attached file stack
setJitCompilerOption("offthread-compilation.enable", 1);
try {
  x = y;
} catch (e) {
  print(e);
}

Debug stack:

==2057271==ERROR: LeakSanitizer: detected memory leaks

Direct leak of 256 byte(s) in 1 object(s) allocated from:
    #0 0x648d630b857f in malloc /builds/worker/fetches/llvm-project/compiler-rt/lib/asan/asan_malloc_linux.cpp:68:3
    #1 0x648d6464185a in js_arena_malloc(unsigned long, unsigned long) /home/i32g7900a/shell-cache/js-64-asan-linux-x86_64-86db950c775f/objdir-js/dist/include/js/Utility.h:386:10
    #2 0x648d6464185a in js::jit::RetAddrEntry* js_pod_arena_malloc<js::jit::RetAddrEntry>(unsigned long, unsigned long) /home/i32g7900a/shell-cache/js-64-asan-linux-x86_64-86db950c775f/objdir-js/dist/include/js/Utility.h:602:26
    #3 0x648d6464185a in js::jit::RetAddrEntry* js::ArenaAllocPolicyBase::maybe_pod_arena_malloc<js::jit::RetAddrEntry>(unsigned long, unsigned long) /home/i32g7900a/shell-cache/js-64-asan-linux-x86_64-86db950c775f/objdir-js/dist/include/js/AllocPolicy.h:32:12
    #4 0x648d6464185a in js::jit::RetAddrEntry* js::ArenaAllocPolicyBase::pod_arena_malloc<js::jit::RetAddrEntry>(unsigned long, unsigned long) /home/i32g7900a/shell-cache/js-64-asan-linux-x86_64-86db950c775f/objdir-js/dist/include/js/AllocPolicy.h:45:12
    #5 0x648d6464185a in js::jit::RetAddrEntry* js::AllocPolicyBase::pod_malloc<js::jit::RetAddrEntry>(unsigned long) /home/i32g7900a/shell-cache/js-64-asan-linux-x86_64-86db950c775f/objdir-js/dist/include/js/AllocPolicy.h:75:12
/snip
The first bad revision is:
changeset:   https://hg.mozilla.org/mozilla-central/rev/f4948f1d7709
user:        Iain Ireland
date:        Tue Jan 07 22:17:19 2025 +0000
summary:     Bug 1935289: Compile baseline code offthread r=jandem

Run with --fuzzing-safe --ion-offthread-compile=off --ion-eager and environment variable ASAN_OPTIONS=detect_leaks=1, compile with AR=ar sh ../configure --enable-fuzzing --without-sysroot --enable-address-sanitizer --disable-jemalloc --disable-stdcxx-compat --enable-undefined-sanitizer --with-ccache --enable-nspr-build --enable-ctypes --enable-gczeal --enable-rust-simd --disable-tests, tested on m-c rev 86db950c775f.

Iain, is bug 1935289 a likely regressor?

Flags: needinfo?(iireland)

Set release status flags based on info from the regressing bug 1935289

Ah, good catch. We free the offthread macroassembler in BaselineCompileTask::FinishOffThreadTask, but I didn't notice that there are non-temporary allocations in the baseline compiler too.

Assignee: nobody → iireland
Severity: -- → S4
Flags: needinfo?(iireland)
Priority: -- → P2
Status: NEW → RESOLVED
Closed: 1 year ago
Resolution: --- → FIXED
Target Milestone: --- → 136 Branch
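The ownership mismatch Iain describes, as an added C++ model that is not SpiderMonkey's code: the task tears down the off-thread macroassembler's memory, but the compiler-owned RetAddrEntry table is a separate allocation that survives teardown, which is what LeakSanitizer then reports. All type names, sizes and the counting allocator below are constructed stand-ins.

```cpp
// Constructed model of the ownership mismatch behind the leak; not
// SpiderMonkey code. Every type here is a stand-in: the task tears down the
// off-thread macroassembler's memory but leaves the compiler-owned RetAddrEntry
// table allocated, which is exactly what LeakSanitizer then reports.
#include <cstddef>

static std::size_t g_live_bytes = 0;  // bytes still allocated; LSan's "leaked"

// One counted heap block standing in for a js_pod_arena_malloc allocation.
struct Tracked {
  std::size_t size;
  explicit Tracked(std::size_t n) : size(n) { g_live_bytes += n; }
  ~Tracked() { g_live_bytes -= size; }
  Tracked(const Tracked&) = delete;
  Tracked& operator=(const Tracked&) = delete;
};

// Temporary scratch memory for the off-thread MacroAssembler (stand-in).
struct MacroAssembler { Tracked scratch{4096}; };

// The baseline compiler's non-temporary state: the RetAddrEntry table,
// sized to the 256 bytes the report shows (stand-in for a Vector<RetAddrEntry>).
struct BaselineCompiler { Tracked retAddrEntries{256}; };

// Stand-in for BaselineCompileTask with two teardown paths.
struct BaselineCompileTask {
  MacroAssembler* masm = new MacroAssembler();
  BaselineCompiler* compiler = new BaselineCompiler();

  // Leaky teardown: only the macroassembler is released.
  void finishLeaky() { delete masm; masm = nullptr; }

  // Fixed teardown: everything the task allocated is released, so nothing
  // outlives the task for LSan to find.
  void finishFixed() {
    delete masm; masm = nullptr;
    delete compiler; compiler = nullptr;
  }
};

// Runs one task through teardown and returns the bytes LSan would flag.
std::size_t leakedBytesAfter(bool fixed) {
  g_live_bytes = 0;
  BaselineCompileTask task;
  if (fixed) task.finishFixed(); else task.finishLeaky();
  std::size_t leaked = g_live_bytes;
  delete task.compiler;  // release the modelled leak so the example itself is clean
  return leaked;         // 256 for the leaky path, 0 for the fixed one
}
```

Under an ASan/LSan build the leaky path is what produces a "Direct leak of 256 byte(s)" report; the fixed path gives every allocation an owner that is released on the task's finish path.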