LSan: Indirect leak of 32768 byte(s) possibly [@ js::LifoAlloc::newChunkWithCapacity]
Categories
(Core :: JavaScript Engine: JIT, defect, P1)
Tracking
| Branch | Tracking | Status |
|---|---|---|
| firefox-esr128 | --- | unaffected |
| firefox134 | --- | unaffected |
| firefox135 | --- | unaffected |
| firefox136 | --- | wontfix |
| firefox137 | --- | fixed |
People
(Reporter: gkw, Assigned: iain)
References
(Blocks 1 open bug, Regression)
Details
(Keywords: regression, reporter-external, testcase)
Attachments
(2 files)
```js
// Reporter's testcase for the SpiderMonkey JS shell (needs the shell-only
// helpers setJitCompilerOption and oomAtAllocation). Comments added; the
// testcase body is unchanged.
for (var i = 0; i < 9; i++) {}
// Turn on the experimental off-thread (baseline) compilation path.
setJitCompilerOption("offthread-compilation.enable", 1);
var x = 55;
// Inject a simulated OOM at a decreasing allocation count, so one of the
// iterations fails exactly inside the off-thread compile's LifoAlloc.
eval(" \
for (let j = 0; j < 56; j++) { \
for (let k = 0; k < 1; k++) { \
oomAtAllocation(x, 4); \
} \
x--; \
if (x < 1) break; \
} \
");
```
Debug stack:
```text
==400582==ERROR: LeakSanitizer: detected memory leaks
Indirect leak of 32768 byte(s) in 1 object(s) allocated from:
#0 0x594e3fe5703f in malloc /builds/worker/fetches/llvm-project/compiler-rt/lib/asan/asan_malloc_linux.cpp:68:3
#1 0x594e41002724 in js_arena_malloc(unsigned long, unsigned long) /home/i32g7900a/shell-cache/js-dbg-64-asan-linux-x86_64-2bc2e0070931/objdir-js/dist/include/js/Utility.h:386:10
#2 0x594e41002724 in js::detail::BumpChunk::newWithCapacity(unsigned long, unsigned long) /home/i32g7900a/trees/mozilla-central/js/src/ds/LifoAlloc.cpp:28:15
#3 0x594e41003e8f in js::LifoAlloc::newChunkWithCapacity(unsigned long, bool) /home/i32g7900a/trees/mozilla-central/js/src/ds/LifoAlloc.cpp:189:7
#4 0x594e410042d9 in js::LifoAlloc::getOrCreateChunk(unsigned long) /home/i32g7900a/trees/mozilla-central/js/src/ds/LifoAlloc.cpp:221:30
#5 0x594e4100451d in js::LifoAlloc::allocImplColdPath(unsigned long) /home/i32g7900a/trees/mozilla-central/js/src/ds/LifoAlloc.cpp:231:30
#6 0x594e42696cf7 in js::LifoAlloc::allocImpl(unsigned long) /home/i32g7900a/trees/mozilla-central/js/src/ds/LifoAlloc.h:773:12
/snip
```
Run with `--fuzzing-safe --no-ion` and environment variable `ASAN_OPTIONS=detect_leaks=1`, compile with `AR=ar sh ../configure --enable-debug --enable-fuzzing --without-sysroot --enable-address-sanitizer --disable-jemalloc --disable-stdcxx-compat --enable-undefined-sanitizer --with-ccache --enable-nspr-build --enable-ctypes --enable-gczeal --enable-rust-simd --disable-tests`, tested on m-c rev 2bc2e0070931.
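As an added example, not part of this bug and not the reporter's fuzzing tooling, the following Python script parses the LeakSanitizer report quoted above into structured leak records and derives a triage signature in the `[@ symbol]` form used in the bug title. The report text is embedded as constructed sample input copied from the frames above; the rule for choosing the attribution frame (skip the sanitizer runtime, raw allocation primitives and the `js::detail::` allocator internals) is my own heuristic, not the one the reporter's tool applies. Note the "Indirect" kind: LSan reports a block as an indirect leak when it is reachable only through another leaked block, so the interesting question for this report is which owner of the LifoAlloc chunk was itself dropped.

```python
import re
from dataclasses import dataclass, field

# Constructed sample input: the LSan output quoted in this bug, frames #0-#6
# (the reporter snipped the remaining frames).
LSAN_REPORT = """\
==400582==ERROR: LeakSanitizer: detected memory leaks

Indirect leak of 32768 byte(s) in 1 object(s) allocated from:
    #0 0x594e3fe5703f in malloc /builds/worker/fetches/llvm-project/compiler-rt/lib/asan/asan_malloc_linux.cpp:68:3
    #1 0x594e41002724 in js_arena_malloc(unsigned long, unsigned long) /home/i32g7900a/shell-cache/js-dbg-64-asan-linux-x86_64-2bc2e0070931/objdir-js/dist/include/js/Utility.h:386:10
    #2 0x594e41002724 in js::detail::BumpChunk::newWithCapacity(unsigned long, unsigned long) /home/i32g7900a/trees/mozilla-central/js/src/ds/LifoAlloc.cpp:28:15
    #3 0x594e41003e8f in js::LifoAlloc::newChunkWithCapacity(unsigned long, bool) /home/i32g7900a/trees/mozilla-central/js/src/ds/LifoAlloc.cpp:189:7
    #4 0x594e410042d9 in js::LifoAlloc::getOrCreateChunk(unsigned long) /home/i32g7900a/trees/mozilla-central/js/src/ds/LifoAlloc.cpp:221:30
    #5 0x594e4100451d in js::LifoAlloc::allocImplColdPath(unsigned long) /home/i32g7900a/trees/mozilla-central/js/src/ds/LifoAlloc.cpp:231:30
    #6 0x594e42696cf7 in js::LifoAlloc::allocImpl(unsigned long) /home/i32g7900a/trees/mozilla-central/js/src/ds/LifoAlloc.h:773:12
"""

# "Direct leak of N byte(s) in M object(s) allocated from:" (or "Indirect").
LEAK_HEADER = re.compile(
    r"^(?P<kind>Direct|Indirect) leak of (?P<bytes>\d+) byte\(s\) "
    r"in (?P<objects>\d+) object\(s\) allocated from:$"
)
# "#N 0xADDR in SYMBOL PATH:LINE[:COL]".  A C++ symbol may contain spaces
# (its parameter list); the path never does, so anchor on the trailing
# location instead of splitting on whitespace.
FRAME = re.compile(
    r"^\s*#(?P<index>\d+) 0x(?P<addr>[0-9a-f]+) in (?P<symbol>.+?) "
    r"(?P<path>\S+?):(?P<line>\d+)(?::(?P<col>\d+))?$"
)


@dataclass
class Frame:
    index: int
    symbol: str   # full symbol as printed, including any parameter list
    path: str
    line: int

    @property
    def function(self) -> str:
        # Qualified name without the C++ parameter list.
        return self.symbol.split("(", 1)[0]


@dataclass
class Leak:
    kind: str       # "Direct" or "Indirect"
    nbytes: int
    objects: int
    frames: list = field(default_factory=list)


def parse_lsan(text: str) -> list:
    """Return one Leak per 'leak of ...' record, each with its frames in order."""
    leaks = []
    for raw in text.splitlines():
        header = LEAK_HEADER.match(raw.strip())
        if header:
            leaks.append(Leak(header["kind"], int(header["bytes"]), int(header["objects"])))
            continue
        frame = FRAME.match(raw)
        if frame and leaks:
            leaks[-1].frames.append(
                Frame(int(frame["index"]), frame["symbol"], frame["path"], int(frame["line"]))
            )
    return leaks


def attribution_frame(leak: Leak):
    """Assumed heuristic: first frame that is not sanitizer runtime, not a raw
    allocation primitive and not a js::detail:: allocator internal."""
    for fr in leak.frames:
        if "/compiler-rt/" in fr.path:          # ASan/LSan interceptor (malloc)
            continue
        if fr.function.endswith("malloc"):      # js_arena_malloc and friends
            continue
        if fr.function.startswith("js::detail::"):
            continue
        return fr
    return None


def signature(leak: Leak) -> str:
    fr = attribution_frame(leak)
    return f"[@ {fr.function}]" if fr else "[@ ?]"


def total_leaked(leaks: list) -> int:
    return sum(leak.nbytes for leak in leaks)


if __name__ == "__main__":
    for leak in parse_lsan(LSAN_REPORT):
        print(f"{leak.kind} leak, {leak.nbytes} bytes in {leak.objects} object(s): {signature(leak)}")
```

For the report in this bug the script yields `[@ js::LifoAlloc::newChunkWithCapacity]`, which is the frame the bug title names; on other reports the skip list would need adjusting, and a frame-walking rule like this is only a triage aid, not a root-cause statement.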
Comment 1•9 months ago
The first bad revision is:
changeset: https://hg.mozilla.org/mozilla-central/rev/f4948f1d7709
user: Iain Ireland
date: Tue Jan 07 22:17:19 2025 +0000
summary: Bug 1935289: Compile baseline code offthread r=jandem
Iain, is bug 1935289 a likely regressor?
Comment 2•9 months ago
Set release status flags based on info from the regressing bug 1935289
Comment 8•9 months ago
:iain does this need a beta uplift request for Fx136 or should it ride the train with Fx137?
Comment 9•9 months ago
This is a memory leak that can only be triggered by a precisely timed OOM, in an experimental feature that is off by default. It can ride the trains.