Closed Bug 38942 Opened 24 years ago Closed 24 years ago

js_GC can lead to memory exhaustion when low on memory

Categories

(Core :: JavaScript Engine, defect, P3)

Product:
Core
Component:
JavaScript Engine
Platform:
x86
Windows 98
Type:
defect

Tracking

()

Status:
RESOLVED FIXED

People

(Reporter: cgn1234, Assigned: brendan)

References

Details

(Keywords: js1.5)

Attachments

(1 file)

small fix to finalize what we can each time the GC runs
720 bytes, patch
Details | Diff | Splinter Review 
From Bugzilla Helper:
User-Agent: Mozilla/4.0 (compatible; MSIE 5.01; Windows 98)
BuildID:    

Since the js_GC routine calls the same JS_ARENA_ALLOC as the rest of the code, 
it is most likely going to fail to allocate the memory it needs to perform the 
garbage collection if it is called after a failed memory allocation. The error 
handling when this happens is not freeing stuff, but it is forgetting about it. 
In my application this caused a major memory leak. My solution was to get a 
global state variable indicating I was in the garbage collector and have the 
lower level memory routines use a different pool while in the garbage collector.

Reproducible: Always
Steps to Reproduce:
Call the js_GC routine when the malloc routine can not allocate any more memory 
and there are items to be garbage collected.

Actual Results:  The items that would have been garbage collected are forgotten 
and the memory is leaked.

Expected Results:  The garbage collector would at least leave the items in a 
state where they could be garbage collected later. Ideally, memory would either 
be in reserve or come from a different pool so that the garbage collector would 
never fail due to low memory.
Needs to be assessed by developer; confirming.

Gerv
Status: UNCONFIRMED → NEW
Ever confirmed: true
Status: NEW → ASSIGNED
Reassigning to Patrick as per meeting; cc'ing Brendan
Assignee: rogerl → beard
Status: ASSIGNED → NEW
Status: NEW → ASSIGNED
I don't see how GC-things to be finalized, if there is an error allocating 
tempPool space from the malloc heap to hold the finalization records, are 
forgotten and permanently leaked.  Chris, can you say more?  The relevant 
allocation is at http://lxr.mozilla.org/mozilla/source/js/src/jsgc.c#1067, and 
if it fails, the GC goes to out, leaving the unswept/unfinalized garbage to be 
found by the next GC (if it doesn't run out of memory too).

Maybe that's the problem: you are counting on the JS GC to recover malloc space, 
and it's not finalizing what it could (the GC-things remembered by finalization 
records already allocated from tempPool, if any).  Attached is my patch to 
correct this pessimism.  Using a dedicated piece of memory to hold finalization 
records would do even better.

Patrick, I have other changes (js1.5 bugs on my list) coming here.  I'm happy to 
take it from you, if you like.

/be
Reassigning to brendan. Should this go into beta3?
Assignee: beard → brendan
Status: ASSIGNED → NEW
Keywords: nsbeta3
Yes, this should go into js1.5 final too; at least one Mozilla community member 
needs it now.

/be
Status: NEW → ASSIGNED
Keywords: js1.5
Target Milestone: --- → M18
The patch in bug 49816 fixes this bug too.

/be
Depends on: 49816
Summary: js_GC can cause a large memory leak when low on memory → js_GC can lead to memory exhaustion when low on memory
Fix is in -- I dropped the big one!

/be
Status: ASSIGNED → RESOLVED
Closed: 24 years ago
Resolution: --- → FIXED
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: