Closed Bug 389757 Opened 18 years ago Closed 18 years ago

leak nsSystemPrincipal running bloatcycle.html

Categories

(Core :: JavaScript Engine, defect)

Product:
Core
Component:
JavaScript Engine
Platform:
x86
Linux
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

()

Status:
RESOLVED FIXED

People

(Reporter: dbaron, Assigned: dbaron)

References

Details

(Keywords: memory-leak)

Attachments

(4 files, 1 obsolete file)

JS <-> nsTraceRefcnt debugging patch
13.19 KB, patch
Details | Diff | Splinter Review
full stacks of leaked JSPrincipals references (from find-comptr-leakers)
19.60 KB, text/plain; charset=UTF-8
Details
top of stacks where leaked JSScript objects were allocated
4.63 KB, text/plain; charset=UTF-8
Details
patch
6.16 KB, patch
igor
: review+
brendan
: approval1.9+
Details | Diff | Splinter Review
We leak an nsSystemPrincipal while running through bloatcycle.html, the leak test on tinderbox. This leak is due to an imbalance (of 2 references) between calls to JS_HoldPrincipals and JS_DropPrincipals. These two references are associated with two leaked objects for which we call js_NewScript but do not call js_DestroyScript. However, the function object for the function corresponding to these scripts do not appear to be leaked, since I see the exact same XPC_SHUTDOWN_HEAP_DUMP loading about:blank (which does not show the leak) and running bloatcycle.html (which does). Steps to reproduce: 1. create an empty directory (say, "deleteme") 2. run ./firefox -profile deleteme /path/to/mozilla/build/bloatcycle.html 3. when the notification comes down about popups, choose "Allow popups from" 4. go to about:config, and set dom.allow_scripts_to_close_windows to true 5. quit the browser 6. export XPCOM_MEM_LEAK_LOG=leak.log 7. run ./firefox -profile deleteme /path/to/mozilla/build/bloatcycle.html 8. after the browser closes, look at leak.log Actual results: an nsSystemPrincipal object has been leaked The 2 leaked JSScript objects are for: _createTabMenuItem in chrome://global/content/bindings/tabbrowser.xml _setBlockingState in chrome://global/content/bindings/notification.xml I checked in the debugger, and the JSFunction, with the leaked script, did make its way out to nsJSContext::CompileFunction. I'm not sure that this is a JS engine bug, but the fact that the function object doesn't show up in the leak log and yet the script was not destroyed suggests to me that it is.
Here's the debugging patch I used to determine a bunch of the above information. I've been keeping my JS <-> nsTraceRefcnt code in a single patch in my mq stack, but that patch got a good bit larger while debugging this, since I needed to add a new nsTraceRefcnt API, plus the logging for the reference counts of JS_HoldPrincipals and JS_DropPrincipals and the logging of JSScript creation and destruction.
Attached patch possible patch (obsolete) — Splinter Review
This fixes the leak. I was looking at the code, and it seemed odd to me that the destruction of the script was done in the function object's finalizer. That seemed to assume that the function would always be collected in the same GC as its function object. Apparently that wasn't the case here. My theory as to why is that the function object was in a newborn root (which fits with both of the methods leaked being the last method on the binding). So since JSFunction was the only user of GCX_PRIVATE, I changed it from GCX_PRIVATE to GCX_FUNCTION (which seems to be an assumption the tracing code already makes), and gave it a finalizer.
Attachment #274093 - Flags: review?(igor)
Comment on attachment 274093 [details] [diff] [review] possible patch Nit about bracing style (rarely, with a multiline if condition, the left brace goes on its own line, but the condition becomes one-line with this patch). /be
Comment on attachment 274093 [details] [diff] [review] possible patch The patch got it very right!
Attachment #274093 - Flags: review?(igor) → review+
Attached patch patchSplinter Review
This addresses brendan's bracing comment, fixes the comment in jsgc.c about the ordering of finalization, fixes a comment in nsXPConnect.cpp, and also pulls the comment change in js_NewFunction from igor's patch in bug 375808. I looked at the patch in bug 375808; this patch basically has the changes from that patch relating to separating the finalization but not the ones related to separating the marking or making the JSFunction mark its funobj.
Assignee: general → dbaron
Attachment #274093 - Attachment is obsolete: true
Status: NEW → ASSIGNED
Attachment #274114 - Flags: review?(igor)
Attachment #274114 - Flags: review?(igor) → review+
Comment on attachment 274114 [details] [diff] [review] patch This fixes a leak that can happen occasionally. It's not incredibly high frequency, but the patch is pretty simple and should be low risk.
Attachment #274114 - Flags: approval1.9?
Blocks: 375808
Attachment #274114 - Flags: approval1.9? → approval1.9+
Fix checked in to trunk.
Status: ASSIGNED → RESOLVED
Closed: 18 years ago
Resolution: --- → FIXED
Flags: in-testsuite-
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: