Bug 716115 - 56 bytes in 1 blocks are definitely lost at js::Vector with testcase as detected by Valgrind
Status: RESOLVED FIXED
Whiteboard: [js-triage-done][MemShrink:P2]
Keywords: testcase, valgrind
Product: Core
Classification: Components
Component: JavaScript Engine
Version: Trunk
Platform: x86_64 Linux
Importance: -- critical
Assigned To: Jeff Walden [:Waldo] (remove +bmo to email)
Blocks: jsfunfuzz
Reported: 2012-01-06 15:38 PST by Gary Kwong [:gkw] [:nth10sd]
Modified: 2012-01-27 12:03 PST

Attachments
stack (3.29 KB, text/plain)
2012-01-06 15:38 PST, Gary Kwong [:gkw] [:nth10sd]

Description Gary Kwong [:gkw] [:nth10sd] 2012-01-06 15:38:11 PST
Created attachment 586603: stack

f = function () {
    var a = ([] for each (x in #1=[#1#]));
}
f.toString()
quit()

Using js 64-bit opt shell on Ubuntu 11.10 64-bit, m-c changeset c7e27452a143, Valgrind (changeset 12325) detects that 56 (40 direct, 16 indirect) bytes in 1 blocks are definitely lost.

The quit() function is not needed if the testcase is passed in as a CLI argument.

(see the attached log)

I used:
valgrind --leak-check=full ./js
Comment 1 Gary Kwong [:gkw] [:nth10sd] 2012-01-12 15:17:58 PST
Using a similar command:

+(function () {
    (#3= {
        a: #3#
    }
    for (x in []))
})
quit()

causes a similar leak:

==12434== 56 (40 direct, 16 indirect) bytes in 1 blocks are definitely lost in loss record 2 of 4
==12434==    at 0x4C29313: malloc (vg_replace_malloc.c:263)
==12434==    by 0x4DAF20: Decompile(SprintStack*, unsigned char*, int) (Utility.h:135)
==12434==    by 0x4DE44C: DecompileCode(JSPrinter*, JSScript*, unsigned char*, unsigned int, unsigned int) (jsopcode.cpp:5410)
==12434==    by 0x4E06AC: js_DecompileFunction (jsopcode.cpp:5448)
==12434==    by 0x4D1A7F: js_DecompileToString (jsopcode.cpp:5468)
==12434==    by 0x41A27B: JS_DecompileFunction (jsapi.cpp:5286)
==12434==    by 0x45F448: fun_toStringHelper(JSContext*, JSObject*, unsigned int) [clone .part.203] (jsfun.cpp:1510)
==12434==    by 0x45FC4F: fun_toString(JSContext*, unsigned int, JS::Value*) (jsfun.cpp:1496)
==12434==    by 0x49C47F: js::InvokeKernel(JSContext*, js::CallArgs, js::MaybeConstruct) (jscntxtinlines.h:311)
==12434==    by 0x49CB0B: js::Invoke(JSContext*, JS::Value const&, JS::Value const&, unsigned int, JS::Value*, JS::Value*) (jsinterp.h:157)
==12434==    by 0x4B81D7: js::MaybeCallMethod(JSContext*, JSObject*, long, JS::Value*) (jsobj.cpp:6032)
==12434==    by 0x4B9C3C: js::DefaultValue(JSContext*, JSObject*, JSType, JS::Value*) (jsobj.cpp:6081)
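The "56 (40 direct, 16 indirect) bytes in 1 blocks" line that both reports above quote is Valgrind's accounting for one lost owner block whose only pointer to a second block was lost with it. As an added illustration (constructed for this page, not SpiderMonkey's js::Vector or decompiler code, with hypothetical names throughout), the C program below builds that shape, a 40-byte header owning a 16-byte storage block, and contrasts the leaky exit path with one that releases the owner:

```c
#include <stdint.h>
#include <stdlib.h>

/* Constructed stand-in for a heap-allocated growable buffer (not SpiderMonkey's js::Vector):
 * a 40-byte header (on LP64) that owns a separately malloc'd storage block. */
typedef struct {
    uint64_t length;
    uint64_t capacity;
    char    *storage;      /* the "indirect" block, reachable only through the header */
    uint64_t reserved[2];  /* padding so the header is exactly 40 bytes */
} Buffer;

/* Bytes currently allocated through the wrappers below: a stand-in for the
 * bookkeeping a leak checker does, so the functions can return a checkable number. */
static size_t live_bytes;
static void *tracked_malloc(size_t n) { void *p = malloc(n); if (p) live_bytes += n; return p; }
static void tracked_free(void *p, size_t n) { free(p); live_bytes -= n; }

static Buffer *buffer_new(uint64_t capacity) {
    Buffer *b = tracked_malloc(sizeof *b);           /* direct block: 40 bytes */
    if (!b) return NULL;
    b->storage = tracked_malloc(capacity);           /* indirect block: 16 bytes here */
    if (!b->storage) { tracked_free(b, sizeof *b); return NULL; }
    b->length = 0; b->capacity = capacity;
    return b;
}

static void buffer_free(Buffer *b) {
    tracked_free(b->storage, b->capacity);           /* child first, then owner */
    tracked_free(b, sizeof *b);
}

/* Leaky shape: the owning pointer goes out of scope without buffer_free().
 * Under valgrind --leak-check=full this is one record reading
 * "56 (40 direct, 16 indirect) bytes in 1 blocks are definitely lost". */
size_t render_leaky(void) {
    size_t before = live_bytes;
    Buffer *out = buffer_new(16);
    if (!out) return 0;
    return live_bytes - before;                      /* 56: header (40) + storage (16) */
}

/* Fixed shape: release the owner on the way out; it takes its storage with it. */
size_t render_fixed(void) {
    size_t before = live_bytes;
    Buffer *out = buffer_new(16);
    if (!out) return 0;
    buffer_free(out);
    return live_bytes - before;                      /* 0 */
}
```

Running the compiled program under `valgrind --leak-check=full` reproduces the one-record, two-block report shape; the header counts as direct loss because nothing else points at it, and its storage as indirect loss because it is reachable only through the lost header.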
Comment 2 Jeff Walden [:Waldo] (remove +bmo to email) 2012-01-27 12:03:21 PST
This was probably resolved by bug 566700, although bug 688891 could also plausibly have fixed it.
