Closed Bug 716115 Opened 13 years ago Closed 12 years ago

56 bytes in 1 blocks are definitely lost at js::Vector with testcase as detected by Valgrind

Categories

(Core :: JavaScript Engine, defect)

Product:
Core
Component:
JavaScript Engine
Platform:
x86_64
Linux
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
RESOLVED FIXED

People

(Reporter: gkw, Assigned: Waldo)

Details

(Keywords: testcase, valgrind, Whiteboard: [js-triage-done][MemShrink:P2])

Attachments

(1 file)

stack
3.29 KB, text/plain
Details
Attached file stack 
f = function () {
    var a = ([] for each (x in #1=[#1#]));
}
f.toString()
quit()

Using js 64-bit opt shell on Ubuntu 11.10 64-bit, m-c changeset c7e27452a143, Valgrind (changeset 12325) detects that 56 (40 direct, 16 indirect) bytes in 1 blocks are definitely lost.

The quit() function is not needed if the testcase is passed in as a CLI argument.

(see the attached log)

I used:
valgrind --leak-check=full ./js
Whiteboard: js-triage-needed → [js-triage-needed][MemShrink]
Assignee: general → jwalden+bmo
Whiteboard: [js-triage-needed][MemShrink] → [js-triage-needed][MemShrink:P2]
Using a similar command:

+(function () {
    (#3= {
        a: #3#
    }
    for (x in []))
})
quit()

causes a similar leak:

==12434== 56 (40 direct, 16 indirect) bytes in 1 blocks are definitely lost in loss record 2 of 4
==12434==    at 0x4C29313: malloc (vg_replace_malloc.c:263)
==12434==    by 0x4DAF20: Decompile(SprintStack*, unsigned char*, int) (Utility.h:135)
==12434==    by 0x4DE44C: DecompileCode(JSPrinter*, JSScript*, unsigned char*, unsigned int, unsigned int) (jsopcode.cpp:5410)
==12434==    by 0x4E06AC: js_DecompileFunction (jsopcode.cpp:5448)
==12434==    by 0x4D1A7F: js_DecompileToString (jsopcode.cpp:5468)
==12434==    by 0x41A27B: JS_DecompileFunction (jsapi.cpp:5286)
==12434==    by 0x45F448: fun_toStringHelper(JSContext*, JSObject*, unsigned int) [clone .part.203] (jsfun.cpp:1510)
==12434==    by 0x45FC4F: fun_toString(JSContext*, unsigned int, JS::Value*) (jsfun.cpp:1496)
==12434==    by 0x49C47F: js::InvokeKernel(JSContext*, js::CallArgs, js::MaybeConstruct) (jscntxtinlines.h:311)
==12434==    by 0x49CB0B: js::Invoke(JSContext*, JS::Value const&, JS::Value const&, unsigned int, JS::Value*, JS::Value*) (jsinterp.h:157)
==12434==    by 0x4B81D7: js::MaybeCallMethod(JSContext*, JSObject*, long, JS::Value*) (jsobj.cpp:6032)
==12434==    by 0x4B9C3C: js::DefaultValue(JSContext*, JSObject*, JSType, JS::Value*) (jsobj.cpp:6081)
This was probably resolved by bug 566700, although bug 688891 could also plausibly have fixed it.
Status: NEW → RESOLVED
Closed: 12 years ago
Resolution: --- → FIXED
Whiteboard: [js-triage-needed][MemShrink:P2] → [js-triage-done][MemShrink:P2]
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: