Bug 716115 - 56 bytes in 1 blocks are definitely lost at js::Vector with testcase as detected by Valgrind
Keywords: testcase, valgrind
Product: Core
Classification: Components
Component: JavaScript Engine
Version: Trunk
Platform: x86_64 Linux
Importance: -- critical
Target Milestone: ---
Assigned To: Jeff Walden [:Waldo] (remove +bmo to email)
QA Contact: Jason Orendorff [:jorendorff]
Depends on:
Blocks: jsfunfuzz
Reported: 2012-01-06 15:38 PST by Gary Kwong [:gkw] [:nth10sd]
Modified: 2012-01-27 12:03 PST
See Also:
Crash Signature:
QA Whiteboard:
Iteration: ---
Points: ---
Has Regression Range: ---
Has STR: ---

stack (3.29 KB, text/plain)
2012-01-06 15:38 PST, Gary Kwong [:gkw] [:nth10sd]

Description Gary Kwong [:gkw] [:nth10sd] 2012-01-06 15:38:11 PST
Created attachment 586603

f = function () {
    var a = ([] for each (x in #1=[#1#]));

Using js 64-bit opt shell on Ubuntu 11.10 64-bit, m-c changeset c7e27452a143, Valgrind (changeset 12325) detects that 56 (40 direct, 16 indirect) bytes in 1 blocks are definitely lost.

The quit() function is not needed if the testcase is passed in as a CLI argument.

(see the attached log)

I used:
valgrind --leak-check=full ./js
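To make the "56 (40 direct, 16 indirect) bytes in 1 blocks" wording concrete, here is an added example that is not code from this bug or from SpiderMonkey: a byte-counting allocator wrapped around a tiny heap-owning vector. The struct `vec`, the helpers `tracked_malloc`/`tracked_free` and the function `build_and_maybe_leak` are all constructed for this illustration, and the 40-byte owner size assumes LP64 (x86_64 Linux, as in the report). The leaky path drops the only pointer to the owner on an early return, so the owner is the directly lost block and its heap buffer, reachable through nothing else, is counted as indirect bytes under the same loss record.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Added example, not code from the bug or from SpiderMonkey: a byte-counting
 * allocator plus a tiny heap-owning vector, to show what Valgrind means by
 * "56 (40 direct, 16 indirect) bytes in 1 blocks are definitely lost".
 * Sizes assume LP64 (x86_64 Linux, the platform in the report). */

static size_t live_bytes = 0;   /* bytes handed out and not yet freed */

/* Stores the request size in a header so tracked_free can subtract it. */
static void *tracked_malloc(size_t n) {
    size_t *hdr = malloc(sizeof(size_t) + n);
    if (!hdr) return NULL;
    *hdr = n;
    live_bytes += n;
    return hdr + 1;
}

static void tracked_free(void *p) {
    if (!p) return;
    size_t *hdr = (size_t *)p - 1;
    live_bytes -= *hdr;
    free(hdr);
}

/* The owner: 8 + 8 + 8 + 16 = 40 bytes on LP64. Its only heap child is
 * `data`; if the owner is lost, `data` is reachable through nothing else and
 * Valgrind folds it into the owner's loss record as "indirect" bytes. */
struct vec {
    uint64_t len;
    uint64_t cap;
    char *data;       /* heap buffer of cap bytes: the indirect block */
    char name[16];    /* inline label, part of the direct block */
};

struct vec *vec_new(const char *name, uint64_t cap) {
    struct vec *v = tracked_malloc(sizeof *v);   /* 40 direct bytes */
    if (!v) return NULL;
    v->data = tracked_malloc(cap);               /* cap indirect bytes */
    if (!v->data) { tracked_free(v); return NULL; }
    v->len = 0;
    v->cap = cap;
    snprintf(v->name, sizeof v->name, "%s", name);
    return v;
}

/* Release the child before the owner; freeing only the owner would leave
 * `data` as a separate "definitely lost" block. */
void vec_free(struct vec *v) {
    if (!v) return;
    tracked_free(v->data);
    tracked_free(v);
}

/* Builds a 16-byte vector and either frees it or drops the only pointer on
 * an early return, the shape of leak seen in the report. Returns how many
 * heap bytes this call left live: 0 on the clean path, 56 on the leaky one
 * (40 direct + 16 indirect). */
size_t build_and_maybe_leak(int early_return) {
    size_t before = live_bytes;
    struct vec *v = vec_new("demo", 16);
    if (!v) return 0;
    if (early_return)
        return live_bytes - before;   /* BUG: v goes out of scope unfreed */
    vec_free(v);
    return live_bytes - before;
}

int main(void) {
    printf("clean path leaves %zu bytes live\n", build_and_maybe_leak(0));
    printf("early return leaves %zu bytes live\n", build_and_maybe_leak(1));
    return 0;
}
```

Valgrind says "in 1 blocks" because it counts the root block and lists the child buffer as indirect bytes of that same record; the tracker above simply sums both. If you run this program itself under `valgrind --leak-check=full`, expect 48 direct and 24 indirect bytes instead, because the 8-byte size header that `tracked_malloc` prepends is part of each real allocation.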
Comment 1 Gary Kwong [:gkw] [:nth10sd] 2012-01-12 15:17:58 PST
Using a similar command:

+(function () {
    (#3= {
        a: #3#
    for (x in []))

causes a similar leak:

==12434== 56 (40 direct, 16 indirect) bytes in 1 blocks are definitely lost in loss record 2 of 4
==12434==    at 0x4C29313: malloc (vg_replace_malloc.c:263)
==12434==    by 0x4DAF20: Decompile(SprintStack*, unsigned char*, int) (Utility.h:135)
==12434==    by 0x4DE44C: DecompileCode(JSPrinter*, JSScript*, unsigned char*, unsigned int, unsigned int) (jsopcode.cpp:5410)
==12434==    by 0x4E06AC: js_DecompileFunction (jsopcode.cpp:5448)
==12434==    by 0x4D1A7F: js_DecompileToString (jsopcode.cpp:5468)
==12434==    by 0x41A27B: JS_DecompileFunction (jsapi.cpp:5286)
==12434==    by 0x45F448: fun_toStringHelper(JSContext*, JSObject*, unsigned int) [clone .part.203] (jsfun.cpp:1510)
==12434==    by 0x45FC4F: fun_toString(JSContext*, unsigned int, JS::Value*) (jsfun.cpp:1496)
==12434==    by 0x49C47F: js::InvokeKernel(JSContext*, js::CallArgs, js::MaybeConstruct) (jscntxtinlines.h:311)
==12434==    by 0x49CB0B: js::Invoke(JSContext*, JS::Value const&, JS::Value const&, unsigned int, JS::Value*, JS::Value*) (jsinterp.h:157)
==12434==    by 0x4B81D7: js::MaybeCallMethod(JSContext*, JSObject*, long, JS::Value*) (jsobj.cpp:6032)
==12434==    by 0x4B9C3C: js::DefaultValue(JSContext*, JSObject*, JSType, JS::Value*) (jsobj.cpp:6081)
Comment 2 Jeff Walden [:Waldo] (remove +bmo to email) 2012-01-27 12:03:21 PST
This was probably resolved by bug 566700, although bug 688891 could also plausibly have fixed it.
