Closed Bug 735900 Opened 12 years ago Closed 12 years ago

Leak in Decompile with genexp (detected by Valgrind)

Categories

(Core :: JavaScript Engine, defect)

defect
Not set
critical

RESOLVED WORKSFORME

People

(Reporter: gkw, Unassigned)

Details

(Keywords: regression, testcase, valgrind, Whiteboard: js-triage-needed)

Attachments

(1 file)

Attached file Valgrind stack

f = function() {
    var s = "";
    ([] for each(r in s))
}
if ("" == f) {}

when run with Valgrind using:

valgrind --leak-check=full ./js testcase.js

shows a leak of 48 bytes in 1 block.

autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset:   72349:b79cf02287c6
user:        Jeff Walden
date:        Fri Jun 24 18:03:04 2011 -0700
summary:     Bug 646574 - dis() is broken when the function being disassembled has upvars.  r=mrbkap

Not sure if autoBisect is entirely correct or not, though.

Definitely reproduces on Mac OS X 10.7 as well:

==17994== 48 (40 direct, 8 indirect) bytes in 1 blocks are definitely lost in loss record 313 of 695
==17994==    at 0xC743: malloc (vg_replace_malloc.c:266)
==17994==    by 0x1000B0CD9: Decompile(SprintStack*, unsigned char*, int) (Utility.h:173)
==17994==    by 0x1000A6776: DecompileCode(JSPrinter*, JSScript*, unsigned char*, unsigned int, unsigned int) (jsopcode.cpp:5459)
==17994==    by 0x1000A510F: js_DecompileFunction (jsopcode.cpp:5497)
==17994==    by 0x1000A4B78: js_DecompileToString (jsopcode.cpp:5517)
==17994==    by 0x1000189E7: JS_DecompileFunction (jsapi.cpp:5266)
==17994==    by 0x100049082: fun_toStringHelper(JSContext*, JSObject*, unsigned int) (jsfun.cpp:1175)
==17994==    by 0x10004991B: fun_toString(JSContext*, unsigned int, JS::Value*) (jsfun.cpp:1208)
==17994==    by 0x10007A772: js::InvokeKernel(JSContext*, js::CallArgs, js::MaybeConstruct) (jscntxtinlines.h:314)
==17994==    by 0x10007AA36: js::Invoke(JSContext*, JS::Value const&, JS::Value const&, unsigned int, JS::Value*, JS::Value*) (Stack.h:300)
==17994==    by 0x10009AE55: js::DefaultValue(JSContext*, JSObject*, JSType, JS::Value*) (jsobj.cpp:5783)
==17994==    by 0x10007B32D: js::LooselyEqual(JSContext*, JS::Value const&, JS::Value const&, bool*) (jsobjinlines.h:148)

OS: Linux → All
Hardware: x86_64 → All
Summary: 48 bytes in 1 blocks are definitely lost as detected by Valgrind → Leak in Decompile with genexp (detected by Valgrind)
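
When triaging a report like this one, a Valgrind loss record can be reduced to its byte counts and its first non-allocator frame, which here is the function the revised summary names (Decompile). This is an added example, not part of the bug report or of Mozilla's tooling; the names parse_leaks and signature and the allocator list are assumptions made for illustration.

```python
import re

# Loss record copied from the report above (first five lines), embedded so this runs offline.
SAMPLE = """\
==17994== 48 (40 direct, 8 indirect) bytes in 1 blocks are definitely lost in loss record 313 of 695
==17994==    at 0xC743: malloc (vg_replace_malloc.c:266)
==17994==    by 0x1000B0CD9: Decompile(SprintStack*, unsigned char*, int) (Utility.h:173)
==17994==    by 0x1000A6776: DecompileCode(JSPrinter*, JSScript*, unsigned char*, unsigned int, unsigned int) (jsopcode.cpp:5459)
==17994==    by 0x1000A510F: js_DecompileFunction (jsopcode.cpp:5497)
"""

HEADER = re.compile(
    r"^==\d+== ([\d,]+) (?:\(([\d,]+) direct, ([\d,]+) indirect\) )?bytes in "
    r"([\d,]+) blocks are (definitely|indirectly|possibly) lost in loss record")
FRAME = re.compile(r"^==\d+==\s+(?:at|by) 0x[0-9A-Fa-f]+: (.+?) \(([^()]*)\)\s*$")
# Assumed allocator entry points to skip when naming a leak; extend per project.
ALLOCATORS = {"malloc", "calloc", "realloc", "memalign", "posix_memalign",
              "operator new", "operator new[]"}

def _num(s):
    return int(s.replace(",", "")) if s else None  # Valgrind prints 1,024 style

def parse_leaks(text):
    """Return one dict per loss record: sizes, kind and (function, location) frames."""
    leaks, cur = [], None
    for line in text.splitlines():
        h, f = HEADER.match(line), FRAME.match(line)
        if h:
            cur = {"bytes": _num(h.group(1)), "direct": _num(h.group(2)),
                   "indirect": _num(h.group(3)), "blocks": _num(h.group(4)),
                   "kind": h.group(5), "frames": []}
            leaks.append(cur)
        elif f and cur is not None:
            cur["frames"].append((f.group(1), f.group(2)))
        elif not f:
            cur = None  # any other line (e.g. bare "==pid==") ends the record
    return leaks

def signature(leak):
    """First frame that is not an allocator, with its argument list removed."""
    for func, _loc in leak["frames"]:
        name = func if func.startswith("(") else func.split("(", 1)[0]
        if name not in ALLOCATORS:
            return name
    return "<unknown>"

if __name__ == "__main__":
    for leak in parse_leaks(SAMPLE):
        print(leak["kind"], leak["bytes"], "bytes ->", signature(leak))
```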

Fixed by bug 730497.

autoBisect shows this is probably related to the following changeset:

The first good revision is:
changeset:   89503:b882ebfeb90b
user:        Luke Wagner
date:        Mon Feb 27 23:49:02 2012 -0800
summary:     Bug 730497 - rm flat closures (r=bhackett,waldo)

Status: NEW → RESOLVED
Closed: 12 years ago
Resolution: --- → FIXED

> Fixed by bug 730497.
> 
> autoBisect shows this is probably related to the following changeset:

I take that back, autoBisect lied this time, but WFM nonetheless.

Resolution: FIXED → WORKSFORME