Leak in Decompile with genexp (detected by Valgrind)

RESOLVED WORKSFORME

Status


Core
JavaScript Engine
--
critical
6 years ago
6 years ago

People

(Reporter: gkw, Unassigned)

Tracking

(Blocks: 1 bug, {regression, testcase, valgrind})

Trunk

Firefox Tracking Flags

(Not tracked)

Details

(Whiteboard: js-triage-needed)

Attachments

(1 attachment)

(Reporter)

Description

6 years ago
Created attachment 606005
Valgrind stack

f = function() {
    var s = "";
    ([] for each(r in s))
}
if ("" == f) {}

when run with Valgrind using:

valgrind --leak-check=full ./js testcase.js

shows a leak of 48 bytes in 1 block.

autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset:   72349:b79cf02287c6
user:        Jeff Walden
date:        Fri Jun 24 18:03:04 2011 -0700
summary:     Bug 646574 - dis() is broken when the function being disassembled has upvars.  r=mrbkap
(Reporter)

Comment 1

6 years ago
Not sure if autoBisect is entirely correct or not, though.
(Reporter)

Comment 2

6 years ago
Definitely reproduces on Mac OS X 10.7 as well:

==17994== 48 (40 direct, 8 indirect) bytes in 1 blocks are definitely lost in loss record 313 of 695
==17994==    at 0xC743: malloc (vg_replace_malloc.c:266)
==17994==    by 0x1000B0CD9: Decompile(SprintStack*, unsigned char*, int) (Utility.h:173)
==17994==    by 0x1000A6776: DecompileCode(JSPrinter*, JSScript*, unsigned char*, unsigned int, unsigned int) (jsopcode.cpp:5459)
==17994==    by 0x1000A510F: js_DecompileFunction (jsopcode.cpp:5497)
==17994==    by 0x1000A4B78: js_DecompileToString (jsopcode.cpp:5517)
==17994==    by 0x1000189E7: JS_DecompileFunction (jsapi.cpp:5266)
==17994==    by 0x100049082: fun_toStringHelper(JSContext*, JSObject*, unsigned int) (jsfun.cpp:1175)
==17994==    by 0x10004991B: fun_toString(JSContext*, unsigned int, JS::Value*) (jsfun.cpp:1208)
==17994==    by 0x10007A772: js::InvokeKernel(JSContext*, js::CallArgs, js::MaybeConstruct) (jscntxtinlines.h:314)
==17994==    by 0x10007AA36: js::Invoke(JSContext*, JS::Value const&, JS::Value const&, unsigned int, JS::Value*, JS::Value*) (Stack.h:300)
==17994==    by 0x10009AE55: js::DefaultValue(JSContext*, JSObject*, JSType, JS::Value*) (jsobj.cpp:5783)
==17994==    by 0x10007B32D: js::LooselyEqual(JSContext*, JS::Value const&, JS::Value const&, bool*) (jsobjinlines.h:148)
OS: Linux → All
Hardware: x86_64 → All
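The loss record quoted in this comment is the form of output a fuzzing harness has to triage without a human reading it: the header line carries the byte counts and leak kind, the indented `at`/`by` lines carry the allocation stack. The following Python is an added example, not part of this bug or of SpiderMonkey: a parser for Valgrind `--leak-check=full` loss records, a filter that keeps only "definitely lost" records (the ones worth failing a run on), and a signature function for de-duplicating the same leak across runs and revisions. The embedded log is constructed: its first record is the trace from this comment cut to four frames, and its second record, `ConstructedHelper`, is invented to show that a "still reachable" record is dropped by the filter.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Constructed sample log. The first record is the loss record quoted in
# Comment 2 of this bug (truncated to its top four frames); the second record
# and its frames are made up here to show that non-definite kinds are filtered.
SAMPLE_LOG = """\
==17994== 48 (40 direct, 8 indirect) bytes in 1 blocks are definitely lost in loss record 313 of 695
==17994==    at 0xC743: malloc (vg_replace_malloc.c:266)
==17994==    by 0x1000B0CD9: Decompile(SprintStack*, unsigned char*, int) (Utility.h:173)
==17994==    by 0x1000A6776: DecompileCode(JSPrinter*, JSScript*, unsigned char*, unsigned int, unsigned int) (jsopcode.cpp:5459)
==17994==    by 0x1000A510F: js_DecompileFunction (jsopcode.cpp:5497)
==17994==
==17994== 16 bytes in 1 blocks are still reachable in loss record 12 of 695
==17994==    at 0xC743: malloc (vg_replace_malloc.c:266)
==17994==    by 0x100001234: ConstructedHelper (constructed.cpp:1)
==17994==
==17994== LEAK SUMMARY:
==17994==    definitely lost: 40 bytes in 1 blocks
"""

# "==PID== 48 (40 direct, 8 indirect) bytes in 1 blocks are definitely lost in loss record 313 of 695"
# The "(N direct, M indirect)" group is only printed when indirect bytes exist.
HEADER_RE = re.compile(
    r"^==(?P<pid>\d+)== (?P<total>\d+) "
    r"(?:\((?P<direct>\d+) direct, (?P<indirect>\d+) indirect\) )?"
    r"bytes in (?P<blocks>\d+) blocks are "
    r"(?P<kind>definitely lost|indirectly lost|possibly lost|still reachable)"
    r" in loss record (?P<rec>\d+) of (?P<nrecs>\d+)$"
)
# "==PID==    by 0x1000B0CD9: Decompile(SprintStack*, unsigned char*, int) (Utility.h:173)"
# The function may itself contain parentheses, so the location is the last "(...)" on the line.
FRAME_RE = re.compile(
    r"^==\d+==\s+(?:at|by) 0x[0-9A-Fa-f]+: (?P<func>.+?) \((?P<loc>[^()]*)\)$"
)
# A bare "==PID==" line ends the current record.
END_RE = re.compile(r"^==\d+==\s*$")


@dataclass
class LossRecord:
    pid: int
    kind: str
    total_bytes: int
    direct_bytes: int
    indirect_bytes: int
    blocks: int
    record: int
    frames: List[Tuple[str, str]] = field(default_factory=list)  # (function, location), innermost first


def parse_loss_records(text: str) -> List[LossRecord]:
    """Turn a --leak-check=full report into structured loss records."""
    records: List[LossRecord] = []
    current: Optional[LossRecord] = None
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            total = int(m["total"])
            # Without the "(direct, indirect)" group everything counted is direct.
            direct = int(m["direct"]) if m["direct"] else total
            indirect = int(m["indirect"]) if m["indirect"] else 0
            current = LossRecord(int(m["pid"]), m["kind"], total, direct, indirect,
                                 int(m["blocks"]), int(m["rec"]))
            records.append(current)
            continue
        fm = FRAME_RE.match(line)
        if fm and current is not None:
            current.frames.append((fm["func"], fm["loc"]))
        elif END_RE.match(line):
            current = None
    return records


def definite_leaks(records: List[LossRecord], min_bytes: int = 1) -> List[LossRecord]:
    """The records a CI gate should fail on: definitely lost, at least min_bytes."""
    return [r for r in records if r.kind == "definitely lost" and r.total_bytes >= min_bytes]


def leak_signature(rec: LossRecord, depth: int = 3) -> str:
    """Stable key for de-duplicating one leak across fuzz runs and revisions: the
    leak kind plus the top `depth` function names below Valgrind's malloc
    replacement, with argument lists and line numbers dropped since those drift."""
    names = [func.split("(")[0] for func, loc in rec.frames if "vg_replace_malloc" not in loc]
    return rec.kind + " @ " + " <- ".join(names[:depth])


if __name__ == "__main__":
    for rec in definite_leaks(parse_loss_records(SAMPLE_LOG)):
        print(f"{rec.total_bytes} bytes ({rec.direct_bytes} direct) in {rec.blocks} block(s): "
              f"{leak_signature(rec)}")
```

On the sample this reports the single 48-byte record with the signature `definitely lost @ Decompile <- DecompileCode <- js_DecompileFunction`, which is the key a bisection or fuzzing dashboard would use to recognise the same leak again regardless of the `jsopcode.cpp` line numbers moving between revisions. Feeding it real output means running `valgrind --leak-check=full` with its report captured to a file; Valgrind's own `--error-exitcode` option is the simpler gate when only a pass/fail verdict is needed, but it does not give the per-leak identity used for de-duplication here.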

Updated

6 years ago
Summary: 48 bytes in 1 blocks are definitely lost as detected by Valgrind → Leak in Decompile with genexp (detected by Valgrind)
(Reporter)

Comment 3

6 years ago
Fixed by bug 730497.

autoBisect shows this is probably related to the following changeset:

The first good revision is:
changeset:   89503:b882ebfeb90b
user:        Luke Wagner
date:        Mon Feb 27 23:49:02 2012 -0800
summary:     Bug 730497 - rm flat closures (r=bhackett,waldo)
Status: NEW → RESOLVED
Last Resolved: 6 years ago
Resolution: --- → FIXED
(Reporter)

Comment 4

6 years ago
> Fixed by bug 730497.
> 
> autoBisect shows this is probably related to the following changeset:

I take that back, autoBisect lied this time, but WFM nonetheless.
Resolution: FIXED → WORKSFORME