Bug 737573 - Valgrind detects leak at Malloc, js::SaveScriptFilename (8 bytes in 1 blocks are definitely lost)
Keywords: testcase, valgrind
Product: Core
Classification: Components
Component: JavaScript Engine
Version: Trunk
Platform: x86_64 Linux
Priority: --, Severity: critical
Target Milestone: mozilla14
Assigned To: Bill McCloskey (:billm)
: Jason Orendorff [:jorendorff]
Blocks: jsfunfuzz
Reported: 2012-03-20 12:10 PDT by Gary Kwong [:gkw] [:nth10sd]
Modified: 2012-03-24 13:40 PDT

Attachment 607752: fix (6.12 KB, patch), 2012-03-20 15:58 PDT, Bill McCloskey (:billm), igor: review+

Description, Gary Kwong [:gkw] [:nth10sd], 2012-03-20 12:10:22 PDT
function a(b) {
  f = Function("\
    c = ArrayBuffer();\
    c.toSource = (function(){ gc() });\
    <x/> ? '' : \"\"\
  try {
    evalcx(b, newGlobal("new-compartment"))
  } catch (e) {};

throws up a Valgrind error in js debug shell on m-c changeset c22568c8cf0e with -m.

==23137== 8 bytes in 1 blocks are definitely lost in loss record 1 of 3
==23137==    at 0x4C29313: malloc (vg_replace_malloc.c:263)
==23137==    by 0x506A0E: js::SaveScriptFilename(JSContext*, char const*) (Utility.h:173)
==23137==    by 0x50827F: JSScript::NewScriptFromEmitter(JSContext*, js::BytecodeEmitter*) (jsscript.cpp:1196)
==23137==    by 0x586B0B: js::frontend::CompileScript(JSContext*, JSObject*, js::StackFrame*, JSPrincipals*, JSPrincipals*, unsigned int, unsigned short const*, unsigned long, char const*, unsigned int, JSVersion, JSString*, unsigned int) (BytecodeCompiler.cpp:327)
==23137==    by 0x419D09: JS_EvaluateUCScriptForPrincipals (jsapi.cpp:5260)
==23137==    by 0x419F64: JS_EvaluateUCScript (jsapi.cpp:5311)
==23137==    by 0x4055BD: EvalInContext(JSContext*, unsigned int, JS::Value*) (js.cpp:2683)
==23137==    by 0x49FB20: js::InvokeKernel(JSContext*, js::CallArgs, js::MaybeConstruct) (jscntxtinlines.h:314)
==23137==    by 0x4999C4: js::Interpret(JSContext*, js::StackFrame*, js::InterpMode) (jsinterp.cpp:2685)
==23137==    by 0x4A0680: js::Execute(JSContext*, JSScript*, JSObject&, JS::Value*) (jsinterp.cpp:667)
==23137==    by 0x41A67A: JS_ExecuteScript (jsapi.cpp:5232)
==23137==    by 0x409015: Process(JSContext*, JSObject*, char const*, bool) (js.cpp:581)
Comment 1, Gary Kwong [:gkw] [:nth10sd], 2012-03-20 12:11:27 PDT
I used:

valgrind --leak-check=full --smc-check=all-non-file ./js -m testcase.js

Tested in 64-bit shell in Ubuntu.
Comment 2, Bill McCloskey (:billm), 2012-03-20 12:24:01 PDT
This looks like a bug reported earlier for script filenames that I couldn't reproduce. This one does reproduce for me.
Comment 3, Gary Kwong [:gkw] [:nth10sd], 2012-03-20 14:47:49 PDT
Not sure if it's related to bug 668095 (which merely added the -m flag, possibly):

autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset:   73054:b1923b866d6a
user:        Chris Leary
date:        Tue Jul 19 16:37:09 2011 -0700
summary:     Bug 668095 - Write a proper option parser for SpiderMonkey CLI. (r=dvander)
Comment 4, Bill McCloskey (:billm), 2012-03-20 15:58:44 PDT
Created attachment 607752 (fix)

Here's what happened:
- gcKeepAtoms was set
- We did a GC and swept all the objects in a compartment
- We deleted the compartment

Since js_SweepScriptFilenames saves filenames when gcKeepAtoms is true, we leaked the script filename in this case.
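The sequence in comment 4 can be replayed in a small model. The code below is an added illustration, not SpiderMonkey source: the per-compartment filename table, the gcKeepAtoms flag, the sweep that honours it, and the releaseAll parameter are all invented stand-ins for the real structures, and the "fixed" teardown path is an assumed shape of a fix (release every entry when the compartment itself goes away), not the patch attached to this bug. The counter it returns plays the role of Valgrind's "definitely lost" count: the only code that ever frees a saved filename is the sweep, so a flag that makes the sweep keep everything turns compartment deletion into a leak.

```c
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical model of a compartment's script-filename table (not SpiderMonkey code). */
#define MAX_FILENAMES 16

typedef struct {
    char *name;     /* malloc'd copy of the filename, as in the Valgrind record */
    bool  marked;   /* set by the mark phase when a live script still references it */
} FilenameEntry;

typedef struct {
    FilenameEntry table[MAX_FILENAMES];
    size_t count;
} Compartment;

typedef struct {
    bool   gcKeepAtoms;        /* stand-in for the runtime's gcKeepAtoms */
    size_t outstandingBlocks;  /* filename copies allocated but not yet freed */
} Runtime;

static char *dup_filename(Runtime *rt, const char *fn) {
    size_t n = strlen(fn) + 1;
    char *p = malloc(n);
    if (!p) abort();
    memcpy(p, fn, n);
    rt->outstandingBlocks++;
    return p;
}

static void free_filename(Runtime *rt, FilenameEntry *e) {
    free(e->name);
    e->name = NULL;
    rt->outstandingBlocks--;
}

/* Model of SaveScriptFilename: intern one copy per distinct name in the compartment. */
static const char *save_script_filename(Runtime *rt, Compartment *c, const char *fn) {
    for (size_t i = 0; i < c->count; i++)
        if (strcmp(c->table[i].name, fn) == 0)
            return c->table[i].name;
    if (c->count == MAX_FILENAMES) return NULL;
    FilenameEntry *e = &c->table[c->count++];
    e->name = dup_filename(rt, fn);
    e->marked = false;
    return e->name;
}

/* Model of js_SweepScriptFilenames. With gcKeepAtoms set, every entry survives
 * (only the marks are cleared); otherwise unmarked entries are freed. releaseAll
 * is the hypothetical escape hatch for teardown: free everything regardless. */
static void sweep_script_filenames(Runtime *rt, Compartment *c, bool releaseAll) {
    size_t kept = 0;
    for (size_t i = 0; i < c->count; i++) {
        FilenameEntry *e = &c->table[i];
        bool keep = !releaseAll && (rt->gcKeepAtoms || e->marked);
        if (keep) {
            e->marked = false;
            c->table[kept++] = *e;   /* compact survivors in place */
        } else {
            free_filename(rt, e);
        }
    }
    c->count = kept;
}

/* Compartment teardown. The buggy variant runs the ordinary sweep, which honours
 * gcKeepAtoms and so frees nothing; the compartment struct is then freed and the
 * copies become unreachable: "definitely lost". The fixed variant releases all. */
static void destroy_compartment(Runtime *rt, Compartment *c, bool fixed) {
    sweep_script_filenames(rt, c, /* releaseAll = */ fixed);
    free(c);
}

/* Replays the three steps from comment 4 and returns the number of leaked blocks. */
size_t replay_leak(bool keepAtoms, bool fixed) {
    Runtime rt = { .gcKeepAtoms = false, .outstandingBlocks = 0 };
    Compartment *c = calloc(1, sizeof *c);
    if (!c) abort();

    save_script_filename(&rt, c, "testcase.js");   /* constructed input, one 12-byte block */

    rt.gcKeepAtoms = keepAtoms;                    /* 1. gcKeepAtoms was set            */
    sweep_script_filenames(&rt, c, false);         /* 2. GC swept the compartment's     */
                                                   /*    objects: no script marks it    */
    destroy_compartment(&rt, c, fixed);            /* 3. the compartment was deleted    */

    return rt.outstandingBlocks;
}

int main(void) {
    printf("gcKeepAtoms, buggy teardown: %zu block(s) lost\n", replay_leak(true, false));
    printf("gcKeepAtoms, release-all teardown: %zu block(s) lost\n", replay_leak(true, true));
    printf("no gcKeepAtoms, buggy teardown: %zu block(s) lost\n", replay_leak(false, false));
    return 0;
}
```

The third case shows why the earlier report mentioned in comment 2 was hard to reproduce: without gcKeepAtoms the normal sweep already frees the unmarked entry, so the leak only appears when something holds atoms across the GC that precedes compartment deletion.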
Comment 6, Ed Morley [:emorley], 2012-03-24 13:40:55 PDT
