Open Bug 985972 Opened 6 years ago Updated 6 years ago

Memory leak parsing RegExp

Categories: Core :: JavaScript Engine, defect, critical
Version: 28 Branch
Hardware: x86_64, Windows 7
Type: defect
Priority: Not set
Severity: critical

Reporter: mr.starix, Unassigned

Attachments: 2 files

User Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:28.0) Gecko/20100101 Firefox/28.0 (Beta/Release)
Build ID: 20140314220517

Steps to reproduce:

<HTML>
<HEAD>
<TITLE>Firefox 27.0.1 and Safari 7.0.2 (9537.74.9)</TITLE>
</HEAD>
<BODY BGCOLOR="#FFFFFF">
<SCRIPT type="text/javascript">
var patt1=new RegExp("((.*)(((((((((((((((((((((((((((((((.*(.*(.*(.*(.*(.*(.*(.*(.*(.*(.*(.*(.*(.*(.*(.*(.*(.*(.*(.*(.*(.*(.*(.*(.*(.*(.*(.*(.*(.*(.*){10}(.*){10}(.*){10}(.*){10}(.*){10}(.*){10}(.*){10}(.*){10}(.*){10}(.*){10}(.*){10}(.*){10}(.*){10}(.*){10}(.*){10}(.*){10}(.*){10}(.*){10}(.*){10}(.*){10}(.*){10}(.*){10}(.*){10}(.*){10}(.*){10}(.*){10}(.*){10}(.*){10}(.*){10}(.*){10}.*)+).*)+).*)+).*)+).*)+).*)+).*)+).*)+).*)+).*)+).*)+).*)+).*)+).*)+).*)+).*)+).*)+).*)+).*)+).*)+).*)+).*)+).*)+).*)+).*)+).*)+).*)+).*)+).*)+).*)+))");
document.write(patt1.exec("peace"));
</SCRIPT>
</BODY>
</HTML>


Actual results:

Memory leak and force close in Firefox 28.0
Severity: normal → critical
Crashed as bp-a209bf6d-47e3-43a0-ad77-bfb292140405.
Status: UNCONFIRMED → NEW
Ever confirmed: true
Attached file regexp-leak-sample.txt
Reproduces in current Nightly. Memory usage jumped to about 2.5GB for the Firefox process and 8GB for the kernel_task process immediately and then slowly grew until I killed the browser at about 15GB of total usage.

Attached is a sample of the process from maybe a minute or two into things. Unsurprisingly, all time is spent under Yarr.

To find out whether this is a problem with our usage of Yarr or with Yarr itself, I ran the test case in Safari: same results, memory usage exploded and the browser froze. (Oh, I just see the <title> in the test case. Is this reported for webkit, already?)

The regexp is pretty hard on all browsers, it seems: Chrome (release and Canary) don't leak memory, but the process in which the test case runs freezes.
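As an added example (not code from the bug report or from Mozilla's Yarr), a small star-height lint in JavaScript that a site can run over a pattern before handing it to the engine: it reports how deeply unbounded quantifiers nest, which is the shape the test case shares with the classic (a+)+, only with (.*){10} blocks wrapped in thirty-odd (...)+ groups. The function names and the review threshold of two are assumptions; it is a screen, not a proof, since it ignores bounded {n} repetition.

```javascript
// Returns {len, unbounded} for a quantifier starting at src[i], or null when
// there is none. Unbounded means * + or {n,}; ? {n} and {n,m} are bounded.
function quantifierAt(src, i) {
  const c = src[i];
  if (c === '*' || c === '+') return { len: 1, unbounded: true };
  if (c === '?') return { len: 1, unbounded: false };
  const m = /^\{\d+(,(\d*))?\}/.exec(src.slice(i));
  if (!m) return null;
  return { len: m[0].length, unbounded: m[2] === '' }; // {n,} has no upper bound
}

// Star height: deepest nesting of unbounded quantifiers, e.g. a+ -> 1,
// (a+)+ -> 2, (.*(.*){10}.*)+ -> 2. Bounded {n} groups are skipped, so the
// bug's (.*){10} blocks only count through the (...)+ groups wrapped around them.
function starHeight(source) {
  const stack = [];                  // open-paren indices of groups still open
  const unboundedGroups = new Set(); // open indices of groups quantified by * + {n,}
  const events = [];                 // each quantified token with its enclosing groups
  let i = 0;
  while (i < source.length) {
    const c = source[i];
    let closed = null;               // open index when this token closes a group
    if (c === '(') { stack.push(i); i++; if (source[i] === '?') i += 2; continue; }
    if (c === ')') { closed = stack.pop(); i++; }
    else if (c === '|' || c === '^' || c === '$') { i++; continue; }
    else if (c === '\\') { i += 2; }   // escaped char is a single atom
    else if (c === '[') {              // character class is a single atom
      i++;
      while (i < source.length && source[i] !== ']') i += source[i] === '\\' ? 2 : 1;
      i++;
    } else { i++; }
    const q = quantifierAt(source, i);
    if (!q) continue;
    i += q.len;
    if (source[i] === '?') i++;        // lazy modifier, same repetition bound
    if (closed != null && q.unbounded) unboundedGroups.add(closed);
    events.push({ unbounded: q.unbounded, enclosing: stack.slice() });
  }
  return events.reduce((height, e) => {
    if (!e.unbounded) return height;
    return Math.max(height, 1 + e.enclosing.filter(g => unboundedGroups.has(g)).length);
  }, 0);
}

// Height two or more is the catastrophic-backtracking shape; treat such patterns
// as needing review (or a non-backtracking engine) before they run on untrusted input.
function isBacktrackingRisk(source) { return starHeight(source) >= 2; }
```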