Bug 141612

Summary: RenderMultiColumnSpannerPlaceholder leaks seen on leaks bot
Product: WebKit Reporter: Joseph Pecoraro <joepeck>
Component: WebCore Misc.Assignee: Nobody <webkit-unassigned>
Status: NEW ---    
Severity: Normal CC: ap, darin, ddkilzer, hyatt, joepeck, kling, zalan
Priority: P2    
Version: 528+ (Nightly build)   
Hardware: Unspecified   
OS: Unspecified   
See Also: https://bugs.webkit.org/show_bug.cgi?id=140899
https://bugs.webkit.org/show_bug.cgi?id=137273

Description Joseph Pecoraro 2015-02-14 18:25:38 PST 
* SUMMARY
RenderMultiColumnSpannerPlaceholder leaks seen on leaks bot:
https://build.webkit.org/builders/Apple%20Yosemite%20%28Leaks%29/builds/325

Not sure exactly which tests, but it looks like these are only created in one way.

Leak: 0x7fcf42c972b0  size=96  zone: DefaultMallocZone_0x100528000
	0x00000001 0xf0000000 0x42d27cd0 0x00007fcf 	.........|.B....
	0x42d27d20 0x00007fcf 0x42d27d50 0x00007fcf 	 }.B....P}.B....
	0x42d27db0 0x00007fcf 0x42d27f00 0x00007fcf 	.}.B.......B....
	0x4c7ee3c0 0x00007fcf 0x48f80720 0x00007fcf 	..~L.... ..H....
	0x00000000 0x00000000 0x42d286c0 0x00007fcf 	...........B....
	0x4006e000 0x00000080 0x000001c0 0x00000000 	...@............
	Call stack: [thread 0x7fff7d157300]: 
        | 0x2 
        | start 
        | main DumpRenderTreeMain.mm:30 
        | DumpRenderTreeMain(int, char const**) DumpRenderTree.mm:1301 
        | dumpRenderTree(int, char const**) DumpRenderTree.mm:1179 
        | runTestingServerLoop() DumpRenderTree.mm:1070 
        | runTest(std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> > const&) DumpRenderTree.mm:1886 
        | CFRunLoopRunSpecific 
        | __CFRunLoopRun 
        | __CFRunLoopDoSources0 
        | __CFRUNLOOP_IS_CALLING_OUT_TO_A_SOURCE0_PERFORM_FUNCTION__ 
        | MultiplexerSource::_perform(void*) 
        | MultiplexerSource::perform() 
        | RunloopBlockContext::perform() 
        | CFArrayApplyFunction 
        | RunloopBlockContext::_invoke_block(void const*, void*) 
        | ___ZN27URLConnectionClient_Classic18_withDelegateAsyncEPKcU13block_pointerFvP16_CFURLConnectionPK33CFURLConnectionClientCurrent_VMaxE_block_invoke_2 
        | ___ZN27URLConnectionClient_Classic26_delegate_didFinishLoadingEU13block_pointerFvvE_block_invoke 
        | -[NSURLConnectionInternal _withActiveConnectionAndDelegate:] 
        | -[NSURLConnectionInternal _withConnectionAndDelegate:onlyActive:] 
        | __65-[NSURLConnectionInternal _withConnectionAndDelegate:onlyActive:]_block_invoke 
        | -[WebCoreResourceHandleAsDelegate connectionDidFinishLoading:] WebCoreResourceHandleAsDelegate.mm:261 
        | WebCore::ResourceLoader::didFinishLoading(WebCore::ResourceHandle*, double) ResourceLoader.cpp:543 
        | WebCore::SubresourceLoader::didFinishLoading(double) SubresourceLoader.cpp:366 
        | WebCore::CachedRawResource::finishLoading(WebCore::SharedBuffer*) CachedRawResource.cpp:105 
        | WebCore::CachedResource::finishLoading(WebCore::SharedBuffer*) CachedResource.cpp:310 
        | WebCore::CachedResource::checkNotify() CachedResource.cpp:293 
        | WebCore::DocumentLoader::notifyFinished(WebCore::CachedResource*) DocumentLoader.cpp:376 
        | WebCore::DocumentLoader::finishedLoading(double) DocumentLoader.cpp:442 
        | WebCore::DocumentWriter::end() DocumentWriter.cpp:248 
        | WebCore::HTMLDocumentParser::finish() HTMLDocumentParser.cpp:452 
        | WebCore::HTMLDocumentParser::attemptToEnd() HTMLDocumentParser.cpp:424 
        | WebCore::HTMLDocumentParser::prepareToStopParsing() HTMLDocumentParser.cpp:133 
        | WebCore::HTMLDocumentParser::attemptToRunDeferredScriptsAndEnd() HTMLDocumentParser.cpp:412 
        | WebCore::HTMLDocumentParser::end() HTMLDocumentParser.cpp:403 
        | WebCore::HTMLTreeBuilder::finished() HTMLTreeBuilder.cpp:2942 
        | WebCore::HTMLConstructionSite::finishedParsing() HTMLConstructionSite.cpp:405 
        | WebCore::Document::finishedParsing() Document.cpp:4629 
        | WebCore::FrameLoader::finishedParsing() FrameLoader.cpp:763 
        | WebCore::FrameLoader::checkCompleted() FrameLoader.cpp:843 
        | WebCore::FrameLoader::checkCallImplicitClose() FrameLoader.cpp:896 
        | WebCore::Document::implicitClose() Document.cpp:2457 
        | WebCore::Document::dispatchWindowLoadEvent() Document.cpp:3814 
        | WebCore::DOMWindow::dispatchLoadEvent() DOMWindow.cpp:1855 
        | WebCore::DOMWindow::dispatchEvent(WTF::PassRefPtr<WebCore::Event>, WTF::PassRefPtr<WebCore::EventTarget>) DOMWindow.cpp:1897 
        | WebCore::EventTarget::fireEventListeners(WebCore::Event*) EventTarget.cpp:207 
        | WebCore::EventTarget::fireEventListeners(WebCore::Event*, WebCore::EventTargetData*, WTF::Vector<WebCore::RegisteredEventListener, 1ul, WTF::CrashOnOverflow>&) EventTarget.cpp:256 
        | WebCore::JSEventListener::handleEvent(WebCore::ScriptExecutionContext*, WebCore::Event*) JSEventListener.cpp:127 
        | WebCore::JSMainThreadExecState::call(JSC::ExecState*, JSC::JSValue, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&, JSC::JSValue*) JSMainThreadExecState.h:56 
        | JSC::call(JSC::ExecState*, JSC::JSValue, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&, JSC::JSValue*) CallData.cpp:44 
        | JSC::call(JSC::ExecState*, JSC::JSValue, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&) CallData.cpp:39 
        | JSC::Interpreter::executeCall(JSC::ExecState*, JSC::JSObject*, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&) Interpreter.cpp:912 
        | JSC::JITCode::execute(JSC::VM*, JSC::ProtoCallFrame*) JITCode.cpp:77 
        | vmEntryToJavaScript 
        | llint_entry 
        | llint_entry 
        | llint_slow_path_get_by_id LLIntSlowPaths.cpp:581 
        | JSC::JSValue::get(JSC::ExecState*, JSC::PropertyName, JSC::PropertySlot&) const JSCJSValueInlines.h:703 
        | JSC::PropertySlot::getValue(JSC::ExecState*, JSC::PropertyName) const PropertySlot.h:256 
        | WebCore::jsElementOffsetTop(JSC::ExecState*, JSC::JSObject*, long long, JSC::PropertyName) JSElement.cpp:640 
        | WebCore::Element::offsetTop() Element.cpp:706 
        | WebCore::Document::updateLayoutIgnorePendingStylesheets(WebCore::Document::RunPostLayoutTasks) Document.cpp:1871 
        | WebCore::Document::updateLayout() Document.cpp:1837 
        | WebCore::FrameView::layout(bool) FrameView.cpp:1333 
        | WebCore::RenderView::layout() RenderView.cpp:359 
        | WebCore::RenderView::layoutContent(WebCore::LayoutState const&) RenderView.cpp:233 
        | WebCore::RenderBlock::layout() RenderBlock.cpp:930 
        | WebCore::RenderBlockFlow::layoutBlock(bool, WebCore::LayoutUnit) RenderBlockFlow.cpp:484 
        | WebCore::RenderBlockFlow::layoutBlockChildren(bool, WebCore::LayoutUnit&) RenderBlockFlow.cpp:629 
        | WebCore::RenderBlockFlow::layoutBlockChild(WebCore::RenderBox&, WebCore::RenderBlockFlow::MarginInfo&, WebCore::LayoutUnit&, WebCore::LayoutUnit&) RenderBlockFlow.cpp:708 
        | WebCore::RenderBlock::layout() RenderBlock.cpp:930 
        | WebCore::RenderBlockFlow::layoutBlock(bool, WebCore::LayoutUnit) RenderBlockFlow.cpp:484 
        | WebCore::RenderBlockFlow::layoutBlockChildren(bool, WebCore::LayoutUnit&) RenderBlockFlow.cpp:629 
        | WebCore::RenderBlockFlow::layoutBlockChild(WebCore::RenderBox&, WebCore::RenderBlockFlow::MarginInfo&, WebCore::LayoutUnit&, WebCore::LayoutUnit&) RenderBlockFlow.cpp:708 
        | WebCore::RenderBlock::layout() RenderBlock.cpp:930 
        | WebCore::RenderBlockFlow::layoutBlock(bool, WebCore::LayoutUnit) RenderBlockFlow.cpp:484 
        | WebCore::RenderBlockFlow::layoutBlockChildren(bool, WebCore::LayoutUnit&) RenderBlockFlow.cpp:622 
        | WebCore::RenderBlockFlow::insertFloatingObject(WebCore::RenderBox&) RenderBlockFlow.cpp:2231 
        | WebCore::RenderElement::layoutIfNeeded() RenderElement.h:119 
        | WebCore::RenderBlock::layout() RenderBlock.cpp:930 
        | WebCore::RenderBlockFlow::layoutBlock(bool, WebCore::LayoutUnit) RenderBlockFlow.cpp:484 
        | WebCore::RenderBlockFlow::layoutBlockChildren(bool, WebCore::LayoutUnit&) RenderBlockFlow.cpp:629 
        | WebCore::RenderBlockFlow::layoutBlockChild(WebCore::RenderBox&, WebCore::RenderBlockFlow::MarginInfo&, WebCore::LayoutUnit&, WebCore::LayoutUnit&) RenderBlockFlow.cpp:708 
        | WebCore::RenderBlock::layout() RenderBlock.cpp:930 
        | WebCore::RenderBlockFlow::layoutBlock(bool, WebCore::LayoutUnit) RenderBlockFlow.cpp:434 
        | WebCore::RenderBlockFlow::recomputeLogicalWidthAndColumnWidth() RenderBlockFlow.cpp:384 
        | WebCore::RenderBlockFlow::computeColumnCountAndWidth() RenderBlockFlow.cpp:423 
        | WebCore::RenderBlockFlow::setComputedColumnCountAndWidth(int, WebCore::LayoutUnit) RenderBlockFlow.cpp:3791 
        | WebCore::RenderBlockFlow::createMultiColumnFlowThread() RenderBlockFlow.cpp:128 
        | WebCore::RenderMultiColumnFlowThread::populate() RenderMultiColumnFlowThread.cpp:159 
        | WebCore::RenderBoxModelObject::moveChildrenTo(WebCore::RenderBoxModelObject*, WebCore::RenderObject*, WebCore::RenderObject*, bool) RenderBoxModelObject.h:306 
        | WebCore::RenderBoxModelObject::moveChildrenTo(WebCore::RenderBoxModelObject*, WebCore::RenderObject*, WebCore::RenderObject*, WebCore::RenderObject*, bool) RenderBoxModelObject.cpp:2740 
        | WebCore::RenderBoxModelObject::moveChildTo(WebCore::RenderBoxModelObject*, WebCore::RenderObject*, WebCore::RenderObject*, bool) RenderBoxModelObject.cpp:2701 
        | WebCore::RenderBlockFlow::addChild(WebCore::RenderObject*, WebCore::RenderObject*) RenderBlockFlow.cpp:3728 
        | WebCore::RenderBlock::addChild(WebCore::RenderObject*, WebCore::RenderObject*) RenderBlock.cpp:406 
        | WebCore::RenderBlock::addChildIgnoringContinuation(WebCore::RenderObject*, WebCore::RenderObject*) RenderBlock.cpp:492 
        | WebCore::RenderElement::addChild(WebCore::RenderObject*, WebCore::RenderObject*) RenderElement.cpp:511 
        | WebCore::RenderElement::insertChildInternal(WebCore::RenderObject*, WebCore::RenderObject*, WebCore::RenderElement::NotifyChildrenType) RenderElement.cpp:586 
        | WebCore::RenderBlockFlow::insertedIntoTree() RenderBlockFlow.cpp:140 
        | WebCore::RenderElement::insertedIntoTree() RenderElement.cpp:1034 
        | WebCore::RenderObject::insertedIntoTree() RenderObject.cpp:1917 
        | WebCore::RenderMultiColumnFlowThread::flowThreadDescendantInserted(WebCore::RenderObject*) RenderMultiColumnFlowThread.cpp:400 
        | WebCore::RenderMultiColumnFlowThread::processPossibleSpannerDescendant(WebCore::RenderObject*&, WebCore::RenderObject*) RenderMultiColumnFlowThread.cpp:307 
        | WebCore::RenderMultiColumnSpannerPlaceholder::createAnonymous(WebCore::RenderMultiColumnFlowThread*, WebCore::RenderBox*, WebCore::RenderStyle*) RenderMultiColumnSpannerPlaceholder.cpp:39 
        | WebCore::RenderStyle::createAnonymousStyleWithDisplay(WebCore::RenderStyle const*, WebCore::EDisplay) RenderStyle.cpp:102 
        | WebCore::RenderStyle::create() RenderStyle.cpp:91 
        | WTF::RefCounted<WebCore::RenderStyle>::operator new(unsigned long) RefCounted.h:141 
        | WTF::fastMalloc(unsigned long) FastMalloc.cpp:275 
        | bmalloc::api::malloc(unsigned long) bmalloc.h:36 
        | bmalloc::Cache::allocate(unsigned long) Cache.h:68 
        | bmalloc::Allocator::allocate(unsigned long) Allocator.h:85 
        | bmalloc::Allocator::allocateSlowCase(unsigned long) Allocator.cpp:195 
        | malloc 
        | malloc_zone_malloc
Comment 1 Joseph Pecoraro 2015-02-14 18:27:13 PST 
I'm unfamiliar with the render tree code. It doesn't appear to use any of our common smart pointers. What should the lifetime be / Who should delete this object?
Comment 2 Alexey Proskuryakov 2015-02-16 10:07:04 PST 
This is an intentional (for now) leak, see <http://trac.webkit.org/changeset/175641>.

That said, it certainly needs to be fixed eventually.
Comment 3 Alexey Proskuryakov 2015-02-22 22:35:45 PST 
In the meanwhile, we should add the leak to Tools/Scripts/webkitpy/port/leakdetector.py
Comment 4 David Kilzer (:ddkilzer) 2015-02-28 11:21:04 PST 
Are you sure this is intentional?  The ChangeLog talks about leaking the placeholder, not the RenderStyle it uses.

Am I missing something?

diff --git a/Source/WebCore/rendering/RenderMultiColumnSpannerPlaceholder.cpp b/Source/WebCore/rendering/RenderMultiColumnSpannerPlaceholder.cpp
index 6d7e9f1..f871aa2 100644
--- a/Source/WebCore/rendering/RenderMultiColumnSpannerPlaceholder.cpp
+++ b/Source/WebCore/rendering/RenderMultiColumnSpannerPlaceholder.cpp
@@ -36,9 +36,9 @@ namespace WebCore {
 
 RenderMultiColumnSpannerPlaceholder* RenderMultiColumnSpannerPlaceholder::createAnonymous(RenderMultiColumnFlowThread* flowThread, RenderBox* spanner, RenderStyle* parentStyle)
 {
-    RefPtr<RenderStyle> newStyle(RenderStyle::createAnonymousStyleWithDisplay(parentStyle, BLOCK));
+    auto newStyle = RenderStyle::createAnonymousStyleWithDisplay(parentStyle, BLOCK);
     newStyle->setClear(CBOTH); // We don't want floats in the row preceding the spanner to continue on the other side.
-    auto placeholder = new RenderMultiColumnSpannerPlaceholder(flowThread, spanner, *newStyle);
+    auto placeholder = new RenderMultiColumnSpannerPlaceholder(flowThread, spanner, WTF::move(newStyle));
     placeholder->initializeStyle();
     return placeholder;
 }
Comment 5 David Kilzer (:ddkilzer) 2015-03-03 10:30:49 PST 
(In reply to comment #4)
> Are you sure this is intentional?  The ChangeLog talks about leaking the
> placeholder, not the RenderStyle it uses.
> 
> Am I missing something?

I am missing something!  Both the RenderMultiColumnSpannerPlaceholder and the RenderStyle are leaked, which is expected based on the comment.