Bug 19596

Summary: LEAK: Gmail leaks SegmentedVector<RegisterID>
Product: WebKit
Reporter: Cameron Zwarich (cpst) <zwarich>
Component: JavaScriptCore
Assignee: Nobody <webkit-unassigned>
Severity: Normal
CC: ggaren, mjs, oliver
Priority: P2
Version: 528+ (Nightly build)
Hardware: All
OS: All
Attachments (Description / Flags):
Leaks report
Proposed patch / mjs: review+

Description Cameron Zwarich (cpst) 2008-06-16 20:39:03 PDT
I will upload a leaks report as an attachment.
Comment 1 Cameron Zwarich (cpst) 2008-06-16 20:42:09 PDT
Created attachment 21749 [details]
Leaks report

Here is the leaks report. I can increase the number of leaks repeatably by reloading Gmail. There are some other leaks here, but the worst one is the SegmentedVector leak.
Comment 2 Cameron Zwarich (cpst) 2008-06-16 20:56:28 PDT
Since SegmentedVector is only ever used as a member for CodeGenerator, and we aren't leaking CodeGenerator instances (we also never could, because CodeGenerator instances are only stack allocated in generateCode() methods), this probably means there is a bug in the segment handling code in SegmentedVector.
Comment 3 Cameron Zwarich (cpst) 2008-06-16 21:59:04 PDT
Created attachment 21750 [details]

Here's a log of segment creations and deletions while loading Gmail. It seems that when we make more than one new segment we always leak the first one.
Comment 4 Cameron Zwarich (cpst) 2008-06-16 22:13:47 PDT
I found the problem. In the loop in SegmentedVector::grow(), the index i is often zero, which overwrites the inline segment in m_segments. In the destructor for SegmentedVector, the zero'th position is skipped in the deletion loop, because it is assumed to be the inline segment.
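The defect described in the comment above, modelled as an added example (not WebKit's SegmentedVector, and not the landed patch): slot 0 of the segment table is the inline segment, the destructor skips slot 0, and the buggy grow() loop starts at an index derived from the old size, which is 0 on the first growth. The heap-segment counter shows the leak with the buggy loop and its absence when the loop never writes below slot 1. Names (SegmentedVector, grow, leakedSegmentsAfterGrowth, g_heapSegmentsLive) and the segment size are assumptions of this model.

```cpp
#include <cstddef>
#include <vector>

// Heap segments allocated minus heap segments deleted; nonzero after
// destruction means a leak.
static int g_heapSegmentsLive = 0;

enum { SegmentSize = 4 }; // constructed value, not WebKit's
struct Segment { int slots[SegmentSize]; };

// Simplified model: segment 0 lives inline in the object, later segments
// are heap allocated. Hypothetical code, not JavaScriptCore's.
class SegmentedVector {
public:
    explicit SegmentedVector(bool fixGrow) : m_fixGrow(fixGrow), m_size(0) {
        m_segments.push_back(&m_inlineSegment); // slot 0 is the inline segment
    }
    ~SegmentedVector() {
        // Slot 0 is assumed to be the inline segment, so it is never deleted.
        for (size_t i = 1; i < m_segments.size(); ++i) {
            delete m_segments[i];
            --g_heapSegmentsLive;
        }
    }
    void grow(size_t newSize) {
        size_t segmentsNeeded = (newSize + SegmentSize - 1) / SegmentSize;
        // Bug: the first index to fill is derived from the old size, which is
        // 0 before the first growth, so the loop overwrites slot 0 (the inline
        // segment) with a heap segment the destructor later skips.
        // Fix used in this model: never start below the current table size.
        size_t first = m_fixGrow ? m_segments.size() : m_size / SegmentSize;
        for (size_t i = first; i < segmentsNeeded; ++i) {
            if (i < m_segments.size())
                m_segments[i] = new Segment; // overwrites an existing slot
            else
                m_segments.push_back(new Segment);
            ++g_heapSegmentsLive;
        }
        m_size = newSize;
    }
private:
    bool m_fixGrow;
    size_t m_size;
    Segment m_inlineSegment;
    std::vector<Segment*> m_segments;
};

// Grows one vector twice, destroys it, and returns the heap segments still
// live: 1 with the buggy loop (the overwritten slot 0), 0 with the fix.
int leakedSegmentsAfterGrowth(bool fixGrow) {
    g_heapSegmentsLive = 0;
    {
        SegmentedVector v(fixGrow);
        v.grow(2 * SegmentSize); // buggy loop starts at slot 0 here
        v.grow(3 * SegmentSize); // later growth starts at slot 2, no overwrite
    }
    return g_heapSegmentsLive;
}
```

A leak checker such as the one used for the attached report reports exactly this pattern: the allocation in grow() has no matching free because the pointer that reached slot 0 is no longer reachable once the table is walked from slot 1.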
Comment 5 Cameron Zwarich (cpst) 2008-06-16 22:32:08 PDT
Created attachment 21751 [details]
Proposed patch
Comment 6 Maciej Stachowiak 2008-06-16 23:00:30 PDT
Comment on attachment 21751 [details]
Proposed patch

Comment 7 Cameron Zwarich (cpst) 2008-06-16 23:33:52 PDT
Landed in r34617. I will file the other leaks as separate bugs.