| Field | Value |
|---|---|
| Summary | LEAK: Gmail leaks SegmentedVector<RegisterID> |
| Product | WebKit |
| Component | JavaScriptCore |
| Status | RESOLVED FIXED |
| Severity | Normal |
| Priority | P2 |
| Version | 528+ (Nightly build) |
| Hardware | All |
| OS | All |
| Reporter | Cameron Zwarich (cpst) <zwarich> |
| Assignee | Nobody <webkit-unassigned> |
| CC | ggaren, mjs, oliver |
| Attachments | 21749 (Leaks report), 21750 (Log), 21751 (Proposed patch) |
Description
Cameron Zwarich (cpst)
2008-06-16 20:39:03 PDT
Created attachment 21749 [details]
Leaks report

Here is the leaks report. I can increase the number of leaks repeatably by reloading Gmail. There are some other leaks here, but the worst one is the SegmentedVector leak.

Since SegmentedVector is only ever used as a member for CodeGenerator, and we aren't leaking CodeGenerator instances (we also never could, because CodeGenerator instances are only stack allocated in generateCode() methods), this probably means there is a bug in the segment handling code in SegmentedVector.

Created attachment 21750 [details]
Log

Here's a log of segment creations and deletions while loading Gmail. It seems that when we make more than one new segment we always leak the first one.

I found the problem. In the loop in SegmentedVector::grow(), the index i is often zero, which overwrites the inline segment in m_segments. In the destructor for SegmentedVector, the zeroth position is skipped in the deletion loop, because it is assumed to be the inline segment.

Created attachment 21751 [details]
Proposed patch
Comment on attachment 21751 [details]
Proposed patch
r=me
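The following is an added example, not code from this bug, from the attached patch, or from WebKit's real SegmentedVector. It is a minimal segmented vector that reproduces the mechanism Cameron describes: slot 0 of m_segments points at an inline segment owned by the object, the destructor skips slot 0 on that assumption, and a grow() loop that indexes new segments from 0 writes the first new heap segment over slot 0, where the destructor never looks. The exact shape of WebKit's grow() loop is not on this page, so the kBuggyGrow template flag (slot i versus slot oldCount + i), the allocation counters and the leakdemo namespace are assumptions of this example.

```cpp
// Added example: reconstructs the leak pattern from the bug report; this is
// not WebKit's SegmentedVector and the grow() loop shape is assumed.
#include <cassert>
#include <cstddef>
#include <iostream>
#include <vector>

namespace leakdemo {

// Example-only counters so the leak is visible without a leak checker.
static int g_allocated = 0;
static int g_freed = 0;

template <typename T, size_t SegmentSize, bool kBuggyGrow>
class SegmentedVector {
public:
    typedef std::vector<T> Segment;

    SegmentedVector() : m_size(0) {
        m_inlineSegment.resize(SegmentSize);
        m_segments.push_back(&m_inlineSegment); // slot 0 is the inline segment
    }

    ~SegmentedVector() {
        // Skips slot 0 on the assumption that it still holds the inline segment.
        // Anything grow() wrote into slot 0 is therefore never freed.
        for (size_t i = 1; i < m_segments.size(); ++i) {
            if (m_segments[i]) {
                delete m_segments[i];
                ++g_freed;
            }
        }
    }

    size_t size() const { return m_size; }

    T& operator[](size_t index) {
        return (*m_segments[index / SegmentSize])[index % SegmentSize];
    }

    void grow(size_t newSize) {
        size_t needed = (newSize + SegmentSize - 1) / SegmentSize;
        if (needed < 1)
            needed = 1;
        size_t oldCount = m_segments.size();
        if (needed > oldCount) {
            m_segments.resize(needed, nullptr);
            size_t numNew = needed - oldCount;
            for (size_t i = 0; i < numNew; ++i) {
                ++g_allocated;
                // Buggy: the slot index restarts at 0, so the first new heap
                // segment replaces the inline-segment pointer in slot 0.
                // Fixed: new segments go after the ones already present.
                size_t slot = kBuggyGrow ? i : oldCount + i;
                m_segments[slot] = new Segment(SegmentSize);
            }
        }
        m_size = newSize;
    }

private:
    size_t m_size;
    Segment m_inlineSegment;
    std::vector<Segment*> m_segments;
};

// Grows a fresh vector by `segmentsToAdd` whole segments in one call, destroys
// it, and reports how many heap segments were allocated but never freed.
template <bool kBuggyGrow>
int leakedSegmentsAfterGrow(size_t segmentsToAdd) {
    g_allocated = 0;
    g_freed = 0;
    {
        SegmentedVector<int, 4, kBuggyGrow> v;
        v.grow((1 + segmentsToAdd) * 4);
    }
    return g_allocated - g_freed;
}

// Sanity check on the fixed variant: elements span three segments and are
// stored and read back correctly. Returns 0 + 1 + ... + 9 = 45.
int sumAcrossSegments() {
    SegmentedVector<int, 4, false> v;
    v.grow(10);
    for (size_t i = 0; i < v.size(); ++i)
        v[i] = static_cast<int>(i);
    int sum = 0;
    for (size_t i = 0; i < v.size(); ++i)
        sum += v[i];
    return sum;
}

} // namespace leakdemo

int main() {
    std::cout << "buggy grow, 2 new segments: leaked "
              << leakdemo::leakedSegmentsAfterGrow<true>(2) << "\n";
    std::cout << "fixed grow, 5 new segments: leaked "
              << leakdemo::leakedSegmentsAfterGrow<false>(5) << "\n";
    std::cout << "fixed variant sum: " << leakdemo::sumAcrossSegments() << "\n";
    return 0;
}
```

In this model the buggy variant leaks exactly one segment per growing grow() call, whatever the number of segments added, because only the segment that lands in slot 0 escapes the destructor's loop; it also silently drops the pointer to the inline segment, which is the kind of invariant violation a debug assertion on slot 0 would catch before a leaks report does. Building with -fsanitize=address (LeakSanitizer) shows the same one-segment leak without the counters.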