Bug 150724 - CSSParserVariable leaks seen on leaks bots
Summary: CSSParserVariable leaks seen on leaks bots
Status: RESOLVED FIXED
Alias: None
Product: WebKit
Classification: Unclassified
Component: WebCore Misc. (show other bugs)
Version: WebKit Nightly Build
Hardware: Unspecified Unspecified
: P2 Normal
Assignee: Joseph Pecoraro
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2015-10-30 11:52 PDT by Joseph Pecoraro
Modified: 2015-10-30 16:19 PDT (History)
5 users (show)

See Also:

Attachments
[PATCH] Proposed Fix (1.18 KB, patch)
2015-10-30 12:37 PDT, Joseph Pecoraro 		no flags Details | Formatted Diff | Diff
View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Joseph Pecoraro 2015-10-30 11:52:31 PDT 
* SUMMARY
CSSParserVariable leaks seen on leaks bots.
https://build.webkit.org/builders/Apple%20Yosemite%20%28Leaks%29/builds/3581

* LEAK (allocation trace)
Call stack: [thread 0x11c62f300]: 
    | 0x2 
    | start 
    | main DumpRenderTreeMain.mm:30 
    | DumpRenderTreeMain(int, char const**) DumpRenderTree.mm:1430 
    | dumpRenderTree(int, char const**) DumpRenderTree.mm:1295 
    | runTestingServerLoop() DumpRenderTree.mm:1186 
    | runTest(std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> > const&) DumpRenderTree.mm:2036 
    | CFRunLoopRunSpecific 
    | __CFRunLoopRun 
    | __CFRunLoopDoSources0 
    | __CFRUNLOOP_IS_CALLING_OUT_TO_A_SOURCE0_PERFORM_FUNCTION__ 
    | MultiplexerSource::_perform(void*) 
    | MultiplexerSource::perform() 
    | RunloopBlockContext::perform() 
    | CFArrayApplyFunction 
    | RunloopBlockContext::_invoke_block(void const*, void*) 
    | ___ZN27URLConnectionClient_Classic18_withDelegateAsyncEPKcU13block_pointerFvP16_CFURLConnectionPK33CFURLConnectionClientCurrent_VMaxE_block_invoke_2 
    | ___ZN27URLConnectionClient_Classic26_delegate_didFinishLoadingEU13block_pointerFvvE_block_invoke 
    | -[NSURLConnectionInternal _withActiveConnectionAndDelegate:] 
    | -[NSURLConnectionInternal _withConnectionAndDelegate:onlyActive:] 
    | __65-[NSURLConnectionInternal _withConnectionAndDelegate:onlyActive:]_block_invoke 
    | -[WebCoreResourceHandleAsDelegate connectionDidFinishLoading:] WebCoreResourceHandleAsDelegate.mm:258 
    | WebCore::ResourceLoader::didFinishLoading(WebCore::ResourceHandle*, double) ResourceLoader.cpp:639 
    | WebCore::SubresourceLoader::didFinishLoading(double) SubresourceLoader.cpp:374 
    | WebCore::CachedCSSStyleSheet::finishLoading(WebCore::SharedBuffer*) CachedCSSStyleSheet.cpp:101 
    | WebCore::CachedCSSStyleSheet::checkNotify() CachedCSSStyleSheet.cpp:113 
    | non-virtual thunk to WebCore::HTMLLinkElement::setCSSStyleSheet(WTF::String const&, WebCore::URL const&, WTF::String const&, WebCore::CachedCSSStyleSheet const*) HTMLLinkElement.cpp:359 
    | WebCore::HTMLLinkElement::setCSSStyleSheet(WTF::String const&, WebCore::URL const&, WTF::String const&, WebCore::CachedCSSStyleSheet const*) HTMLLinkElement.cpp:351 
    | WebCore::StyleSheetContents::parseAuthorStyleSheet(WebCore::CachedCSSStyleSheet const*, WebCore::SecurityOrigin const*) StyleSheetContents.cpp:317 
    | WebCore::CSSParser::parseSheet(WebCore::StyleSheetContents*, WTF::String const&, WTF::TextPosition const&, WTF::Vector<WTF::RefPtr<WebCore::CSSRuleSourceData>, 0ul, WTF::CrashOnOverflow, 16ul>*, bool) CSSParser.cpp:462 
    | cssyyparse(WebCore::CSSParser*) .CSSGrammar.y:1743 
    | WebCore::CSSParserVariable::operator new(unsigned long) CSSParserValues.h:193 
    | WTF::fastMalloc(unsigned long) FastMalloc.cpp:193 
    | bmalloc::api::malloc(unsigned long) bmalloc.h:43 
    | bmalloc::Cache::allocate(unsigned long) Cache.h:79 
    | bmalloc::Allocator::allocate(unsigned long) Allocator.h:86 
    | bmalloc::Allocator::allocateSlowCase(unsigned long) Allocator.cpp:242 
    | malloc 
    | malloc_zone_malloc 

* NOTES

CSSGrammar.y.in

> variable_function:
>     VARFUNCTION maybe_space CUSTOM_PROPERTY maybe_space closing_parenthesis {
>         CSSParserVariable* var = new CSSParserVariable;
>         var->name = $3;
>         var->args = nullptr;
>         $$.id = CSSValueInvalid;
>         $$.unit = CSSParserValue::Variable;
>         $$.variable = var;
>     }
>    ...

It looks like `variable_function` has some destroy() method:

> %type <value> calc_function function variable_function min_or_max_function term
> %destructor { destroy($$); } calc_function function variable_function min_or_max_function term

Maybe this destroy function should be deleting `.variable` in the new case:

> void destroy(const CSSParserValue& value)
> {
>     if (value.unit == CSSParserValue::Function)
>         delete value.function;
>     else if (value.unit == CSSParserValue::ValueList)
>         delete value.valueList;
> }
Comment 1 Joseph Pecoraro 2015-10-30 12:02:31 PDT 
* STEPS TO REPRODUCE
shell> run-webkit-tests --leaks -1 fast/css/variables
Comment 2 Joseph Pecoraro 2015-10-30 12:18:55 PDT 
This gets most of the leaks, there are still others. I'll give some time to tracking them otherwise I'll just put this patch up.
Comment 3 Joseph Pecoraro 2015-10-30 12:28:19 PDT 
There is a CSSParserValueList leak, which I suspect is happening from:

    CSSValueList::buildParserValueSubstitutingVariables
    CSSValueList::buildParserValueListSubstitutingVariables

They call each other but in the error cases I don't think the CSSParserValueList created by buildParserValueSubstitutingVariables gets destroyed. I'll file a separate bug about this, since it is non-trivial for me but probably easy for those familiar with what this code is doing.
Comment 4 Joseph Pecoraro 2015-10-30 12:37:02 PDT 
Created attachment 264410 [details]
[PATCH] Proposed Fix
Comment 5 WebKit Commit Bot 2015-10-30 16:19:17 PDT 
Comment on attachment 264410 [details]
[PATCH] Proposed Fix

Clearing flags on attachment: 264410

Committed r191825: <http://trac.webkit.org/changeset/191825>
Comment 6 WebKit Commit Bot 2015-10-30 16:19:21 PDT 
All reviewed patches have been landed.  Closing bug.