RESOLVED FIXED 167744
Correct memory leak in MediaConstraints 
https://bugs.webkit.org/show_bug.cgi?id=167744
Summary Correct memory leak in MediaConstraints
Brent Fulgham
Reported 2017-02-02 10:50:46 PST
Static analysis discovered a memory leak in the handling of ConstraintHolders. 1. ConstraintHolder::create returns a reference to a “new” object. 2. m_variants holds a set of ConstraintHolder objects. 3. m_variants.append(ConstraintHolder::create(…)) copies the returned reference, leaking the new object. I discussed this with Anders Carlsson, who confirmed that we should just return the object by value here, and return-value-optimization will make sure we efficiently use the memory.
Attachments
Patch (1.66 KB, patch)
2017-02-02 10:55 PST, Brent Fulgham 		no flags
DetailsFormatted DiffDiff
Patch (4.16 KB, patch)
2017-02-02 17:37 PST, Brent Fulgham 		andersca: review+
DetailsFormatted DiffDiff
Show Obsolete (1) View All Add attachment proposed patch, testcase, etc.
Brent Fulgham
Comment 1 2017-02-02 10:52:49 PST
<rdar://problem/30331444>
Brent Fulgham
Comment 2 2017-02-02 10:55:19 PST
Created attachment 300419 [details] Patch
Anders Carlsson
Comment 3 2017-02-02 10:59:25 PST
Comment on attachment 300419 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=300419&action=review > Source/WebCore/platform/mediastream/MediaConstraints.h:716 > + static ConstraintHolder create(const MediaConstraint& value) { return *new ConstraintHolder(value); } This should just be return ConstraintHolder(value) otherwise we'll still leak.
Brent Fulgham
Comment 4 2017-02-02 11:34:35 PST
Committed r211579: <http://trac.webkit.org/changeset/211579>
Brent Fulgham
Comment 5 2017-02-02 11:35:15 PST
(In reply to comment #3) > Comment on attachment 300419 [details] > Patch > > View in context: > https://bugs.webkit.org/attachment.cgi?id=300419&action=review > > > Source/WebCore/platform/mediastream/MediaConstraints.h:716 > > + static ConstraintHolder create(const MediaConstraint& value) { return *new ConstraintHolder(value); } > > This should just be return ConstraintHolder(value) otherwise we'll still > leak. Done!
Ryan Haddad
Comment 6 2017-02-02 13:15:57 PST
(In reply to comment #4) > Committed r211579: <http://trac.webkit.org/changeset/211579> This change caused 5 mediastream LayoutTests to crash: https://build.webkit.org/results/Apple%20Sierra%20Release%20WK2%20(Tests)/r211582%20(3234)/results.html
WebKit Commit Bot
Comment 7 2017-02-02 13:30:33 PST
Re-opened since this is blocked by bug 167753
Brent Fulgham
Comment 8 2017-02-02 13:31:42 PST
This isn't quite right. I introduced some media stream crashes with this change, so I'm rolling it out under https://bugs.webkit.org/show_bug.cgi?id=167753.
Brent Fulgham
Comment 9 2017-02-02 17:37:05 PST
Created attachment 300477 [details] Patch
Brent Fulgham
Comment 10 2017-02-02 17:39:05 PST
The problem was that the move operator was not clearing the union, so when the "move source" was cleaned up, the memory was getting freed, even though the pointers had been moved to the "move target" location.
Brent Fulgham
Comment 11 2017-02-02 20:22:40 PST
Tests are happy. I just want to have Anders (or maybe Darin) check that the move operator is written properly.
Anders Carlsson
Comment 12 2017-02-03 12:39:12 PST
Comment on attachment 300477 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=300477&action=review > Source/WebCore/platform/mediastream/MediaConstraints.h:749 > + m_value.asInteger = WTFMove(other.m_value.asInteger); > + other.m_value.asInteger = nullptr; No need to use move with pointers, just do something like m_value.asInteger = std::exchange(other.m_value.asInteger, nullptr); (same thing for the other cases).
Brent Fulgham
Comment 13 2017-02-03 12:41:21 PST
Comment on attachment 300477 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=300477&action=review >> Source/WebCore/platform/mediastream/MediaConstraints.h:749 >> + other.m_value.asInteger = nullptr; > > No need to use move with pointers, just do something like > > m_value.asInteger = std::exchange(other.m_value.asInteger, nullptr); > > (same thing for the other cases). Oh, cool! Will change.
Brent Fulgham
Comment 14 2017-02-03 12:55:02 PST
Committed r211646: <http://trac.webkit.org/changeset/211646>
Note You need to log in before you can comment on or make changes to this bug.