Bug 19596 - LEAK: Gmail leaks SegmentedVector<RegisterID>
Summary: LEAK: Gmail leaks SegmentedVector<RegisterID>
Status: RESOLVED FIXED
Alias: None
Product: WebKit
Classification: Unclassified
Component: JavaScriptCore (show other bugs)
Version: 528+ (Nightly build)
Hardware: All All
: P2 Normal
Assignee: Nobody
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2008-06-16 20:39 PDT by Cameron Zwarich (cpst)
Modified: 2008-06-16 23:33 PDT (History)
3 users (show)

See Also:


Attachments
Leaks report (35.02 KB, text/plain)
2008-06-16 20:42 PDT, Cameron Zwarich (cpst)
no flags Details
Log (20.25 KB, text/plain)
2008-06-16 21:59 PDT, Cameron Zwarich (cpst)
no flags Details
Proposed patch (1.72 KB, patch)
2008-06-16 22:32 PDT, Cameron Zwarich (cpst)
mjs: review+
Details | Formatted Diff | Diff

Note You need to log in before you can comment on or make changes to this bug.
Description Cameron Zwarich (cpst) 2008-06-16 20:39:03 PDT
I will upload a leaks report as an attachment.
Comment 1 Cameron Zwarich (cpst) 2008-06-16 20:42:09 PDT
Created attachment 21749 [details]
Leaks report

Here is the leaks report. I can increase the number of leaks repeatably by reloading Gmail. There are some other leaks here, but the worst one is the SegmentedVector leak.
Comment 2 Cameron Zwarich (cpst) 2008-06-16 20:56:28 PDT
Since SegmentedVector is only ever used as a member for CodeGenerator, and we aren't leaking CodeGenerator instances (we also never could, because CodeGenerator instances are only stack allocated in generateCode() methods), this probably means there is a bug in the segment handling code in SegmentedVector.
Comment 3 Cameron Zwarich (cpst) 2008-06-16 21:59:04 PDT
Created attachment 21750 [details]
Log

Here's a log of segment creations and deletions while loading Gmail. It seems that when we make more than one new segment we always leak the first one.
Comment 4 Cameron Zwarich (cpst) 2008-06-16 22:13:47 PDT
I found the problem. In the loop in SegmentedVector::grow(), the index i is often zero, which overwrites the inline segment in m_segments. In the destructor for SegmentedVector, the zero'th position is skipped in the deletion loop, because it is assumed to be the inline segment.
Comment 5 Cameron Zwarich (cpst) 2008-06-16 22:32:08 PDT
Created attachment 21751 [details]
Proposed patch
Comment 6 Maciej Stachowiak 2008-06-16 23:00:30 PDT
Comment on attachment 21751 [details]
Proposed patch

r=me
Comment 7 Cameron Zwarich (cpst) 2008-06-16 23:33:52 PDT
Landed in r34617. I will file the other leaks as separate bugs.