Bug 201015 - ASan reports a memory leak under LockedPrintStream
Summary: ASan reports a memory leak under LockedPrintStream
Status: RESOLVED INVALID
Alias: None
Product: WebKit
Classification: Unclassified
Component: JavaScriptCore
Version: WebKit Local Build
Hardware: PC Linux
: P2 Normal
Assignee: Nobody
URL:
Keywords: InRadar
Depends on:
Blocks:
 
Reported: 2019-08-21 18:17 PDT by secpanic
Modified: 2019-08-30 16:04 PDT (History)

See Also:


Attachments

Description secpanic 2019-08-21 18:17:21 PDT
When jsc executes the JS file below, LeakSanitizer (run as part of the ASan build) reports a memory leak:

```
// Reproducer from the bug report. It appears to be fuzzer-generated (the build
// paths in the trace sit under a `Fuzzer` directory -- TODO confirm), so it is
// kept byte-identical: the precise sequence of allocations, shapes and calls is
// what was actually run. Note that the LeakSanitizer report below points at a
// per-process bmalloc singleton created under JSC::Options::initialize, i.e.
// before this script executes, which is why the bug was resolved INVALID.
function main() {
const v4 = [13.37];
const v6 = [1337,1337];
const v7 = [v4,"constructor",-3004925011];
const v8 = {b:13.37,toString:v6,d:v7,c:-3004925011};
const v9 = {d:v7,toString:v8};
let v10 = -3004925011;
const v15 = [13.37,13.37];
const v17 = [1337,1337,1337,1337,1337];
const v18 = [1457955308,"FvJ1dPW7NF",13.37];
let v20 = NaN;
const v22 = [13.37,13.37];
const v24 = [1337,1337,1337,v22];
const v25 = [1337,v24];
const v27 = (13.37).toLocaleString();
const v28 = v25.join();
function v29(v30,v31,v32,v33,...v34) {
    function v35(v36,v37,v38,v39,...v40) {
        const v45 = [13.37,13.37,13.37];
        // v46 is Array.prototype (prototype of an array literal).
        const v46 = v45.__proto__;
        // Accessor at index 128 on Array.prototype whose getter and setter are
        // `gc` -- not defined in this file; presumably the jsc-shell builtin
        // that forces a collection (TODO confirm).
        const v48 = {set:gc,get:gc};
        const v50 = Object.defineProperty(v46,128,v48);
        // Warm-up loop; the repro command passes low JIT thresholds, so this
        // presumably tiers v54 up.
        for (let v52 = 0; v52 < 1000; v52++) {
            function v54(v55,v56,v57,v58,...v59) {
                const v63 = isFinite.apply(Object);
                return v63;
            }
            const v64 = v54();
        }
        return noInline;
    }
    const v65 = v35();
    return v27;
}
const v66 = v29(v28,v29);
const v67 = {valueOf:"FvJ1dPW7NF",a:v18};
const v69 = [13.37];
const v71 = [1337,1337,1337];
function v72(v73,v74,v75) {
    const v79 = [13.37,13.37,13.37,13.37,13.37];
    const v80 = [v79,v79,-973213979,13.37];
    const v82 = [13.37,Symbol,13.37];
    function v83(v84,v85,v86) {
    }
    const v88 = [v80,13.37];
    const v90 = [1337,1337,1337,v88];
    const v91 = [1337,v90];
    const v92 = v82.toLocaleString();
    let v95 = 0;
    // Loop body only declares nested functions; nothing here is called.
    do {
        function v96(v97,v98,v99,v100,...v101) {
            function v102(v103,v104,v105,v106,...v107) {
                for (let v111 = 0; v111 < 1000; v111++) {
                    function v112(v113,v114,v115,v116,...v117) {
                    }
                }
            }
        }
        const v118 = v95 + 1;
        v95 = v118;
    } while (v95 < 8);
    const v123 = [13.37,13.37,13.37,13.37,13.37];
    const v125 = [1337,1337];
    const v126 = ["Z2EBZHeeZW","Z2EBZHeeZW"];
    const v127 = {length:v123};
    const v128 = {c:v125,a:v125,length:Function,b:Function,e:13.37};
    let v129 = 1337;
    const v131 = [1337,1337,1337,1337];
    const v133 = [1337,1337,1337,1337];
    const v136 = [1337,1337,1337,1337];
    const v137 = {};
    let v138 = 3;
    // Called twice below: once with three arguments, once with two; each
    // iteration walks `arguments` and then seals it.
    function v139(v140,v141,v142) {
        for (let v147 = 0; v147 < 1000; v147++) {
            function v149(v150,v151,v152) {
            }
            let v154 = 0;
            for (const v155 of arguments) {
                const v157 = [1337];
                function v159(v160,v161,v162) {
                    // v159 is only called from v163, which nothing in this
                    // listing invokes, so this assignment never executes.
                    arguments.__proto__ = v157;
                }
                function v163(v164,v165,v166,v167,...v168) {
                    const v174 = v159();
                }
                function v178(v179,v180,v181,v182,...v183) {
                }
            }
            const v191 = {__proto__:v149};
            // Object.seal takes one argument; the two extra ones are ignored.
            const v193 = Object.seal(arguments,9007199254740991,v191);
        }
        return v136;
    }
    const v195 = v139(v138,v137,v136);
    function v196(v197,v198,v199) {
        function v200(v201,v202,v203,v204,...v205) {
        }
    }
    let v210 = 0;
    do {
        const v211 = v210 + 1;
        v210 = v211;
    } while (v210 < 7);
    for (let v215 = 0; v215 < 3; v215++) {
    }
    const v217 = v139(8,1);
    function v218(v219,v220,v221,v222) {
        return 13.37;
    }
    function v223(v224,v225,v226,v227,...v228) {
        function v229(v230,v231,v232,v233,...v234) {
            function v235(v236,v237,v238,v239,...v240) {
                function v241(v242,v243,v244,v245,...v246) {
                    return v237;
                }
                return v28;
            }
            return v82;
        }
        return v67;
    }
    const v247 = v91.push(v92);
    return v9;
}
// Array - Array coerces both operands via toString ("13.37" - "1337,1337,1337"),
// so v248 is NaN.
const v248 = v69 - v71;
const v249 = v72(13.37,1337,v248);
}
// noDFG/noFTL are jsc-shell helpers, not standard JS; presumably they keep
// `main` off the DFG and FTL tiers -- TODO confirm against the shell build.
noDFG(main);
noFTL(main);
main();

```

ASan (LeakSanitizer) reports the following:

```
=================================================================
==5624==ERROR: LeakSanitizer: detected memory leaks

Direct leak of 96 byte(s) in 3 object(s) allocated from:
    #0 0x7f85dc6a4f00 in operator new(unsigned long) (/usr/lib/x86_64-linux-gnu/libasan.so.3+0xc7f00)
    #1 0x240ecc9 in bmalloc::Heap::Heap(bmalloc::HeapKind, std::lock_guard<bmalloc::Mutex>&) (/home/android/Desktop/Fuzzer/BrowserCore/webkit/WebKitBuild/Release/bin/jsc+0x240ecc9)
    #2 0x2407a25 in bmalloc::PerProcess<bmalloc::PerHeapKind<bmalloc::Heap> >::getSlowCase() (/home/android/Desktop/Fuzzer/BrowserCore/webkit/WebKitBuild/Release/bin/jsc+0x2407a25)
    #3 0x2407367 in bmalloc::Cache::Cache(bmalloc::HeapKind) (/home/android/Desktop/Fuzzer/BrowserCore/webkit/WebKitBuild/Release/bin/jsc+0x2407367)
    #4 0x2407cab in bmalloc::PerThread<bmalloc::PerHeapKind<bmalloc::Cache> >::getSlowCase() (/home/android/Desktop/Fuzzer/BrowserCore/webkit/WebKitBuild/Release/bin/jsc+0x2407cab)
    #5 0x24073fd in bmalloc::Cache::allocateSlowCaseNullCache(bmalloc::HeapKind, unsigned long) (/home/android/Desktop/Fuzzer/BrowserCore/webkit/WebKitBuild/Release/bin/jsc+0x24073fd)
    #6 0x233e24d in WTF::fastMalloc(unsigned long) (/home/android/Desktop/Fuzzer/BrowserCore/webkit/WebKitBuild/Release/bin/jsc+0x233e24d)
    #7 0x23f51d6 in WTF::Thread::initializeCurrentTLS() (/home/android/Desktop/Fuzzer/BrowserCore/webkit/WebKitBuild/Release/bin/jsc+0x23f51d6)
    #8 0x234f56c in WTF::LockedPrintStream::begin() (/home/android/Desktop/Fuzzer/BrowserCore/webkit/WebKitBuild/Release/bin/jsc+0x234f56c)
    #9 0x199ecdd in void std::call_once<JSC::Options::initialize()::{lambda()#1}>(std::once_flag&, JSC::Options::initialize()::{lambda()#1}&&)::{lambda()#2}::_FUN() (/home/android/Desktop/Fuzzer/BrowserCore/webkit/WebKitBuild/Release/bin/jsc+0x199ecdd)
    #10 0x7f85dc3cea98 in __pthread_once_slow (/lib/x86_64-linux-gnu/libpthread.so.0+0xea98)

Indirect leak of 120 byte(s) in 3 object(s) allocated from:
    #0 0x7f85dc6a4f00 in operator new(unsigned long) (/usr/lib/x86_64-linux-gnu/libasan.so.3+0xc7f00)
    #1 0x240ec45 in bmalloc::Heap::Heap(bmalloc::HeapKind, std::lock_guard<bmalloc::Mutex>&) (/home/android/Desktop/Fuzzer/BrowserCore/webkit/WebKitBuild/Release/bin/jsc+0x240ec45)
    #2 0x2407a25 in bmalloc::PerProcess<bmalloc::PerHeapKind<bmalloc::Heap> >::getSlowCase() (/home/android/Desktop/Fuzzer/BrowserCore/webkit/WebKitBuild/Release/bin/jsc+0x2407a25)
    #3 0x2407367 in bmalloc::Cache::Cache(bmalloc::HeapKind) (/home/android/Desktop/Fuzzer/BrowserCore/webkit/WebKitBuild/Release/bin/jsc+0x2407367)
    #4 0x2407cab in bmalloc::PerThread<bmalloc::PerHeapKind<bmalloc::Cache> >::getSlowCase() (/home/android/Desktop/Fuzzer/BrowserCore/webkit/WebKitBuild/Release/bin/jsc+0x2407cab)
    #5 0x24073fd in bmalloc::Cache::allocateSlowCaseNullCache(bmalloc::HeapKind, unsigned long) (/home/android/Desktop/Fuzzer/BrowserCore/webkit/WebKitBuild/Release/bin/jsc+0x24073fd)
    #6 0x233e24d in WTF::fastMalloc(unsigned long) (/home/android/Desktop/Fuzzer/BrowserCore/webkit/WebKitBuild/Release/bin/jsc+0x233e24d)
    #7 0x23f51d6 in WTF::Thread::initializeCurrentTLS() (/home/android/Desktop/Fuzzer/BrowserCore/webkit/WebKitBuild/Release/bin/jsc+0x23f51d6)
    #8 0x234f56c in WTF::LockedPrintStream::begin() (/home/android/Desktop/Fuzzer/BrowserCore/webkit/WebKitBuild/Release/bin/jsc+0x234f56c)
    #9 0x199ecdd in void std::call_once<JSC::Options::initialize()::{lambda()#1}>(std::once_flag&, JSC::Options::initialize()::{lambda()#1}&&)::{lambda()#2}::_FUN() (/home/android/Desktop/Fuzzer/BrowserCore/webkit/WebKitBuild/Release/bin/jsc+0x199ecdd)
    #10 0x7f85dc3cea98 in __pthread_once_slow (/lib/x86_64-linux-gnu/libpthread.so.0+0xea98)

SUMMARY: AddressSanitizer: 216 byte(s) leaked in 6 allocation(s).

```



To reproduce this issue, run jsc with the following command (the thresholds lower the JIT tier-up points; `--gcAtEnd=true` forces a final collection before exit):

`jsc --validateOptions=true --useConcurrentJIT=false --thresholdForJITSoon=10 --thresholdForJITAfterWarmUp=10 --thresholdForOptimizeAfterWarmUp=100 --thresholdForOptimizeAfterLongWarmUp=100 --thresholdForFTLOptimizeAfterWarmUp=1000 --thresholdForFTLOptimizeSoon=1000 --gcAtEnd=true  crash_1565006120806_26271_flaky_6.js`
Comment 1 Radar WebKit Bug Importer 2019-08-22 14:19:33 PDT
<rdar://problem/54614147>
Comment 2 Yusuke Suzuki 2019-08-30 16:04:06 PDT
This is a per-process singleton, not an actual leak: per the trace, the bmalloc Heap is created once under JSC::Options::initialize (via LockedPrintStream::begin and Thread::initializeCurrentTLS) and is intentionally kept for the life of the process, so LeakSanitizer flags it at exit regardless of which script runs.