RESOLVED INVALID
201015
ASan reports a memory leak under LockedPrintStream
https://bugs.webkit.org/show_bug.cgi?id=201015
Summary
ASan reports a memory leak under LockedPrintStream
secpanic
Reported
2019-08-21 18:17:21 PDT
When the JS file below is executed, jsc will have a memory leak ``` function main() { const v4 = [13.37]; const v6 = [1337,1337]; const v7 = [v4,"constructor",-3004925011]; const v8 = {b:13.37,toString:v6,d:v7,c:-3004925011}; const v9 = {d:v7,toString:v8}; let v10 = -3004925011; const v15 = [13.37,13.37]; const v17 = [1337,1337,1337,1337,1337]; const v18 = [1457955308,"FvJ1dPW7NF",13.37]; let v20 = NaN; const v22 = [13.37,13.37]; const v24 = [1337,1337,1337,v22]; const v25 = [1337,v24]; const v27 = (13.37).toLocaleString(); const v28 = v25.join(); function v29(v30,v31,v32,v33,...v34) { function v35(v36,v37,v38,v39,...v40) { const v45 = [13.37,13.37,13.37]; const v46 = v45.__proto__; const v48 = {set:gc,get:gc}; const v50 = Object.defineProperty(v46,128,v48); for (let v52 = 0; v52 < 1000; v52++) { function v54(v55,v56,v57,v58,...v59) { const v63 = isFinite.apply(Object); return v63; } const v64 = v54(); } return noInline; } const v65 = v35(); return v27; } const v66 = v29(v28,v29); const v67 = {valueOf:"FvJ1dPW7NF",a:v18}; const v69 = [13.37]; const v71 = [1337,1337,1337]; function v72(v73,v74,v75) { const v79 = [13.37,13.37,13.37,13.37,13.37]; const v80 = [v79,v79,-973213979,13.37]; const v82 = [13.37,Symbol,13.37]; function v83(v84,v85,v86) { } const v88 = [v80,13.37]; const v90 = [1337,1337,1337,v88]; const v91 = [1337,v90]; const v92 = v82.toLocaleString(); let v95 = 0; do { function v96(v97,v98,v99,v100,...v101) { function v102(v103,v104,v105,v106,...v107) { for (let v111 = 0; v111 < 1000; v111++) { function v112(v113,v114,v115,v116,...v117) { } } } } const v118 = v95 + 1; v95 = v118; } while (v95 < 8); const v123 = [13.37,13.37,13.37,13.37,13.37]; const v125 = [1337,1337]; const v126 = ["Z2EBZHeeZW","Z2EBZHeeZW"]; const v127 = {length:v123}; const v128 = {c:v125,a:v125,length:Function,b:Function,e:13.37}; let v129 = 1337; const v131 = [1337,1337,1337,1337]; const v133 = [1337,1337,1337,1337]; const v136 = [1337,1337,1337,1337]; const v137 = {}; let v138 = 3; 
function v139(v140,v141,v142) { for (let v147 = 0; v147 < 1000; v147++) { function v149(v150,v151,v152) { } let v154 = 0; for (const v155 of arguments) { const v157 = [1337]; function v159(v160,v161,v162) { arguments.__proto__ = v157; } function v163(v164,v165,v166,v167,...v168) { const v174 = v159(); } function v178(v179,v180,v181,v182,...v183) { } } const v191 = {__proto__:v149}; const v193 = Object.seal(arguments,9007199254740991,v191); } return v136; } const v195 = v139(v138,v137,v136); function v196(v197,v198,v199) { function v200(v201,v202,v203,v204,...v205) { } } let v210 = 0; do { const v211 = v210 + 1; v210 = v211; } while (v210 < 7); for (let v215 = 0; v215 < 3; v215++) { } const v217 = v139(8,1); function v218(v219,v220,v221,v222) { return 13.37; } function v223(v224,v225,v226,v227,...v228) { function v229(v230,v231,v232,v233,...v234) { function v235(v236,v237,v238,v239,...v240) { function v241(v242,v243,v244,v245,...v246) { return v237; } return v28; } return v82; } return v67; } const v247 = v91.push(v92); return v9; } const v248 = v69 - v71; const v249 = v72(13.37,1337,v248); } noDFG(main); noFTL(main); main(); ``` ASAN will show the detail ``` ================================================================= ==5624==ERROR: LeakSanitizer: detected memory leaks Direct leak of 96 byte(s) in 3 object(s) allocated from: #0 0x7f85dc6a4f00 in operator new(unsigned long) (/usr/lib/x86_64-linux-gnu/libasan.so.3+0xc7f00) #1 0x240ecc9 in bmalloc::Heap::Heap(bmalloc::HeapKind, std::lock_guard<bmalloc::Mutex>&) (/home/android/Desktop/Fuzzer/BrowserCore/webkit/WebKitBuild/Release/bin/jsc+0x240ecc9) #2 0x2407a25 in bmalloc::PerProcess<bmalloc::PerHeapKind<bmalloc::Heap> >::getSlowCase() (/home/android/Desktop/Fuzzer/BrowserCore/webkit/WebKitBuild/Release/bin/jsc+0x2407a25) #3 0x2407367 in bmalloc::Cache::Cache(bmalloc::HeapKind) (/home/android/Desktop/Fuzzer/BrowserCore/webkit/WebKitBuild/Release/bin/jsc+0x2407367) #4 0x2407cab in 
bmalloc::PerThread<bmalloc::PerHeapKind<bmalloc::Cache> >::getSlowCase() (/home/android/Desktop/Fuzzer/BrowserCore/webkit/WebKitBuild/Release/bin/jsc+0x2407cab) #5 0x24073fd in bmalloc::Cache::allocateSlowCaseNullCache(bmalloc::HeapKind, unsigned long) (/home/android/Desktop/Fuzzer/BrowserCore/webkit/WebKitBuild/Release/bin/jsc+0x24073fd) #6 0x233e24d in WTF::fastMalloc(unsigned long) (/home/android/Desktop/Fuzzer/BrowserCore/webkit/WebKitBuild/Release/bin/jsc+0x233e24d) #7 0x23f51d6 in WTF::Thread::initializeCurrentTLS() (/home/android/Desktop/Fuzzer/BrowserCore/webkit/WebKitBuild/Release/bin/jsc+0x23f51d6) #8 0x234f56c in WTF::LockedPrintStream::begin() (/home/android/Desktop/Fuzzer/BrowserCore/webkit/WebKitBuild/Release/bin/jsc+0x234f56c) #9 0x199ecdd in void std::call_once<JSC::Options::initialize()::{lambda()#1}>(std::once_flag&, JSC::Options::initialize()::{lambda()#1}&&)::{lambda()#2}::_FUN() (/home/android/Desktop/Fuzzer/BrowserCore/webkit/WebKitBuild/Release/bin/jsc+0x199ecdd) #10 0x7f85dc3cea98 in __pthread_once_slow (/lib/x86_64-linux-gnu/libpthread.so.0+0xea98) Indirect leak of 120 byte(s) in 3 object(s) allocated from: #0 0x7f85dc6a4f00 in operator new(unsigned long) (/usr/lib/x86_64-linux-gnu/libasan.so.3+0xc7f00) #1 0x240ec45 in bmalloc::Heap::Heap(bmalloc::HeapKind, std::lock_guard<bmalloc::Mutex>&) (/home/android/Desktop/Fuzzer/BrowserCore/webkit/WebKitBuild/Release/bin/jsc+0x240ec45) #2 0x2407a25 in bmalloc::PerProcess<bmalloc::PerHeapKind<bmalloc::Heap> >::getSlowCase() (/home/android/Desktop/Fuzzer/BrowserCore/webkit/WebKitBuild/Release/bin/jsc+0x2407a25) #3 0x2407367 in bmalloc::Cache::Cache(bmalloc::HeapKind) (/home/android/Desktop/Fuzzer/BrowserCore/webkit/WebKitBuild/Release/bin/jsc+0x2407367) #4 0x2407cab in bmalloc::PerThread<bmalloc::PerHeapKind<bmalloc::Cache> >::getSlowCase() (/home/android/Desktop/Fuzzer/BrowserCore/webkit/WebKitBuild/Release/bin/jsc+0x2407cab) #5 0x24073fd in 
bmalloc::Cache::allocateSlowCaseNullCache(bmalloc::HeapKind, unsigned long) (/home/android/Desktop/Fuzzer/BrowserCore/webkit/WebKitBuild/Release/bin/jsc+0x24073fd) #6 0x233e24d in WTF::fastMalloc(unsigned long) (/home/android/Desktop/Fuzzer/BrowserCore/webkit/WebKitBuild/Release/bin/jsc+0x233e24d) #7 0x23f51d6 in WTF::Thread::initializeCurrentTLS() (/home/android/Desktop/Fuzzer/BrowserCore/webkit/WebKitBuild/Release/bin/jsc+0x23f51d6) #8 0x234f56c in WTF::LockedPrintStream::begin() (/home/android/Desktop/Fuzzer/BrowserCore/webkit/WebKitBuild/Release/bin/jsc+0x234f56c) #9 0x199ecdd in void std::call_once<JSC::Options::initialize()::{lambda()#1}>(std::once_flag&, JSC::Options::initialize()::{lambda()#1}&&)::{lambda()#2}::_FUN() (/home/android/Desktop/Fuzzer/BrowserCore/webkit/WebKitBuild/Release/bin/jsc+0x199ecdd) #10 0x7f85dc3cea98 in __pthread_once_slow (/lib/x86_64-linux-gnu/libpthread.so.0+0xea98) SUMMARY: AddressSanitizer: 216 byte(s) leaked in 6 allocation(s). ``` To reproduce this issue ,you need to run jsc with this command: `jsc --validateOptions=true --useConcurrentJIT=false --thresholdForJITSoon=10 --thresholdForJITAfterWarmUp=10 --thresholdForOptimizeAfterWarmUp=100 --thresholdForOptimizeAfterLongWarmUp=100 --thresholdForOptimizeAfterLongWarmUp=100 --thresholdForFTLOptimizeAfterWarmUp=1000 --thresholdForFTLOptimizeSoon=1000 --gcAtEnd=true crash_1565006120806_26271_flaky_6.js`
Radar WebKit Bug Importer
Comment 1
2019-08-22 14:19:33 PDT
<
rdar://problem/54614147
>
Yusuke Suzuki
Comment 2
2019-08-30 16:04:06 PDT
This is a per-process singleton, not an actual leak: the reported stack shows the allocation happening once, under std::call_once in JSC::Options::initialize() via WTF::Thread::initializeCurrentTLS(), so it lives for the whole process and LeakSanitizer flags it only because it is still reachable when the process exits.