Bug 201804 - [JSC] REGRESSION (r248938): Leak of uint32_t arrays in testFastForwardCopy32()
Summary: [JSC] REGRESSION (r248938): Leak of uint32_t arrays in testFastForwardCopy32()
Status: RESOLVED FIXED
Alias: None
Product: WebKit
Classification: Unclassified
Component: JavaScriptCore (show other bugs)
Version: WebKit Nightly Build
Hardware: Unspecified Unspecified
: P2 Normal
Assignee: David Kilzer (:ddkilzer)
URL:
Keywords: InRadar
Depends on:
Blocks:
 
Reported: 2019-09-15 07:01 PDT by David Kilzer (:ddkilzer)
Modified: 2019-09-16 13:29 PDT (History)
10 users (show)

See Also:

Attachments
Patch v1 (2.33 KB, patch)
2019-09-15 07:12 PDT, David Kilzer (:ddkilzer) 		no flags Details | Formatted Diff | Diff
Patch v2 (2.33 KB, patch)
2019-09-15 07:24 PDT, David Kilzer (:ddkilzer) 		no flags Details | Formatted Diff | Diff
Patch v3 (2.46 KB, patch)
2019-09-16 05:31 PDT, David Kilzer (:ddkilzer) 		no flags Details | Formatted Diff | Diff
Patch v4 (2.45 KB, patch)
2019-09-16 06:42 PDT, David Kilzer (:ddkilzer) 		no flags Details | Formatted Diff | Diff
Show Obsolete (3) View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description David Kilzer (:ddkilzer) 2019-09-15 07:01:56 PDT 
Leak of uint32_t arrays in testFastForwardCopy32() due to `continue` statements not releasing memory allocated by `new`.

void testFastForwardCopy32()
{
#if CPU(X86_64)
    for (const bool aligned : { true, false }) {
        for (const bool overlap : { false, true }) {
            for (size_t arrsize : { 1, 4, 5, 6, 8, 10, 12, 16, 20, 40, 100, 1000}) {
                size_t overlapAmount = 5;

                uint32_t* arr1, *arr2;

                if (overlap) {
                    arr1 = new uint32_t[arrsize * 2];
                    arr2 = arr1 + (arrsize - overlapAmount);
                } else {
                    arr1 = new uint32_t[arrsize];
                    arr2 = new uint32_t[arrsize];
                }

                if (!aligned && arrsize < 3)
                    continue;  // LEAKS!
                if (overlap && arrsize <= overlapAmount + 3)
                    continue;  // LEAKS!

                [...]

                if (!overlap) {
                    delete[] arr1;
                    delete[] arr2;
                } else
                    delete[] arr1;
            }
        }
    }
#endif
}

<https://trac.webkit.org/browser/webkit/trunk/Source/JavaScriptCore/b3/testb3_8.cpp>
Comment 1 David Kilzer (:ddkilzer) 2019-09-15 07:04:51 PDT 
Leak introduced by:

Bug 200181: Identify memcpy loops in b3
<https://bugs.webkit.org/show_bug.cgi?id=200181>
<https://trac.webkit.org/changeset/248938>
Comment 2 David Kilzer (:ddkilzer) 2019-09-15 07:12:35 PDT 
Created attachment 378811 [details]
Patch v1
Comment 3 David Kilzer (:ddkilzer) 2019-09-15 07:24:24 PDT 
Created attachment 378812 [details]
Patch v2
Comment 4 David Kilzer (:ddkilzer) 2019-09-15 07:27:31 PDT 
(In reply to David Kilzer (:ddkilzer) from comment #3)
> Created attachment 378812 [details]
> Patch v2

ERROR: Source/JavaScriptCore/b3/testb3_8.cpp:881:  Use 'WTF::makeUnique<>' instead of 'std::make_unique<>'.  [runtime/wtf_make_unique] [4]
ERROR: Source/JavaScriptCore/b3/testb3_8.cpp:885:  Use 'WTF::makeUnique<>' instead of 'std::make_unique<>'.  [runtime/wtf_make_unique] [4]
ERROR: Source/JavaScriptCore/b3/testb3_8.cpp:886:  Use 'WTF::makeUnique<>' instead of 'std::make_unique<>'.  [runtime/wtf_make_unique] [4]
Total errors found: 3 in 2 files

This is a false positive.  WTF::makeUnique<> doesn't handle POD types, so std::make_unique<> must still be used.  (See build failures of "Patch v1".)
Comment 5 Radar WebKit Bug Importer 2019-09-15 10:57:59 PDT 
<rdar://problem/55380614>
Comment 6 Saam Barati 2019-09-15 22:02:28 PDT 
Comment on attachment 378812 [details]
Patch v2

View in context: https://bugs.webkit.org/attachment.cgi?id=378812&action=review

> Source/JavaScriptCore/b3/testb3_8.cpp:885
> +                    array1 = std::make_unique<uint32_t[]>(arrsize);

Should we be using WTF::makeUnique?
Comment 7 David Kilzer (:ddkilzer) 2019-09-15 22:41:20 PDT 
(In reply to Saam Barati from comment #6)
> Comment on attachment 378812 [details]
> Patch v2
> 
> View in context:
> https://bugs.webkit.org/attachment.cgi?id=378812&action=review
> 
> > Source/JavaScriptCore/b3/testb3_8.cpp:885
> > +                    array1 = std::make_unique<uint32_t[]>(arrsize);
> 
> Should we be using WTF::makeUnique?

No.  It doesn't support POD types.  See Comment #4.
Comment 8 David Kilzer (:ddkilzer) 2019-09-15 22:44:20 PDT 
Comment on attachment 378812 [details]
Patch v2

View in context: https://bugs.webkit.org/attachment.cgi?id=378812&action=review

>>> Source/JavaScriptCore/b3/testb3_8.cpp:885
>>> +                    array1 = std::make_unique<uint32_t[]>(arrsize);
>> 
>> Should we be using WTF::makeUnique?
> 
> No.  It doesn't support POD types.  See Comment #4.

Or is the patch missing a #include of <wtf/UniqueArray.h>?
Comment 9 Yusuke Suzuki 2019-09-16 00:56:56 PDT 
Comment on attachment 378812 [details]
Patch v2

View in context: https://bugs.webkit.org/attachment.cgi?id=378812&action=review

>>>> Source/JavaScriptCore/b3/testb3_8.cpp:885
>>>> +                    array1 = std::make_unique<uint32_t[]>(arrsize);
>>> 
>>> Should we be using WTF::makeUnique?
>> 
>> No.  It doesn't support POD types.  See Comment #4.
> 
> Or is the patch missing a #include of <wtf/UniqueArray.h>?

Use `makeUniqueArray<uint32_t>(arrsize)` instead.
Comment 10 David Kilzer (:ddkilzer) 2019-09-16 05:30:51 PDT 
(In reply to Yusuke Suzuki from comment #9)
> Comment on attachment 378812 [details]
> Patch v2
> 
> View in context:
> https://bugs.webkit.org/attachment.cgi?id=378812&action=review
> 
> >>>> Source/JavaScriptCore/b3/testb3_8.cpp:885
> >>>> +                    array1 = std::make_unique<uint32_t[]>(arrsize);
> >>> 
> >>> Should we be using WTF::makeUnique?
> >> 
> >> No.  It doesn't support POD types.  See Comment #4.
> > 
> > Or is the patch missing a #include of <wtf/UniqueArray.h>?
> 
> Use `makeUniqueArray<uint32_t>(arrsize)` instead.

Thanks!  Just noticed that.
Comment 11 David Kilzer (:ddkilzer) 2019-09-16 05:31:26 PDT 
Created attachment 378856 [details]
Patch v3
Comment 12 David Kilzer (:ddkilzer) 2019-09-16 06:42:18 PDT 
Created attachment 378858 [details]
Patch v4
Comment 13 David Kilzer (:ddkilzer) 2019-09-16 09:36:10 PDT 
(In reply to David Kilzer (:ddkilzer) from comment #4)
> (In reply to David Kilzer (:ddkilzer) from comment #3)
> > Created attachment 378812 [details]
> > Patch v2
> 
> ERROR: Source/JavaScriptCore/b3/testb3_8.cpp:881:  Use 'WTF::makeUnique<>'
> instead of 'std::make_unique<>'.  [runtime/wtf_make_unique] [4]
> ERROR: Source/JavaScriptCore/b3/testb3_8.cpp:885:  Use 'WTF::makeUnique<>'
> instead of 'std::make_unique<>'.  [runtime/wtf_make_unique] [4]
> ERROR: Source/JavaScriptCore/b3/testb3_8.cpp:886:  Use 'WTF::makeUnique<>'
> instead of 'std::make_unique<>'.  [runtime/wtf_make_unique] [4]
> Total errors found: 3 in 2 files
> 
> This is a false positive.  WTF::makeUnique<> doesn't handle POD types, so
> std::make_unique<> must still be used.  (See build failures of "Patch v1".)

Filed Bug 201818 to fix this error message when using arrays:

Bug 201818: check-webkit-style: Fix warning message for std::make_unique<typename[]>
<https://bugs.webkit.org/show_bug.cgi?id=201818>
Comment 14 WebKit Commit Bot 2019-09-16 13:29:49 PDT 
Comment on attachment 378858 [details]
Patch v4

Clearing flags on attachment: 378858

Committed r249914: <https://trac.webkit.org/changeset/249914>
Comment 15 WebKit Commit Bot 2019-09-16 13:29:51 PDT 
All reviewed patches have been landed.  Closing bug.