[Webkit-unassigned] [Bug 29030] New: Unfreed UString objects

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Tue Sep 8 06:31:51 PDT 2009


https://bugs.webkit.org/show_bug.cgi?id=29030

           Summary: Unfreed UString objects
           Product: WebKit
           Version: 528+ (Nightly build)
          Platform: All
        OS/Version: All
            Status: UNCONFIRMED
          Severity: Normal
          Priority: P2
         Component: JavaScriptCore
        AssignedTo: webkit-unassigned at lists.webkit.org
        ReportedBy: zherczeg at inf.u-szeged.hu


UStrings are used for several purposes. Valgrind reports that many of them (1491)
are not freed. To be more precise, their UString::Rep is not freed.
Unfortunately this happens only when heavy scripting is used on the opened
page, like www.google.com. I couldn't make a small example so far.

Note:
https://bugs.webkit.org/show_bug.cgi?id=27980
With this patch applied to the source, many global objects are freed (UStrings as
well).

Finally, I have found a useful range of unfreed objects. I mean their rc (ref
count) is not overwritten too many times. (I just make the long story short
here.)

One of them is "moveBy". (I am sure it is not a builtin string)

Created here:

#0  JSC::UString::Rep::repCreated (this=0x83edf80) at
../../../JavaScriptCore/runtime/UString.cpp:280
#1  0xb6842b22 in Rep (this=0x83edf80, length=6) at
../../../JavaScriptCore/runtime/UString.h:166
#2  0xb6842b76 in BaseString (this=0x83edf80, buffer=0x83edf70, length=6,
additionalCapacity=0)
    at ../../../JavaScriptCore/runtime/UString.h:226
#3  0xb68ac05e in JSC::UString::Rep::create (buffer=0x83edf70, length=6)
    at ../../../JavaScriptCore/runtime/UString.h:88
#4  0xb68ad8fa in JSC::CStringTranslator::translate (location=@0x83ea750,
c=0xb793c897 "moveBy",
    hash=230789120) at ../../../JavaScriptCore/runtime/Identifier.cpp:117
#5  0xb68ad959 in WTF::HashSetTranslatorAdapter<JSC::UString::Rep*,
WTF::HashTraits<JSC::UString::Rep*>, char const*,
JSC::CStringTranslator>::translate (location=@0x83ea750, key=@0xbfd23e78,
hashCode=230789120)
    at ../../../JavaScriptCore/wtf/HashSet.h:108
#6  0xb68adcc3 in WTF::HashTable<JSC::UString::Rep*, JSC::UString::Rep*,
WTF::IdentityExtractor<JSC::UString::Rep*>, WTF::StrHash<JSC::UString::Rep*>,
WTF::HashTraits<JSC::UString::Rep*>, WTF::HashTraits<JSC::UString::Rep*>
>::addPassingHashCode<char const*, char const*,
WTF::HashSetTranslatorAdapter<JSC::UString::Rep*,
WTF::HashTraits<JSC::UString::Rep*>, char const*, JSC::CStringTranslator> >
(this=0x83d12ec,
    key=@0xbfd23e78, extra=@0xbfd23e78) at
../../../JavaScriptCore/wtf/HashTable.h:728
#7  0xb68adf75 in WTF::HashSet<JSC::UString::Rep*,
WTF::StrHash<JSC::UString::Rep*>, WTF::HashTraits<JSC::UString::Rep*>
>::add<char const*, JSC::CStringTranslator> (this=0x83d12ec, value=@0xbfd23e78)
    at ../../../JavaScriptCore/wtf/HashSet.h:216
#8  0xb68adff6 in JSC::IdentifierTable::add<char const*,
JSC::CStringTranslator> (this=0x83d12e8,
    value=0xb793c897 "moveBy") at
../../../JavaScriptCore/runtime/Identifier.cpp:54
#9  0xb68ae1f4 in JSC::Identifier::add (globalData=0x83d0658, c=0xb793c897
"moveBy")
    at ../../../JavaScriptCore/runtime/Identifier.cpp:144
#10 0xb68c5281 in JSC::HashTable::createTable (this=0xb7eddb10,
globalData=0x83d0658)
    at ../../../JavaScriptCore/runtime/Lookup.cpp:36
#11 0xb67ff9e4 in JSC::HashTable::initializeIfNeeded (this=0xb7eddb10,
exec=0x83de6bc)
    at ../../../JavaScriptCore/runtime/Lookup.h:124
#12 0xb67ffa0e in JSC::HashTable::entry (this=0xb7eddb10, exec=0x83de6bc,
identifier=@0x83d2d80)
    at ../../../JavaScriptCore/runtime/Lookup.h:138
#13 0xb696b9fe in WebCore::JSDOMWindow::getOwnPropertySlot (this=0xb3200080,
exec=0x83de6bc,
    propertyName=@0x83d2d80, slot=@0xbfd240d8) at
../../../WebCore/bindings/js/JSDOMWindowCustom.cpp:184
#14 0xb67dabfd in JSC::JSCell::fastGetOwnPropertySlot (this=0xb3200080,
exec=0x83de6bc,
    propertyName=@0x83d2d80, slot=@0xbfd240d8) at
../../../JavaScriptCore/runtime/JSObject.h:363
(More stack frames follow...)

Its reference counter is accessed here (watch *(int*)address_of(rc)):

Old value = 1
New value = 2

#0  0xb67bdd9a in JSC::UString::Rep::ref (this=0x83edf80) at
../../../JavaScriptCore/runtime/UString.h:135
#1  0xb67c2070 in RefPtr (this=0xbfd23efc, ptr=0x83edf80) at
../../../JavaScriptCore/wtf/RefPtr.h:39
#2  0xb68ae273 in JSC::Identifier::add (globalData=0x83d0658, c=0xb793c897
"moveBy")
    at ../../../JavaScriptCore/runtime/Identifier.cpp:150
#3  0xb68c5281 in JSC::HashTable::createTable (this=0xb7eddb10,
globalData=0x83d0658)
    at ../../../JavaScriptCore/runtime/Lookup.cpp:36
#4  0xb67ff9e4 in JSC::HashTable::initializeIfNeeded (this=0xb7eddb10,
exec=0x83de6bc)
    at ../../../JavaScriptCore/runtime/Lookup.h:124
#5  0xb67ffa0e in JSC::HashTable::entry (this=0xb7eddb10, exec=0x83de6bc,
identifier=@0x83d2d80)
    at ../../../JavaScriptCore/runtime/Lookup.h:138
#6  0xb696b9fe in WebCore::JSDOMWindow::getOwnPropertySlot (this=0xb3200080,
exec=0x83de6bc,
    propertyName=@0x83d2d80, slot=@0xbfd240d8) at
../../../WebCore/bindings/js/JSDOMWindowCustom.cpp:184
#7  0xb67dabfd in JSC::JSCell::fastGetOwnPropertySlot (this=0xb3200080,
exec=0x83de6bc,
    propertyName=@0x83d2d80, slot=@0xbfd240d8) at
../../../JavaScriptCore/runtime/JSObject.h:363
#8  0xb67dac42 in JSC::JSObject::getPropertySlot (this=0xb3200080,
exec=0x83de6bc,
    propertyName=@0x83d2d80, slot=@0xbfd240d8) at
../../../JavaScriptCore/runtime/JSObject.h:372
#9  0xb68bce5d in JSC::JSObject::hasProperty (this=0xb3200080, exec=0x83de6bc,
propertyName=@0x83d2d80)
    at ../../../JavaScriptCore/runtime/JSObject.cpp:172
#10 0xb6838da0 in BytecodeGenerator (this=0x83ebad8, programNode=0x83eb638,
debugger=0x0,
    scopeChain=@0xbfd242c0, symbolTable=0x83de74c, codeBlock=0x83eb868)
    at ../../../JavaScriptCore/bytecompiler/BytecodeGenerator.cpp:266
#11 0xb68a5e74 in JSC::ProgramExecutable::compile (this=0xbfd24328,
exec=0x83de6bc,
    scopeChainNode=0x83df248) at
../../../JavaScriptCore/runtime/Executable.cpp:107
#12 0xb68aee4e in JSC::evaluate (exec=0x83de6bc, scopeChain=@0x83de678,
source=@0xbfd24778, thisValue=
          {u = {asEncodedJSValue = -5584715776, asDouble =
-nan(0xffffeb3200000), asBits = {payload = -1289748480, tag = -2}}}) at
../../../JavaScriptCore/runtime/Completion.cpp:53
#13 0xb69b5c42 in WebCore::ScriptController::evaluate (this=0x813d410,
sourceCode=@0xbfd24774)
    at ../../../WebCore/bindings/js/ScriptController.cpp:115
#14 0xb6d83070 in WebCore::FrameLoader::executeScript (this=0x813d18c,
sourceCode=@0xbfd24774)
    at ../../../WebCore/loader/FrameLoader.cpp:776
(More stack frames follow...)

Old value = 2
New value = 3

#0  0xb67bdd9a in JSC::UString::Rep::ref (this=0x83edf80) at
../../../JavaScriptCore/runtime/UString.h:135
#1  0xb67c6941 in WTF::RefPtr<JSC::UString::Rep>::operator= (this=0x83e7bcc,
o=@0xbfd23efc)
    at ../../../JavaScriptCore/wtf/RefPtr.h:96
#2  0xb68ac854 in WTF::HashMapTranslator<std::pair<char const*,
WTF::RefPtr<JSC::UString::Rep> >, WTF::PairHashTraits<WTF::HashTraits<char
const*>, WTF::HashTraits<WTF::RefPtr<JSC::UString::Rep> > >, WTF::PtrHash<char
const*> >::translate (location=@0x83e7bc8, key=@0xbfd23f28, mapped=@0xbfd23efc)
    at ../../../JavaScriptCore/wtf/HashMap.h:106
#3  0xb68ad532 in WTF::HashTable<char const*, std::pair<char const*,
WTF::RefPtr<JSC::UString::Rep> >, WTF::PairFirstExtractor<std::pair<char
const*, WTF::RefPtr<JSC::UString::Rep> > >, WTF::PtrHash<char const*>,
WTF::PairHashTraits<WTF::HashTraits<char const*>,
WTF::HashTraits<WTF::RefPtr<JSC::UString::Rep> > >, WTF::HashTraits<char
const*> >::add<char const*, WTF::RefPtr<JSC::UString::Rep>,
WTF::HashMapTranslator<std::pair<char const*, WTF::RefPtr<JSC::UString::Rep> >,
WTF::PairHashTraits<WTF::HashTraits<char const*>,
WTF::HashTraits<WTF::RefPtr<JSC::UString::Rep> > >, WTF::PtrHash<char const*> >
> (this=0x83d1308,
    key=@0xbfd23f28, extra=@0xbfd23efc) at
../../../JavaScriptCore/wtf/HashTable.h:681
#4  0xb68ad7eb in WTF::HashMap<char const*, WTF::RefPtr<JSC::UString::Rep>,
WTF::PtrHash<char const*>, WTF::HashTraits<char const*>,
WTF::HashTraits<WTF::RefPtr<JSC::UString::Rep> > >::inlineAdd (this=0x83d1308,
    key=@0xbfd23f28, mapped=@0xbfd23efc) at
../../../JavaScriptCore/wtf/HashMap.h:181
#5  0xb68ad871 in WTF::HashMap<char const*, WTF::RefPtr<JSC::UString::Rep>,
WTF::PtrHash<char const*>, WTF::HashTraits<char const*>,
WTF::HashTraits<WTF::RefPtr<JSC::UString::Rep> > >::add (this=0x83d1308,
    key=@0xbfd23f28, mapped=@0xbfd23efc) at
../../../JavaScriptCore/wtf/HashMap.h:200
#6  0xb68ae293 in JSC::Identifier::add (globalData=0x83d0658, c=0xb793c897
"moveBy")
    at ../../../JavaScriptCore/runtime/Identifier.cpp:150
#7  0xb68c5281 in JSC::HashTable::createTable (this=0xb7eddb10,
globalData=0x83d0658)
    at ../../../JavaScriptCore/runtime/Lookup.cpp:36
#8  0xb67ff9e4 in JSC::HashTable::initializeIfNeeded (this=0xb7eddb10,
exec=0x83de6bc)
    at ../../../JavaScriptCore/runtime/Lookup.h:124
#9  0xb67ffa0e in JSC::HashTable::entry (this=0xb7eddb10, exec=0x83de6bc,
identifier=@0x83d2d80)
    at ../../../JavaScriptCore/runtime/Lookup.h:138
#10 0xb696b9fe in WebCore::JSDOMWindow::getOwnPropertySlot (this=0xb3200080,
exec=0x83de6bc,
    propertyName=@0x83d2d80, slot=@0xbfd240d8) at
../../../WebCore/bindings/js/JSDOMWindowCustom.cpp:184
#11 0xb67dabfd in JSC::JSCell::fastGetOwnPropertySlot (this=0xb3200080,
exec=0x83de6bc,
    propertyName=@0x83d2d80, slot=@0xbfd240d8) at
../../../JavaScriptCore/runtime/JSObject.h:363
#12 0xb67dac42 in JSC::JSObject::getPropertySlot (this=0xb3200080,
exec=0x83de6bc,
    propertyName=@0x83d2d80, slot=@0xbfd240d8) at
../../../JavaScriptCore/runtime/JSObject.h:372
#13 0xb68bce5d in JSC::JSObject::hasProperty (this=0xb3200080, exec=0x83de6bc,
propertyName=@0x83d2d80)
    at ../../../JavaScriptCore/runtime/JSObject.cpp:172
#14 0xb6838da0 in BytecodeGenerator (this=0x83ebad8, programNode=0x83eb638,
debugger=0x0,
    scopeChain=@0xbfd242c0, symbolTable=0x83de74c, codeBlock=0x83eb868)
    at ../../../JavaScriptCore/bytecompiler/BytecodeGenerator.cpp:266
(More stack frames follow...)

Old value = 3
New value = 2

#0  0xb67bedf3 in JSC::UString::Rep::deref (this=0x83edf80)
    at ../../../JavaScriptCore/runtime/UString.h:136
#1  0xb67bee3f in ~RefPtr (this=0xbfd23efc) at
../../../JavaScriptCore/wtf/RefPtr.h:51
#2  0xb68ae2b2 in JSC::Identifier::add (globalData=0x83d0658, c=0xb793c897
"moveBy")
    at ../../../JavaScriptCore/runtime/Identifier.cpp:150
#3  0xb68c5281 in JSC::HashTable::createTable (this=0xb7eddb10,
globalData=0x83d0658)
    at ../../../JavaScriptCore/runtime/Lookup.cpp:36
#4  0xb67ff9e4 in JSC::HashTable::initializeIfNeeded (this=0xb7eddb10,
exec=0x83de6bc)
    at ../../../JavaScriptCore/runtime/Lookup.h:124
#5  0xb67ffa0e in JSC::HashTable::entry (this=0xb7eddb10, exec=0x83de6bc,
identifier=@0x83d2d80)
    at ../../../JavaScriptCore/runtime/Lookup.h:138
#6  0xb696b9fe in WebCore::JSDOMWindow::getOwnPropertySlot (this=0xb3200080,
exec=0x83de6bc,
    propertyName=@0x83d2d80, slot=@0xbfd240d8) at
../../../WebCore/bindings/js/JSDOMWindowCustom.cpp:184
#7  0xb67dabfd in JSC::JSCell::fastGetOwnPropertySlot (this=0xb3200080,
exec=0x83de6bc,
    propertyName=@0x83d2d80, slot=@0xbfd240d8) at
../../../JavaScriptCore/runtime/JSObject.h:363
#8  0xb67dac42 in JSC::JSObject::getPropertySlot (this=0xb3200080,
exec=0x83de6bc,
    propertyName=@0x83d2d80, slot=@0xbfd240d8) at
../../../JavaScriptCore/runtime/JSObject.h:372
#9  0xb68bce5d in JSC::JSObject::hasProperty (this=0xb3200080, exec=0x83de6bc,
propertyName=@0x83d2d80)
    at ../../../JavaScriptCore/runtime/JSObject.cpp:172
#10 0xb6838da0 in BytecodeGenerator (this=0x83ebad8, programNode=0x83eb638,
debugger=0x0,
    scopeChain=@0xbfd242c0, symbolTable=0x83de74c, codeBlock=0x83eb868)
    at ../../../JavaScriptCore/bytecompiler/BytecodeGenerator.cpp:266
#11 0xb68a5e74 in JSC::ProgramExecutable::compile (this=0xbfd24328,
exec=0x83de6bc,
    scopeChainNode=0x83df248) at
../../../JavaScriptCore/runtime/Executable.cpp:107
#12 0xb68aee4e in JSC::evaluate (exec=0x83de6bc, scopeChain=@0x83de678,
source=@0xbfd24778, thisValue=
          {u = {asEncodedJSValue = -5584715776, asDouble =
-nan(0xffffeb3200000), asBits = {payload = -1289748480, tag = -2}}}) at
../../../JavaScriptCore/runtime/Completion.cpp:53
#13 0xb69b5c42 in WebCore::ScriptController::evaluate (this=0x813d410,
sourceCode=@0xbfd24774)
    at ../../../WebCore/bindings/js/ScriptController.cpp:115
#14 0xb6d83070 in WebCore::FrameLoader::executeScript (this=0x813d18c,
sourceCode=@0xbfd24774)
    at ../../../WebCore/loader/FrameLoader.cpp:776
(More stack frames follow...)

Old value = 2
New value = 1

#0  0xb67bedf3 in JSC::UString::Rep::deref (this=0x83edf80)
    at ../../../JavaScriptCore/runtime/UString.h:136
#1  0xb67bee3f in ~RefPtr (this=0x843100c) at
../../../JavaScriptCore/wtf/RefPtr.h:51
#2  0xb68ac950 in ~pair (this=0x8431008)
    at
/nfs_root_dir/usr/bin/../lib/gcc/../../include/c++/4.3/bits/stl_pair.h:73
#3  0xb68ad1de in WTF::HashTable<char const*, std::pair<char const*,
WTF::RefPtr<JSC::UString::Rep> >, WTF::PairFirstExtractor<std::pair<char
const*, WTF::RefPtr<JSC::UString::Rep> > >, WTF::PtrHash<char const*>,
WTF::PairHashTraits<WTF::HashTraits<char const*>,
WTF::HashTraits<WTF::RefPtr<JSC::UString::Rep> > >, WTF::HashTraits<char
const*> >::deallocateTable (table=0x842eb18, size=2048)
    at ../../../JavaScriptCore/wtf/HashTable.h:872
#4  0xb68ae454 in ~HashTable (this=0x83d1308) at
../../../JavaScriptCore/wtf/HashTable.h:296
#5  0xb68ae4c3 in ~HashMap (this=0x83d1308) at
../../../JavaScriptCore/wtf/HashMap.h:32
#6  0xb68ae624 in ~IdentifierTable (this=0x83d12e8) at
../../../JavaScriptCore/runtime/Identifier.cpp:42
#7  0xb68ae702 in JSC::deleteIdentifierTable (table=0x83d12e8)
    at ../../../JavaScriptCore/runtime/Identifier.cpp:75
#8  0xb67e3f3f in ~JSGlobalData (this=0x83d0658) at
../../../JavaScriptCore/runtime/JSGlobalData.cpp:193
#9  0xb6960bb2 in globalDataFree (ptr=0xb7edf854) at
../../../WebCore/bindings/js/JSDOMWindowBase.cpp:169
#10 0xb67bcfbc in WTF::StaticPtrBase::freeStaticPtrs ()
    at ../../../JavaScriptCore/wtf/StaticPtrBase.cpp:41
#11 0xb70923b1 in qt_drt_freeStaticPtrs () at
../../../WebKit/qt/Api/qwebframe.cpp:196
#12 0x080591e4 in launcherMain (app=@0xbfd254b8)
    at /home/hzoli/Webkit-ARM/WebKit-arm/WebKit/qt/QtLauncher/main.cpp:426
#13 0x08059ae1 in main (argc=Cannot access memory at address 0x39
) at /home/hzoli/Webkit-ARM/WebKit-arm/WebKit/qt/QtLauncher/main.cpp:478

The last deref is called by the static pointers patch (freeStaticPtrs).

The refcount transition 2->3->2 is caused by an access in Identifier.cpp:150.

Apart from the last deref, the object is only accessed inside:
JSC::HashTable::initializeIfNeeded (this=0xb7eddb10, ...)

Probably the second ref() keeps the object alive forever.

Any idea would be appreciated.
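Added example (C++, not WebKit's code and not the reporter's): a constructed stand-in for UString::Rep and RefPtr that replays the rc sequence in the watchpoint output above (1 at creation, 2 for the local RefPtr in Identifier::add, 3 when the table copies it, 2 when the local dies, 1 at table teardown) and shows that the object survives because the creation reference was never adopted; the `adoptCreationRef` switch and the `Replay` struct are assumptions of this example.

```cpp
#include <map>
#include <string>
#include <utility>
#include <vector>

// Constructed stand-in for JSC::UString::Rep (not WebKit's code): an intrusive
// ref count that starts at 1 on creation, plus a live-object counter for leak checks.
struct Rep {
    static int s_live;
    int rc = 1;
    std::string chars;
    explicit Rep(std::string s) : chars(std::move(s)) { ++s_live; }
    ~Rep() { --s_live; }
    void ref() { ++rc; }
    void deref() { if (--rc == 0) delete this; }
};
int Rep::s_live = 0;

// Minimal RefPtr: wrapping a raw pointer takes a reference unless the caller
// adopts the creation reference; every copy refs, every destruction derefs.
class RefPtr {
    Rep* m_ptr;
public:
    RefPtr(Rep* p, bool adopt) : m_ptr(p) { if (p && !adopt) p->ref(); }
    RefPtr(const RefPtr& o) : m_ptr(o.m_ptr) { if (m_ptr) m_ptr->ref(); }
    RefPtr& operator=(const RefPtr&) = delete;
    ~RefPtr() { if (m_ptr) m_ptr->deref(); }
};

struct Replay { std::vector<int> rcTrace; int leakedReps = 0; };

// Replays the "moveBy" lifecycle from the report: create the Rep, hold it in a
// local RefPtr (Identifier::add), copy it into the identifier table, drop the
// local, then tear the table down (~IdentifierTable). rcTrace records rc after
// each step while the object is known to be alive; leakedReps is what survives.
Replay replayIdentifierAdd(bool adoptCreationRef) {
    Rep::s_live = 0;
    Replay r;
    Rep* raw = new Rep("moveBy");                 // created: rc == 1
    r.rcTrace.push_back(raw->rc);
    std::map<std::string, RefPtr> table;          // stands in for IdentifierTable
    {
        RefPtr local(raw, adoptCreationRef);      // 1 -> 2, or stays 1 when adopted
        r.rcTrace.push_back(raw->rc);
        table.emplace("moveBy", local);           // copy into the table: +1
        r.rcTrace.push_back(raw->rc);
    }                                             // ~RefPtr(local): -1
    r.rcTrace.push_back(raw->rc);
    table.clear();                                // ~RefPtr(table entry): -1; may delete raw
    r.leakedReps = Rep::s_live;                   // 1 means the creation ref was never released
    if (Rep::s_live) delete raw;                  // free the survivor so the demo itself is clean
    return r;
}
```

With `adoptCreationRef == false` the trace is 1, 2, 3, 2 and one Rep outlives the table, matching the report; with the creation reference adopted the trace is 1, 1, 2, 1 and the table teardown frees the object.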
