[Webkit-unassigned] [Bug 201015] New: JSC Memory LEAK
bugzilla-daemon at webkit.org
bugzilla-daemon at webkit.org
Wed Aug 21 18:17:21 PDT 2019
https://bugs.webkit.org/show_bug.cgi?id=201015
Bug ID: 201015
Summary: JSC Memory LEAK
Product: WebKit
Version: WebKit Local Build
Hardware: PC
OS: Linux
Status: NEW
Severity: Normal
Priority: P2
Component: JavaScriptCore
Assignee: webkit-unassigned at lists.webkit.org
Reporter: secpanic at gmail.com
When the JS file below is executed, jsc reports a memory leak:
```
// Fuzzer-generated jsc reproducer. The ticket reports a LeakSanitizer hit when
// this file is run under the JIT-threshold flags listed below the trace; the
// statement order and value shapes are what drive the JIT tiers, so the body
// is kept verbatim and only annotated.
//
// NOTE(review): both LeakSanitizer stacks attached to the ticket run through
// JSC::Options::initialize -> WTF::LockedPrintStream::begin ->
// WTF::Thread::initializeCurrentTLS -> bmalloc::Heap::Heap, i.e. per-thread
// allocator state created while options are initialised, not an allocation
// made by this function. Worth confirming whether an empty script under the
// same flags reports the same 216 bytes before treating this as a
// script-triggered leak.
//
// Names used but not defined in this file (jsc shell intrinsics): gc,
// noInline, noDFG, noFTL.
function main() {
const v4 = [13.37];
const v6 = [1337,1337];
const v7 = [v4,"constructor",-3004925011];
// Objects whose toString is an array/object rather than a function; only
// relevant if something coerces them to a string (nothing below does).
const v8 = {b:13.37,toString:v6,d:v7,c:-3004925011};
const v9 = {d:v7,toString:v8};
let v10 = -3004925011;
const v15 = [13.37,13.37];
const v17 = [1337,1337,1337,1337,1337];
const v18 = [1457955308,"FvJ1dPW7NF",13.37];
let v20 = NaN;
const v22 = [13.37,13.37];
const v24 = [1337,1337,1337,v22];
const v25 = [1337,v24];
const v27 = (13.37).toLocaleString();
// v25 contains nested arrays, so join() flattens them via their own toString.
const v28 = v25.join();
function v29(v30,v31,v32,v33,...v34) {
function v35(v36,v37,v38,v39,...v40) {
const v45 = [13.37,13.37,13.37];
// v46 is the prototype of an array literal, presumably Array.prototype.
const v46 = v45.__proto__;
// Installs the shell's gc as both accessor halves of index 128 on that
// prototype: any later read or write of index 128 on an array that reaches
// the prototype chain triggers a collection.
const v48 = {set:gc,get:gc};
const v50 = Object.defineProperty(v46,128,v48);
// 1000 calls of a fresh closure: enough to cross the warm-up thresholds
// passed on the command line (10 / 100 / 1000).
for (let v52 = 0; v52 < 1000; v52++) {
function v54(v55,v56,v57,v58,...v59) {
// isFinite with Object as `this` and no argument -> isFinite(undefined).
const v63 = isFinite.apply(Object);
return v63;
}
const v64 = v54();
}
// Returns the intrinsic itself (not called); the value is discarded by v29.
return noInline;
}
const v65 = v35();
return v27;
}
const v66 = v29(v28,v29);
const v67 = {valueOf:"FvJ1dPW7NF",a:v18};
const v69 = [13.37];
const v71 = [1337,1337,1337];
function v72(v73,v74,v75) {
const v79 = [13.37,13.37,13.37,13.37,13.37];
const v80 = [v79,v79,-973213979,13.37];
// Contains the Symbol constructor itself as an element.
const v82 = [13.37,Symbol,13.37];
// Never called.
function v83(v84,v85,v86) {
}
const v88 = [v80,13.37];
const v90 = [1337,1337,1337,v88];
const v91 = [1337,v90];
// Stringifies v82, which invokes Symbol's (Function.prototype) toLocaleString.
const v92 = v82.toLocaleString();
let v95 = 0;
// Eight iterations; the nested function declarations inside are never
// invoked, so the loop only counts v95 up.
do {
function v96(v97,v98,v99,v100,...v101) {
function v102(v103,v104,v105,v106,...v107) {
for (let v111 = 0; v111 < 1000; v111++) {
function v112(v113,v114,v115,v116,...v117) {
}
}
}
}
const v118 = v95 + 1;
v95 = v118;
} while (v95 < 8);
const v123 = [13.37,13.37,13.37,13.37,13.37];
const v125 = [1337,1337];
const v126 = ["Z2EBZHeeZW","Z2EBZHeeZW"];
const v127 = {length:v123};
const v128 = {c:v125,a:v125,length:Function,b:Function,e:13.37};
let v129 = 1337;
const v131 = [1337,1337,1337,1337];
const v133 = [1337,1337,1337,1337];
const v136 = [1337,1337,1337,1337];
const v137 = {};
let v138 = 3;
// Called twice below (L113-equivalent with 3 args, later with 2). Iterates
// its own arguments object 1000 times and seals it each iteration.
function v139(v140,v141,v142) {
for (let v147 = 0; v147 < 1000; v147++) {
function v149(v150,v151,v152) {
}
let v154 = 0;
for (const v155 of arguments) {
const v157 = [1337];
// Would replace the arguments prototype, but v159 is only referenced from
// v163, which is itself never called, so this never runs.
function v159(v160,v161,v162) {
arguments.__proto__ = v157;
}
function v163(v164,v165,v166,v167,...v168) {
const v174 = v159();
}
function v178(v179,v180,v181,v182,...v183) {
}
}
// Object with a function (v149) as its prototype.
const v191 = {__proto__:v149};
// Object.seal takes one argument; the extra two are ignored. Sealing the
// arguments object on every iteration is likely the interesting part here.
const v193 = Object.seal(arguments,9007199254740991,v191);
}
return v136;
}
const v195 = v139(v138,v137,v136);
// Never called.
function v196(v197,v198,v199) {
function v200(v201,v202,v203,v204,...v205) {
}
}
let v210 = 0;
do {
const v211 = v210 + 1;
v210 = v211;
} while (v210 < 7);
for (let v215 = 0; v215 < 3; v215++) {
}
const v217 = v139(8,1);
// Never called.
function v218(v219,v220,v221,v222) {
return 13.37;
}
// Nested declarations only; v223 is never called.
function v223(v224,v225,v226,v227,...v228) {
function v229(v230,v231,v232,v233,...v234) {
function v235(v236,v237,v238,v239,...v240) {
function v241(v242,v243,v244,v245,...v246) {
return v237;
}
return v28;
}
return v82;
}
return v67;
}
// Appends the string from v92 to a nested array; push returns the new length.
const v247 = v91.push(v92);
return v9;
}
// Array minus array: both sides are stringified, and "1337,1337,1337" is not
// numeric, so v248 is NaN.
const v248 = v69 - v71;
const v249 = v72(13.37,1337,v248);
}
// Pin main to the lower JIT tiers via the jsc shell intrinsics (noDFG, noFTL
// are not defined in this file), then execute it once.
for (const pinTier of [noDFG, noFTL]) {
  pinTier(main);
}
main();
```
ASAN shows the details:
```
=================================================================
==5624==ERROR: LeakSanitizer: detected memory leaks
Direct leak of 96 byte(s) in 3 object(s) allocated from:
#0 0x7f85dc6a4f00 in operator new(unsigned long) (/usr/lib/x86_64-linux-gnu/libasan.so.3+0xc7f00)
#1 0x240ecc9 in bmalloc::Heap::Heap(bmalloc::HeapKind, std::lock_guard<bmalloc::Mutex>&) (/home/android/Desktop/Fuzzer/BrowserCore/webkit/WebKitBuild/Release/bin/jsc+0x240ecc9)
#2 0x2407a25 in bmalloc::PerProcess<bmalloc::PerHeapKind<bmalloc::Heap> >::getSlowCase() (/home/android/Desktop/Fuzzer/BrowserCore/webkit/WebKitBuild/Release/bin/jsc+0x2407a25)
#3 0x2407367 in bmalloc::Cache::Cache(bmalloc::HeapKind) (/home/android/Desktop/Fuzzer/BrowserCore/webkit/WebKitBuild/Release/bin/jsc+0x2407367)
#4 0x2407cab in bmalloc::PerThread<bmalloc::PerHeapKind<bmalloc::Cache> >::getSlowCase() (/home/android/Desktop/Fuzzer/BrowserCore/webkit/WebKitBuild/Release/bin/jsc+0x2407cab)
#5 0x24073fd in bmalloc::Cache::allocateSlowCaseNullCache(bmalloc::HeapKind, unsigned long) (/home/android/Desktop/Fuzzer/BrowserCore/webkit/WebKitBuild/Release/bin/jsc+0x24073fd)
#6 0x233e24d in WTF::fastMalloc(unsigned long) (/home/android/Desktop/Fuzzer/BrowserCore/webkit/WebKitBuild/Release/bin/jsc+0x233e24d)
#7 0x23f51d6 in WTF::Thread::initializeCurrentTLS() (/home/android/Desktop/Fuzzer/BrowserCore/webkit/WebKitBuild/Release/bin/jsc+0x23f51d6)
#8 0x234f56c in WTF::LockedPrintStream::begin() (/home/android/Desktop/Fuzzer/BrowserCore/webkit/WebKitBuild/Release/bin/jsc+0x234f56c)
#9 0x199ecdd in void std::call_once<JSC::Options::initialize()::{lambda()#1}>(std::once_flag&, JSC::Options::initialize()::{lambda()#1}&&)::{lambda()#2}::_FUN() (/home/android/Desktop/Fuzzer/BrowserCore/webkit/WebKitBuild/Release/bin/jsc+0x199ecdd)
#10 0x7f85dc3cea98 in __pthread_once_slow (/lib/x86_64-linux-gnu/libpthread.so.0+0xea98)
Indirect leak of 120 byte(s) in 3 object(s) allocated from:
#0 0x7f85dc6a4f00 in operator new(unsigned long) (/usr/lib/x86_64-linux-gnu/libasan.so.3+0xc7f00)
#1 0x240ec45 in bmalloc::Heap::Heap(bmalloc::HeapKind, std::lock_guard<bmalloc::Mutex>&) (/home/android/Desktop/Fuzzer/BrowserCore/webkit/WebKitBuild/Release/bin/jsc+0x240ec45)
#2 0x2407a25 in bmalloc::PerProcess<bmalloc::PerHeapKind<bmalloc::Heap> >::getSlowCase() (/home/android/Desktop/Fuzzer/BrowserCore/webkit/WebKitBuild/Release/bin/jsc+0x2407a25)
#3 0x2407367 in bmalloc::Cache::Cache(bmalloc::HeapKind) (/home/android/Desktop/Fuzzer/BrowserCore/webkit/WebKitBuild/Release/bin/jsc+0x2407367)
#4 0x2407cab in bmalloc::PerThread<bmalloc::PerHeapKind<bmalloc::Cache> >::getSlowCase() (/home/android/Desktop/Fuzzer/BrowserCore/webkit/WebKitBuild/Release/bin/jsc+0x2407cab)
#5 0x24073fd in bmalloc::Cache::allocateSlowCaseNullCache(bmalloc::HeapKind, unsigned long) (/home/android/Desktop/Fuzzer/BrowserCore/webkit/WebKitBuild/Release/bin/jsc+0x24073fd)
#6 0x233e24d in WTF::fastMalloc(unsigned long) (/home/android/Desktop/Fuzzer/BrowserCore/webkit/WebKitBuild/Release/bin/jsc+0x233e24d)
#7 0x23f51d6 in WTF::Thread::initializeCurrentTLS() (/home/android/Desktop/Fuzzer/BrowserCore/webkit/WebKitBuild/Release/bin/jsc+0x23f51d6)
#8 0x234f56c in WTF::LockedPrintStream::begin() (/home/android/Desktop/Fuzzer/BrowserCore/webkit/WebKitBuild/Release/bin/jsc+0x234f56c)
#9 0x199ecdd in void std::call_once<JSC::Options::initialize()::{lambda()#1}>(std::once_flag&, JSC::Options::initialize()::{lambda()#1}&&)::{lambda()#2}::_FUN() (/home/android/Desktop/Fuzzer/BrowserCore/webkit/WebKitBuild/Release/bin/jsc+0x199ecdd)
#10 0x7f85dc3cea98 in __pthread_once_slow (/lib/x86_64-linux-gnu/libpthread.so.0+0xea98)
SUMMARY: AddressSanitizer: 216 byte(s) leaked in 6 allocation(s).
```
To reproduce this issue, run jsc with this command:
`jsc --validateOptions=true --useConcurrentJIT=false --thresholdForJITSoon=10 --thresholdForJITAfterWarmUp=10 --thresholdForOptimizeAfterWarmUp=100 --thresholdForOptimizeAfterLongWarmUp=100 --thresholdForOptimizeAfterLongWarmUp=100 --thresholdForFTLOptimizeAfterWarmUp=1000 --thresholdForFTLOptimizeSoon=1000 --gcAtEnd=true crash_1565006120806_26271_flaky_6.js`