New issue
Advanced search Search tips
Note: Color blocks (like or ) mean that a user may not be available. Tooltip shows the reason.

Issue 600484 link

Starred by 1 user
Status: Fixed
Owner:
roc...@chromium.org
please use my google.com address
Closed: May 2016
Cc:
jam@chromium.org
isheriff@chromium.org
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux
Pri: 2
Type: Bug



Sign in to add a comment

Leak in mojo::edk::js::HandleWrapper::Create()

Project Member Reported by jyasskin@chromium.org, Apr 4 2016 
https://build.chromium.org/p/chromium.memory.fyi/builders/Linux%20Tests%20%28valgrind%29%282%29/builds/54616/steps/memory_test%3A%20extensions_unittests/logs/stdio reports:

Leak_DefinitelyLost
64 bytes in 1 blocks are definitely lost in loss record 1,567 of 2,723
  operator new(unsigned long) (m_replacemalloc/vg_replace_malloc.c:1140)
7 new files were left in /tmp: Fix the tests to clean up themselves.
  mojo::edk::js::HandleWrapper::Create(v8::Isolate*, unsigned int) (/mnt/data/b/build/slave/chromium-rel-linux-valgrind-tests-2/build/src/out/Release/extensions_unittests)
  gin::Converter<mojo::Handle, void>::ToV8(v8::Isolate*, mojo::Handle const&) (mojo/edk/js/handle.cc:53)
  v8::Local<v8::Value> gin::ConvertToV8<mojo::Handle>(v8::Isolate*, mojo::Handle) (/mnt/data/b/build/slave/chromium-rel-linux-valgrind-tests-2/build/src/out/Release/extensions_unittests)
  gin::ToV8Traits<mojo::Handle, false>::TryConvertToV8(v8::Isolate*, mojo::Handle, v8::Local<v8::Value>*) (gin/converter.h:239)
  bool gin::TryConvertToV8<mojo::Handle>(v8::Isolate*, mojo::Handle, v8::Local<v8::Value>*) (/mnt/data/b/build/slave/chromium-rel-linux-valgrind-tests-2/build/src/out/Release/extensions_unittests)
  bool gin::Dictionary::Set<mojo::Handle>(std::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, mojo::Handle) (gin/dictionary.h:47)
  mojo::edk::js::(anonymous namespace)::CreateDataPipe(gin::Arguments const&) (mojo/edk/js/core.cc:230)


HandleWrapper::Create is:

  static gin::Handle<HandleWrapper> Create(v8::Isolate* isolate,
                                           MojoHandle handle) {
    return gin::CreateHandle(isolate, new HandleWrapper(handle));
  }


gin::CreateHandle is:

template<typename T>
gin::Handle<T> CreateHandle(v8::Isolate* isolate, T* object) {
  v8::Local<v8::Object> wrapper = object->GetWrapper(isolate);
  if (wrapper.IsEmpty())
    return gin::Handle<T>();
  return gin::Handle<T>(wrapper, object);
}

I see a path in CreateHandle that returns without freeing |object|. I think object->GetWrapper() intends to 'delete this' when it returns an empty object, but the logic to do that is complex and hard to follow, and I'm not sure it's working.

It's not obvious which change in https://build.chromium.org/p/chromium.memory.fyi/builders/Linux%20Tests%20%28valgrind%29%282%29/builds/54616extensions_unittests made this start happening, but it isn't flaky.
Project Member

Comment 1 by bugdroid1@chromium.org, Apr 4 2016 

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/1b0431b9210795cc8518177aca22776740435382

commit 1b0431b9210795cc8518177aca22776740435382
Author: jyasskin <jyasskin@chromium.org>
Date: Mon Apr 04 20:57:39 2016

Suppress a leak report in mojo's HandleWrapper::Create.

BUG= 600484 
TBR=rockot@chromium.org,isheriff@chromium.org,jam@chromium.org

Review URL: https://codereview.chromium.org/1853303002

Cr-Commit-Position: refs/heads/master@{#385001}

[modify] https://crrev.com/1b0431b9210795cc8518177aca22776740435382/tools/valgrind/memcheck/suppressions.txt
Project Member

Comment 2 by bugdroid1@chromium.org, May 15 2016 

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/a509a1e6dee3c9b9572e5662a0dceb08c8502c25

commit a509a1e6dee3c9b9572e5662a0dceb08c8502c25
Author: rockot <rockot@chromium.org>
Date: Sun May 15 05:54:36 2016

Remove Mojo JS leak suppression

Can't repro this locally so maybe it's fixed. If not,
at least we can gather some new logs, as the ones in
the bug are no longer available.

BUG= 600484 
TBR=jyasskin@chromium.org

Review-Url: https://codereview.chromium.org/1977253002
Cr-Commit-Position: refs/heads/master@{#393766}

[modify] https://crrev.com/a509a1e6dee3c9b9572e5662a0dceb08c8502c25/tools/valgrind/memcheck/suppressions.txt

Comment 3 by roc...@chromium.org, May 16 2016

Status: Fixed (was: Assigned)
As best as I can tell, gin::CreateHandle and GetWrapper both have correct logic, so if a HandleWrapper ever leaks, it's because a v8 handle wrapping it has leaked.

This may have been a result of some JS object leaks in extensions unittests due to circular references which were fixed a little while ago.

Tentatively closing this as Fixed since the leaks haven't reappeared on bots since removing the suppression.

Sign in to add a comment