New issue
Advanced search Search tips

Issue 757962 link

Starred by 2 users

Issue metadata

Status: Fixed
Owner:
Closed: Aug 2017
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: All
Pri: 1
Type: Bug



Sign in to add a comment

v8_context_snapshot_generator leaks memory if is_asan=true (and is_lsan=false)

Project Member Reported by lukasza@chromium.org, Aug 22 2017

Issue description

Repro steps:
$ cat out/gn/args.gn 
dcheck_always_on = true
is_asan = true
is_component_build = true
is_debug = false
use_goma = true
enable_nacl = false

$ git log --oneline | head -1
4ab93d541b2b ...

$ ninja -C out/gn -j 1500 -l 25 blink_tests
...
Indirect leak of 16 byte(s) in 2 object(s) allocated from:
    #0 0x4e6e22  (/usr/local/google/home/lukasza/src/chromium3/src/out/gn/v8_context_snapshot_generator+0x4e6e22)
    #1 0x7f6507f9c35b  (/usr/local/google/home/lukasza/src/chromium3/src/out/gn/./libv8.so+0x13d235b)
    #2 0x7f650804dbf7  (/usr/local/google/home/lukasza/src/chromium3/src/out/gn/./libv8.so+0x1483bf7)
    #3 0x7f650804ca5f  (/usr/local/google/home/lukasza/src/chromium3/src/out/gn/./libv8.so+0x1482a5f)
    #4 0x7f650804c8e8  (/usr/local/google/home/lukasza/src/chromium3/src/out/gn/./libv8.so+0x14828e8)
    #5 0x7f65080236e3  (/usr/local/google/home/lukasza/src/chromium3/src/out/gn/./libv8.so+0x14596e3)
    #6 0x7f6507f9ed64  (/usr/local/google/home/lukasza/src/chromium3/src/out/gn/./libv8.so+0x13d4d64)
    #7 0x7f6507f6521d  (/usr/local/google/home/lukasza/src/chromium3/src/out/gn/./libv8.so+0x139b21d)
    #8 0x7f6508014521  (/usr/local/google/home/lukasza/src/chromium3/src/out/gn/./libv8.so+0x144a521)
    #9 0x7f6507fea51e  (/usr/local/google/home/lukasza/src/chromium3/src/out/gn/./libv8.so+0x142051e)
    #10 0x7f6507fe2630  (/usr/local/google/home/lukasza/src/chromium3/src/out/gn/./libv8.so+0x1418630)
    #11 0x7f6507f5bcd6  (/usr/local/google/home/lukasza/src/chromium3/src/out/gn/./libv8.so+0x1391cd6)
    #12 0x7f6507f56161  (/usr/local/google/home/lukasza/src/chromium3/src/out/gn/./libv8.so+0x138c161)
    #13 0x7f6507f53747  (/usr/local/google/home/lukasza/src/chromium3/src/out/gn/./libv8.so+0x1389747)
    #14 0x7f6507f546d4  (/usr/local/google/home/lukasza/src/chromium3/src/out/gn/./libv8.so+0x138a6d4)
    #15 0x7f650726f9f9  (/usr/local/google/home/lukasza/src/chromium3/src/out/gn/./libv8.so+0x6a59f9)
    #16 0x7f64f95b1838  (/usr/local/google/home/lukasza/src/chromium3/src/out/gn/./libblink_core.so+0x1da5838)
    #17 0x4e9f01  (/usr/local/google/home/lukasza/src/chromium3/src/out/gn/v8_context_snapshot_generator+0x4e9f01)
    #18 0x7f64edf28f44  (/lib/x86_64-linux-gnu/libc.so.6+0x21f44)

SUMMARY: AddressSanitizer: 43024 byte(s) leaked in 144 allocation(s).
ninja: build stopped: subcommand failed.



 
Owner: peria@chromium.org
Status: Assigned (was: Untriaged)
peria@, can you PTAL?  I've bisected the build error down to your r496290
Components: Infra>Client>V8 Blink>Bindings
Interestingly, the build error doesn't repro in the gn configuration copied from the linux_chromium_asan_rel_ng bot:

$ cat out/bot/args.gn 
dcheck_always_on = true
is_asan = true
is_component_build = false
is_debug = false
is_lsan = true
strip_absolute_paths_from_debug_symbols = true
symbol_level = 1
use_goma = true

But it *does* repro after removing "is_lsan = true":

$ cat out/bot/args.gn 
dcheck_always_on = true
is_asan = true
is_component_build = false
is_debug = false
strip_absolute_paths_from_debug_symbols = true
symbol_level = 1
use_goma = true

Comment 4 by peria@chromium.org, Aug 22 2017

Status: Started (was: Assigned)
Thank you for confirmation.
I'll investigate and fix it asap.

Could you put a link of the build, if you find this issue with bot errors?


Thank you in advance
So far I have only encountered this error locally, with the GN config shown in #c3 and in the original repro steps.  AFAICT the bots do not test this particular configuration.

Comment 6 by peria@chromium.org, Aug 23 2017

Cc: yukishiino@chromium.org peria@chromium.org
 Issue 758079  has been merged into this issue.

Comment 7 by mmoroz@chromium.org, Aug 25 2017

Cc: mmoroz@chromium.org infe...@chromium.org och...@chromium.org

Comment 9 by peria@chromium.org, Aug 25 2017

Cc: yangguo@chromium.org
Labels: OS-All
Summary: v8_context_snapshot_generator leaks memory if is_asan=true (and is_lsan=false) (was: v8_context_snapshot_generator leaks memory (making asan build impossible?))
Yang, could you help me for this issue?
SnapshotCreator::CreateBlob seems to leak memory. Or is there anything we have to call to release memory in V8?
Interesting. It rather looks like V8 is not being shut down properly. I'll try to reproduce.
I can reproduce. It looks like the destructor for SnapshotCreator is not called. That causes the isolate it creates to be not disposed.
Issue 759150 has been merged into this issue.
Labels: -Pri-2 Pri-0
Raising the priority as per AFL builder breakage (see c#8 and issue 759150).
I'd argue it's not a P0 since this leak occurs during build, but not a run time for users.
Labels: -Pri-0 Pri-1
Fair point, setting priority to P1, but please note that we don't have fresh fuzzer builds for almost 3 days. Due to that, we cannot verify bug fixes and cannot find new bugs. It would be great if we could at least revert the CL which introduced the regression.
I think peria@ is already working in this.

Comment 19 by peria@chromium.org, Aug 28 2017

Thank you for your updates. I detected the root cause and creating a CL to fix it.
Project Member

Comment 20 by bugdroid1@chromium.org, Aug 28 2017

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/a304f7f0d92ca52824a35eb7ea5357edca82fac8

commit a304f7f0d92ca52824a35eb7ea5357edca82fac8
Author: Hitoshi Yoshida <peria@chromium.org>
Date: Mon Aug 28 14:25:36 2017

bindings: Exit v8_context_snapshot_creator without running sanitizers

v8::SnapshotCreator used in WebV8ContextSnapshot makes it complex how to
manage lifetime of v8::Isolate, gin::IsolateHolder, and
blink::V8PerIsolateData.
This CL make the process of v8_context_snapshot_generator exit just after
its task is done, and skip running sanitizers.


Bug:  757962 
Change-Id: I3fd49b135f0bb786603fa9b6ab3a56bba4460886
Reviewed-on: https://chromium-review.googlesource.com/637513
Reviewed-by: Kentaro Hara <haraken@chromium.org>
Reviewed-by: Yuki Shiino <yukishiino@chromium.org>
Commit-Queue: Hitoshi Yoshida <peria@chromium.org>
Cr-Commit-Position: refs/heads/master@{#497753}
[modify] https://crrev.com/a304f7f0d92ca52824a35eb7ea5357edca82fac8/tools/v8_context_snapshot/v8_context_snapshot_generator.cc

Comment 22 by peria@chromium.org, Aug 29 2017

Status: Fixed (was: Started)
Thank you for confirmation! :)

Sign in to add a comment