
digitalmars.D.bugs - [Issue 23611] New: Zombie heap leak proof of concept: linked list in dead resized array

https://issues.dlang.org/show_bug.cgi?id=23611

          Issue ID: 23611
           Summary: Zombie heap leak proof of concept: linked list in dead
                    resized array
           Product: D
           Version: D2
          Hardware: x86_64
                OS: Linux
            Status: NEW
          Severity: minor
          Priority: P1
         Component: dmd
         Assignee: nobody@puremagic.com
         Reporter: default_357-line@yahoo.de

In my post "A GC Memory Usage Experiment"
https://forum.dlang.org/post/befrzndhowlwnvlqcoxx@forum.dlang.org, I suggested
the existence of a GC leak caused by downsizing data structures. This bug
report poses a proof-of-concept for such a leak:

struct S {
    S[] parent;   // slice into the array built by the previous loop pass
}

void main() {
    S parent;
    while (true) {
        // Two-element array on the GC heap; element 1 holds the old parent.
        S[] link = [S(null), parent];
        // Shrinking the slice does not clear element 1: the stale pointer to
        // the previous block stays inside the allocation the GC scans.
        link.length = 1;
        // The new parent references this block, which still references the old one.
        parent = S(link);
    }
}

As can be seen, at any given point almost no memory in this program is actually
live: `parent` can only point at an array of the value `[S(null)]`, and all
other variables get overwritten on every loop pass.

And yet, this program leaks an unbounded amount of memory. (I recommend running
with -m32 to test.)

What's happening is that the program forms a linked list in memory that is
dead, but that the GC cannot determine is dead. Because the GC has no
type-level understanding of allocated memory, it sees `parent` as a pointer to
a linked list of allocations; that the linking element lives in an unreferenced
part of the array is outside of its purview.

In theory this could be fixed by being smarter about arrays marking memory
regions as alive: a slice need only mark as alive the part of the array it
actually points at, which would allow the recursive mark to skip the dead
parent reference.

--
Jan 09 2023
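Added example, not part of the bug report above: the same loop, with an optional
variant that overwrites the element about to fall outside the slice before the
slice is shrunk, and a readout of core.memory.GC.stats().usedSize after a forced
collection so the two variants can be compared. The names step and run and the
"clear" command-line switch are choices made for this example; the struct and
the loop body are those of the proof of concept. Clearing the dead element is a
user-level workaround, not the GC-side fix the report proposes.

```d
import core.memory : GC;
import std.stdio : writefln;

struct S {
    S[] parent;
}

// One loop pass of the proof of concept. With clearTail == true the element
// that is about to be dropped is overwritten while it is still inside the
// slice, so the GC block no longer contains a pointer to the previous block.
void step(ref S parent, bool clearTail)
{
    S[] link = [S(null), parent];   // GC-allocated two-element block
    if (clearTail)
        link[1] = S.init;           // sever the back-reference to the old parent
    link.length = 1;                // shrink the slice; the block is not reallocated
    parent = S(link);
}

// Runs `iterations` passes, forces a collection and returns the number of
// bytes druntime still reports as in use (GC.stats() is core.memory's API).
size_t run(bool clearTail, size_t iterations)
{
    S parent;
    foreach (i; 0 .. iterations)
        step(parent, clearTail);
    GC.collect();
    const used = GC.stats().usedSize;
    writefln("clearTail=%s after %s passes: usedSize = %s bytes",
             clearTail, iterations, used);
    return used;
}

void main(string[] args)
{
    // Pass "clear" as the first argument to run the variant that overwrites
    // the dropped element; without it the program behaves like the report's loop.
    immutable clearTail = args.length > 1 && args[1] == "clear";
    run(clearTail, 200_000);
}
```

Build with dmd (the report suggests -m32, but 64-bit shows the same effect) and
run the binary twice, once with no argument and once with "clear", so the two
measurements come from separate processes and stale stack contents of one run
cannot keep the other's chain alive. Without "clear", every pass leaves a block
whose dropped element still points at the previous block, so usedSize grows
roughly linearly with the pass count even though only the head block is live.
With "clear", each pass's block references nothing older, the previous block is
garbage on the next pass, and usedSize after the collection stays small
regardless of the pass count. The workaround generalises: before shrinking a
slice whose tail elements contain pointers, overwrite those elements (or take a
.dup of the part you keep) so the conservatively scanned block holds no
references that are only reachable through the dead tail.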