Hi Werner,
I got some clue. The leak is caused by this piece of code in ttinterp.c:
================================================
/* If any errors have occurred, function tables may be broken. */
/* Force a re-execution of `prep' and `fpgm' tables if no */
/* bytecode debugger is run. */
if ( CUR.error
&& !CUR.instruction_trap
&& CUR.curRange == tt_coderange_glyph )
{
FT_TRACE1(( " The interpreter returned error 0x%x\n", CUR.error ));
exc->size->bytecode_ready = -1;
exc->size->cvt_ready = -1;
}