My favorites | Sign in
Logo
Project hosting will be READ-ONLY Wednesday at 8am PST due to brief network maintenance.
Project Home
  
Downloads
  
Wiki
  
Issues
    
New issue | Search
for
| Advanced search | Search tips
Issue 21079: Occasional memory leak in WebCore::V8EventListenerList::findOrCreateWrapper<>()
1 person starred this issue and may be notified of changes. Back to list
 
Reported by dank@chromium.org, Sep 04, 2009 
cc'ing vitaly and feng because they were involved in fixing related? bug 17400.

http://build.chromium.org/buildbot/waterfall/builders/Webkit%20Linux%20(valgrind%20layout)/builds/1663/steps/valgrind%20test:%20layout/logs/stdio

contains two related warnings from LayoutTests/svg:

76 (12 direct, 64 indirect) bytes in 1 blocks are definitely lost in loss
record 8,286 of 9,124
  malloc (vg_replace_malloc.c:194)
  WTF::fastMalloc(unsigned int)
(third_party/WebKit/JavaScriptCore/wtf/FastMalloc.cpp:233)
  WebCore::V8EventListenerList::add(WebCore::V8EventListener*)
(third_party/WebKit/JavaScriptCore/wtf/FastAllocBase.h:96)
  WTF::PassRefPtr<WebCore::V8EventListener>
WebCore::V8EventListenerList::findOrCreateWrapper<WebCore::V8ObjectEventListener>(WebCore::Frame*,
v8::Local<v8::Value>, bool)
(third_party/WebKit/WebCore/bindings/v8/V8EventListenerList.h:117)
  WebCore::V8DOMWrapper::getEventListener(WebCore::Node*,
v8::Local<v8::Value>, bool, bool)
(third_party/WebKit/WebCore/bindings/v8/V8DOMWrapper.cpp:1351)
  WebCore::V8Custom::v8NodeAddEventListenerCallback(v8::Arguments const&)
(third_party/WebKit/WebCore/bindings/v8/custom/V8NodeCustom.cpp:61)
  v8::internal::Builtin_HandleApiCall(v8::internal::Arguments)
(v8/src/builtins.cc:379)

and

76 (12 direct, 64 indirect) bytes in 1 blocks are definitely lost in loss
record 8,242 of 9,059
  malloc (vg_replace_malloc.c:194)
  WTF::fastMalloc(unsigned int)
(third_party/WebKit/JavaScriptCore/wtf/FastMalloc.cpp:233)
  WebCore::V8EventListenerList::add(WebCore::V8EventListener*)
(third_party/WebKit/JavaScriptCore/wtf/FastAllocBase.h:96)
  WTF::PassRefPtr<WebCore::V8EventListener>
WebCore::V8EventListenerList::findOrCreateWrapper<WebCore::V8EventListener>(WebCore::Frame*,
v8::Local<v8::Value>, bool)
(third_party/WebKit/WebCore/bindings/v8/V8EventListenerList.h:117)
 
WebCore::V8Custom::v8SVGElementInstanceAddEventListenerCallback(v8::Arguments
const&)
(third_party/WebKit/WebCore/bindings/v8/custom/V8SVGElementInstanceCustom.cpp:56)
  v8::internal::Builtin_HandleApiCall(v8::internal::Arguments)
(v8/src/builtins.cc:379)
Comment 1 by vitalyr@chromium.org, Sep 07, 2009 
Valgrind failed to catch this in my tests. Yet I think there is a leak indeed. What 
happens is this:
1. When creating a new EventListener instance V8DOMWrapper::getEventListener calls V8EventListenerList::findOrCreateWrapper on proxy->objectListeners().
2. objectListeners adds the newly created instance to its HashMap<int/*v8 JS function 
hash code*/, Vector<V8EventListener*>*>, growing existing or creating a new Vector. 
(Vector is required here because v8 hash codes are not unique.)
3. When proxy is disconnected from the frame, it clears proxy->objectListeners() that 
in turn clears the map, but the map does not delete the Vector objects. There is 
needsDestruction = true specified in its traits but it has no effect on pointers to 
Vector.

We have two options here:
1. Fix this by cleaning up the maps properly.
2. Rework this part by storing listeners in hidden properties on JS functions. This 
should make the code considerably simpler and less fragile.

Dimitri, what do you think?
Owner: vita...@chromium.org
Cc: dglaz...@chromium.org
Labels: -Area-Misc Area-WebKit
Comment 2 by dglazkov@chromium.org, Sep 07, 2009 
I really like #2.
Comment 3 by vitalyr@chromium.org, Oct 02, 2009 
Fixed in https://bugs.webkit.org/show_bug.cgi?id=29825.
Status: Fixed
Sign in to add a comment