[webkit-dev] JavaScript memory management question
Matt Fischer
mattfischer84 at gmail.com
Thu Dec 4 12:55:13 PST 2008
I'm working on an embedded product which uses a WebKit-based browser, and
I've been tracking down some memory leaks we're seeing. After a long while
of digging through the codebase, I've been able to determine that we're
occasionally leaking the WebCore::Document object when leaving certain
websites. A bit more tracing reveals that the Document object is being
retained because an HTMLImageElement holds a DocPtr reference on it, and the
element isn't going away when the normal refcount on the Document drops to
0. This pins the Document object in memory.
The specific site I've been testing with is www.yahoo.com. Examining the
source code to that page reveals the following in the page's beforeUnload
event:
window.onbeforeunload=function(){
var img=new Image;
now=new Date;
t6=now.getTime();
img.src='
http://www.yahoo.com/'+(ylp?ylp:'p.gif?t=0')+cc+'&tid='+ver+'&ni='+document.images.length+'&sss='+sss+'&t1='+t1+'&d1='+(t2-t1)+'&d2='+(t3-t1)+'&d3='+(t4-t1)+'&d4='+(t5-t1)+'&d5='+(t6-t1)+'&d6='+(t7-t1)+'&d7='+(t8-t1)+'&d8='+(t9-t1)+'&d9='+(t10-t1)+'&d10='+(t11-t1)+'&d11='+(t12-t1);
}
It appears that this Image object is never being removed--I can repeatedly
navigate to and from this site and watch HTMLImageElements (and their
associated Document objects) pile up.
I'm still not convinced this is a WebKit problem specifically (there's a
fair amount of code surrounding it in our product that could potentially
have bugs in it), but to continue tracing the problem, I need to know what
the mechanism is that *ought* to be freeing this object. I presume this is
something that should be taken care of by the JavaScript garbage collector,
however I can see JavaScriptCore::Collector::collect() calls running
occasionally after this object is created, and it never goes away. Is there
some immediately apparent reason why this wouldn't be happening? I.e., is
there something else that would be holding a reference to an object created
by this type of script code, or is something other than the GC responsible
for freeing it, etc?
My apologies if this turns out to be a stupid question--I'm just trying to
get some context for where I ought to focus next.
Thanks,
Matt
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.webkit.org/pipermail/webkit-dev/attachments/20081204/d1d6b9c6/attachment.html>
More information about the webkit-dev
mailing list