[webkit-dev] Memory leak tracking in WebKit
Said Abou-Hallawa
sabouhallawa at apple.com
Tue Jan 5 14:26:28 PST 2016
This seems to be a reference cycle between SVGAnimatedListPropertyTearOff and SVGListPropertyTearOff. In SVGAnimatedListPropertyTearOff::animVal(), m_animVal is assigned to a new Ref<SVGListPropertyTearOff> but this new Ref increments the refcount of this. This looks similar to https://bugs.webkit.org/show_bug.cgi?id=151810.
> On Jan 5, 2016, at 2:19 PM, Vienneau, Christopher <cvienneau at ea.com> wrote:
>
> Thanks for suggesting that Simon, I’ve now opened the bug:
> https://bugs.webkit.org/show_bug.cgi?id=152759
>
> Chris
>
> From: simon.fraser at apple.com [mailto:simon.fraser at apple.com]
> Sent: Tuesday, January 05, 2016 12:09 PM
> To: Vienneau, Christopher <cvienneau at ea.com>
> Cc: WebKit Development <webkit-dev at lists.webkit.org>
> Subject: Re: [webkit-dev] Memory leak tracking in WebKit
>
> This sounds like a bug that would affect all WebKit ports. Can you file a bugs.webkit.org bug, and continue investigation there?
>
> Simon
>
> On Jan 5, 2016, at 12:03 PM, Vienneau, Christopher <cvienneau at ea.com> wrote:
>
> Hi,
>
> I’ve resumed the memory leak tracking I was doing last year. I have some more details to share; hopefully you’ll be able to suggest how I might fix it. The source of the leak appears to come from the below callstack. A cache of animation points is being created in SVGAnimatedProperty(SVGElement* contextElement, const QualifiedName& attributeName, AnimatedPropertyType animatedPropertyType), however the destructor for SVGAnimatedProperty is never called. The passed-in contextElement gains a ref when the SVGAnimatedProperty is created, however I’m not seeing a code path where the animation points should be destroyed. This affects both svg polyline and polygon, and results in leaking the whole page.
>
> Thanks for any help you can provide,
>
> Chris Vienneau
>
>
> \WebCore\svg\properties\SVGAnimatedProperty.cpp
> SVGAnimatedProperty::SVGAnimatedProperty(SVGElement* contextElement, const QualifiedName& attributeName, AnimatedPropertyType animatedPropertyType)
> : m_contextElement(contextElement)
> , m_attributeName(attributeName)
> , m_animatedPropertyType(animatedPropertyType)
> , m_isAnimating(false)
> , m_isReadOnly(false)
> {
> }
>
> > EAWebKitd.dll!WebCore::SVGAnimatedProperty::SVGAnimatedProperty(WebCore::SVGElement * contextElement, const WebCore::QualifiedName & attributeName, WebCore::AnimatedPropertyType animatedPropertyType) Line 29 C++
> EAWebKitd.dll!WebCore::SVGAnimatedListPropertyTearOff<WebCore::SVGPointList>::SVGAnimatedListPropertyTearOff<WebCore::SVGPointList>(WebCore::SVGElement * contextElement, const WebCore::QualifiedName & attributeName, WebCore::AnimatedPropertyType animatedPropertyType, WebCore::SVGPointList & values) Line 166 C++
> EAWebKitd.dll!WebCore::SVGAnimatedListPropertyTearOff<WebCore::SVGPointList>::create(WebCore::SVGElement * contextElement, const WebCore::QualifiedName & attributeName, WebCore::AnimatedPropertyType animatedPropertyType, WebCore::SVGPointList & values) Line 159 C++
> EAWebKitd.dll!WebCore::SVGAnimatedProperty::lookupOrCreateWrapper<WebCore::SVGPolyElement,WebCore::SVGAnimatedListPropertyTearOff<WebCore::SVGPointList>,WebCore::SVGPointList>(WebCore::SVGPolyElement * element, const WebCore::SVGPropertyInfo * info, WebCore::SVGPointList & property) Line 57 C++
> EAWebKitd.dll!WebCore::SVGPolyElement::lookupOrCreatePointsWrapper(WebCore::SVGElement * contextElement) Line 117 C++
> EAWebKitd.dll!WebCore::SVGPolyElement::animatedPoints() Line 130 C++
> EAWebKitd.dll!WebCore::updatePathFromPolylineElement(WebCore::SVGElement * element, WebCore::Path & path) Line 106 C++
> EAWebKitd.dll!WebCore::updatePathFromGraphicsElement(WebCore::SVGElement * element, WebCore::Path & path) Line 172 C++
> EAWebKitd.dll!WebCore::RenderSVGShape::updateShapeFromElement() Line 84 C++
> EAWebKitd.dll!WebCore::RenderSVGPath::updateShapeFromElement() Line 48 C++
> EAWebKitd.dll!WebCore::RenderSVGShape::layout() Line 164 C++
> EAWebKitd.dll!WebCore::SVGRenderSupport::layoutChildren(WebCore::RenderElement & start, bool selfNeedsLayout) Line 281 C++
> EAWebKitd.dll!WebCore::RenderSVGRoot::layout() Line 181 C++
> EAWebKitd.dll!WebCore::RenderElement::layoutIfNeeded() Line 135 C++
> EAWebKitd.dll!WebCore::RenderBlockFlow::layoutLineBoxes(bool relayoutChildren, WebCore::LayoutUnit & repaintLogicalTop, WebCore::LayoutUnit & repaintLogicalBottom) Line 1621 C++
> EAWebKitd.dll!WebCore::RenderBlockFlow::layoutInlineChildren(bool relayoutChildren, WebCore::LayoutUnit & repaintLogicalTop, WebCore::LayoutUnit & repaintLogicalBottom) Line 652 C++
> EAWebKitd.dll!WebCore::RenderBlockFlow::layoutBlock(bool relayoutChildren, WebCore::LayoutUnit pageLogicalHeight) Line 484 C++
> EAWebKitd.dll!WebCore::RenderBlock::layout() Line 930 C++
> EAWebKitd.dll!WebCore::RenderBlockFlow::layoutBlockChild(WebCore::RenderBox & child, WebCore::RenderBlockFlow::MarginInfo & marginInfo, WebCore::LayoutUnit & previousFloatLogicalBottom, WebCore::LayoutUnit & maxFloatLogicalBottom) Line 712 C++
> EAWebKitd.dll!WebCore::RenderBlockFlow::layoutBlockChildren(bool relayoutChildren, WebCore::LayoutUnit & maxFloatLogicalBottom) Line 633 C++
> EAWebKitd.dll!WebCore::RenderBlockFlow::layoutBlock(bool relayoutChildren, WebCore::LayoutUnit pageLogicalHeight) Line 488 C++
> EAWebKitd.dll!WebCore::RenderBlock::layout() Line 930 C++
> EAWebKitd.dll!WebCore::RenderBlockFlow::layoutBlockChild(WebCore::RenderBox & child, WebCore::RenderBlockFlow::MarginInfo & marginInfo, WebCore::LayoutUnit & previousFloatLogicalBottom, WebCore::LayoutUnit & maxFloatLogicalBottom) Line 712 C++
> EAWebKitd.dll!WebCore::RenderBlockFlow::layoutBlockChildren(bool relayoutChildren, WebCore::LayoutUnit & maxFloatLogicalBottom) Line 633 C++
> EAWebKitd.dll!WebCore::RenderBlockFlow::layoutBlock(bool relayoutChildren, WebCore::LayoutUnit pageLogicalHeight) Line 488 C++
> EAWebKitd.dll!WebCore::RenderBlock::layout() Line 930 C++
> EAWebKitd.dll!WebCore::RenderBlockFlow::layoutBlockChild(WebCore::RenderBox & child, WebCore::RenderBlockFlow::MarginInfo & marginInfo, WebCore::LayoutUnit & previousFloatLogicalBottom, WebCore::LayoutUnit & maxFloatLogicalBottom) Line 712 C++
> EAWebKitd.dll!WebCore::RenderBlockFlow::layoutBlockChildren(bool relayoutChildren, WebCore::LayoutUnit & maxFloatLogicalBottom) Line 633 C++
> EAWebKitd.dll!WebCore::RenderBlockFlow::layoutBlock(bool relayoutChildren, WebCore::LayoutUnit pageLogicalHeight) Line 488 C++
> EAWebKitd.dll!WebCore::RenderBlock::layout() Line 930 C++
> EAWebKitd.dll!WebCore::RenderView::layoutContent(const WebCore::LayoutState & state) Line 256 C++
> EAWebKitd.dll!WebCore::RenderView::layout() Line 382 C++
> EAWebKitd.dll!WebCore::FrameView::layout(bool allowSubtree) Line 1426 C++
> EAWebKitd.dll!WebCore::FrameView::updateLayoutAndStyleIfNeededRecursive() Line 4153 C++
> EAWebKitd.dll!EA::WebKit::View::Paint() Line 278 C++
> EAWebKitDemoUTFWin.exe!EA::Browser::BrowserWinView::OnTick() Line 1039 C++
> EAWebKitDemoUTFWin.exe!EA::UTFWin::CustomWindow::DoMessage(const EA::UTFWin::Message & msg) Line 46 C++
> EAWebKitDemoUTFWin.exe!EA::Browser::BrowserWinView::DoMessage(const EA::UTFWin::Message & msg) Line 649 C++
> EAWebKitDemoUTFWin.exe!EA::UTFWin::WindowMgr::DispatchMsgToWindow(EA::UTFWin::Window * target, const EA::UTFWin::Message & msg, bool outbound) Line 2120 C++
> EAWebKitDemoUTFWin.exe!EA::UTFWin::WindowMgr::SendMsg(EA::UTFWin::IWindow * src, EA::UTFWin::IWindow * dst0, const EA::UTFWin::Message & msg, bool inheritable, bool reversePriority) Line 249 C++
> EAWebKitDemoUTFWin.exe!EA::UTFWin::WindowMgr::ProcessMessages() Line 451 C++
> EAWebKitDemoUTFWin.exe!EA::Browser::BrowserApp::TickEAWebKitThread() Line 781 C++
> EAWebKitDemoUTFWin.exe!EA::Browser::BrowserApp::RunEAWebKit(void * instance) Line 838 C++
> EAWebKitDemoUTFWin.exe!EA::Debug::ExceptionHandler::ExecuteUserFunction(EA::Debug::ExceptionHandler::UserFunctionUnion userFunctionUnion, EA::Debug::ExceptionHandler::UserFunctionType userFunctionType, void * pContext) Line 900 C++
> EAWebKitDemoUTFWin.exe!EA::Debug::ExceptionHandlerWin32::RunTrapped(EA::Debug::ExceptionHandler::UserFunctionUnion userFunctionUnion, EA::Debug::ExceptionHandler::UserFunctionType userFunctionType, void * pContext, bool & exceptionCaught) Line 529 C++
> EAWebKitDemoUTFWin.exe!EA::Debug::ExceptionHandler::RunTrappedInternal(EA::Debug::ExceptionHandler::UserFunctionUnion userFunctionUnion, EA::Debug::ExceptionHandler::UserFunctionType userFunctionType, void * pContext, bool & exceptionCaught) Line 881 C++
> EAWebKitDemoUTFWin.exe!EA::Debug::ExceptionHandler::RunTrapped(void (void *) * userFunction, void * pContext) Line 925 C++
> EAWebKitDemoUTFWin.exe!EA::Browser::BrowserApp::Run(void * __formal) Line 855 C++
> EAWebKitDemoUTFWin.exe!RunnableObjectInternal(void * pContext) Line 608 C++
> EAWebKitDemoUTFWin.exe!invoke_thread_procedure(unsigned int (void *) * const procedure, void * const context) Line 92 C++
> EAWebKitDemoUTFWin.exe!thread_start<unsigned int (__cdecl*)(void * __ptr64)>(void * const parameter) Line 115 C++
> [External Code]
> _______________________________________________
> webkit-dev mailing list
> webkit-dev at lists.webkit.org
> https://lists.webkit.org/mailman/listinfo/webkit-dev
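Added example, not part of the thread and not WebKit code: a minimal C++ model of the cycle described in the top reply, where a lazily created, cached tear-off holds an owning reference back to the wrapper that caches it, so the wrapper's destructor never runs. std::shared_ptr stands in for WebKit's Ref/RefCounted, and all type and function names are hypothetical.

```cpp
#include <memory>

// Added illustration: std::shared_ptr stands in for WebKit's Ref/RefCounted,
// and every type and function name below is hypothetical.
static int g_liveWrappers = 0;  // wrappers whose destructor has not yet run

struct AnimatedList;
struct StrongTearOff { std::shared_ptr<AnimatedList> owner; };  // owning back-pointer
struct WeakTearOff   { std::weak_ptr<AnimatedList> owner; };    // non-owning back-pointer

struct AnimatedList : std::enable_shared_from_this<AnimatedList> {
    std::shared_ptr<StrongTearOff> strongAnimVal;  // cached tear-off, leaky variant
    std::shared_ptr<WeakTearOff> weakAnimVal;      // cached tear-off, safe variant

    AnimatedList() { ++g_liveWrappers; }
    ~AnimatedList() { --g_liveWrappers; }

    // Lazily create the cached tear-off, in the style of an animVal() getter.
    void animValStrong() {
        if (strongAnimVal) return;
        strongAnimVal = std::make_shared<StrongTearOff>();
        strongAnimVal->owner = shared_from_this();  // wrapper -> tear-off -> wrapper
    }
    void animValWeak() {
        if (weakAnimVal) return;
        weakAnimVal = std::make_shared<WeakTearOff>();
        weakAnimVal->owner = shared_from_this();    // adds no strong count
    }
};

// Drops the caller's only reference, then reports how many wrappers survived:
// 0 means the destructor ran, 1 means the cycle kept the wrapper alive.
int liveAfterRelease(bool useStrongBackRef) {
    const int before = g_liveWrappers;
    std::weak_ptr<AnimatedList> probe;  // observes the wrapper without owning it
    {
        auto wrapper = std::make_shared<AnimatedList>();
        if (useStrongBackRef) wrapper->animValStrong(); else wrapper->animValWeak();
        probe = wrapper;
    }
    const int survivors = g_liveWrappers - before;
    if (auto stuck = probe.lock())
        stuck->strongAnimVal.reset();  // break the cycle so this demo frees its memory
    return survivors;
}

int main() {
    return (liveAfterRelease(true) == 1 && liveAfterRelease(false) == 0) ? 0 : 1;
}
```

The weak back-pointer is one generic way to break such a cycle; the thread does not say how the WebKit bug was resolved.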