<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=us-ascii">
<meta name="Generator" content="Microsoft Word 15 (filtered medium)">
<style><!--
/* Font Definitions */
@font-face
        {font-family:"Cambria Math";
        panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
        {font-family:Calibri;
        panose-1:2 15 5 2 2 2 4 3 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
        {margin:0in;
        margin-bottom:.0001pt;
        font-size:11.0pt;
        font-family:"Calibri","sans-serif";}
a:link, span.MsoHyperlink
        {mso-style-priority:99;
        color:#0563C1;
        text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
        {mso-style-priority:99;
        color:#954F72;
        text-decoration:underline;}
span.EmailStyle17
        {mso-style-type:personal;
        font-family:"Calibri","sans-serif";
        color:windowtext;}
span.EmailStyle18
        {mso-style-type:personal;
        font-family:"Calibri","sans-serif";
        color:#1F497D;}
span.EmailStyle19
        {mso-style-type:personal-compose;
        font-family:"Calibri","sans-serif";
        color:windowtext;}
.MsoChpDefault
        {mso-style-type:export-only;
        font-size:10.0pt;}
@page WordSection1
        {size:8.5in 11.0in;
        margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
        {page:WordSection1;}
--></style>
</head>
<body lang="EN-US" link="#0563C1" vlink="#954F72">
<div class="WordSection1">
<p class="MsoNormal"><span style="color:#1F497D">I spent more time on it and now have concrete info. The reason for the leak is that the ExecutableBase class in runtime/Executable.h has conditional compilation for the destroy call (only enabled if JIT is enabled). So
when a ProgramExecutable is created, it adds a ref to the JSC::SourceCode::m_provider member I mentioned below. However, if you turn off JIT, allocateCell ends up putting it in heap.allocateWithoutDestructor. Since the destructor/destroy is not called
anymore, the ref leaks when JIT is not enabled.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D">It seems to me that safeguarding the destructor using ENABLE(JIT) is a mistake. The memory leak is also quite severe, as I outlined below. A quick local test I am running at the moment by allowing the destructor
for the non-JIT path seems to be working well without leaks.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D">Thoughts?<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D">Thanks<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D">Arpit<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D"><o:p> </o:p></span></p>
<div>
<div style="border:none;border-top:solid #E1E1E1 1.0pt;padding:3.0pt 0in 0in 0in">
<p class="MsoNormal"><b>From:</b> webkit-help-bounces@lists.webkit.org [mailto:webkit-help-bounces@lists.webkit.org]
<b>On Behalf Of </b>Baldeva, Arpit<br>
<b>Sent:</b> Wednesday, April 09, 2014 5:47 PM<br>
<b>To:</b> webkit-help@lists.webkit.org<br>
<b>Subject:</b> [webkit-help] cached scripts leak in C Loop Interpreter mode<o:p></o:p></p>
</div>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Hi,<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">I am using the WebCore::gcController().discardAllCompiledCode() API to discard cached scripts and free up memory. This works pretty well in the JIT mode. However, when I used the C Loop interpreter, the cached scripts are not discarded. So far,
I have traced it down to the JSC::SourceCode::m_provider member. The ref count on this member is all wrong.
<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">The reproduction is pretty simple. Load a “hello world” type page in a web view, then go to Google.com. That causes about 0.189 MB worth of scripts to get cached. Go back to the hello world page and now call WebCore::gcController().discardAllCompiledCode().
The JIT path is able to get rid of the cached scripts. However, the C Loop interpreter leaks pretty much everything (the ref count on the member noted above is around ~850 whereas it should be 1). The direct URL of the problematic script is
<a href="http://www.google.com/xjs/_/js/k=xjs.hp.en_US.75bv2nh_qxI.O/m=sb_he,pcc/rt=j/d=1/sv=1/rs=AItRSTOX5WMsAVpkgEafYeVKZ7ZCJdNXcg">
http://www.google.com/xjs/_/js/k=xjs.hp.en_US.75bv2nh_qxI.O/m=sb_he,pcc/rt=j/d=1/sv=1/rs=AItRSTOX5WMsAVpkgEafYeVKZ7ZCJdNXcg</a><o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">An even more accessible scenario is to just keep on reloading the SunSpider test suite. I used 0.9.1 -
<a href="http://www.webkit.org/perf/sunspider-0.9.1/sunspider-0.9.1/driver.html">
http://www.webkit.org/perf/sunspider-0.9.1/sunspider-0.9.1/driver.html</a> Every reload is pretty much leaking, causing the memory usage to grow unbounded. The C Loop interpreter path memory usage goes up to 200 MB within just a few minutes; however, the JIT path
stays around 12 MB.<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">My version of the code is about 5 months old (157437). However, I did not see any leak fixes going in recently when I searched Bugzilla.<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Any help is appreciated.<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Thanks<o:p></o:p></p>
<p class="MsoNormal">Arpit<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
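<p class="MsoNormal">The mechanism described in the follow-up at the top of this thread, as an added example that is not part of the original messages and is not WebKit code: a simplified model in which a cell holding a ref-counted member is reclaimed either with or without its destructor. All names (SourceProvider, Executable, Cell, allocateCell, sweep, refsAfterDiscard, guardDestroyOnJIT) and the plain ENABLE_JIT macro are assumptions made for the illustration.</p>
<pre>
```cpp
// Simplified model of the leak; NOT JavaScriptCore code, all names hypothetical.
#ifndef ENABLE_JIT
#define ENABLE_JIT 0              // model a C Loop interpreter (no JIT) build
#endif

struct SourceProvider {           // stands in for the object behind m_provider
    int refCount = 1;             // the creator holds the first reference
    void ref()   { ++refCount; }
    void deref() { --refCount; }
};

struct Executable {               // stands in for a ProgramExecutable
    SourceProvider* provider;
    explicit Executable(SourceProvider* p) : provider(p) { provider->ref(); }
    ~Executable() { provider->deref(); }      // only runs if the heap destroys the cell
};

struct Cell { Executable* exe; bool needsDestruction; };

// guardDestroyOnJIT == true models "destroy is only compiled in when JIT is on".
Cell allocateCell(SourceProvider* p, bool guardDestroyOnJIT) {
    bool hasDestroy = guardDestroyOnJIT ? (ENABLE_JIT != 0) : true;
    return { new Executable(p), hasDestroy };
}

void sweep(Cell* c) {
    if (c->needsDestruction)
        delete c->exe;                 // destructor runs, reference is released
    else
        ::operator delete(c->exe);     // storage reclaimed, destructor skipped
    c->exe = nullptr;
}

// Create n executables sharing one provider, discard them all, report the ref count.
int refsAfterDiscard(int n, bool guardDestroyOnJIT) {
    SourceProvider* provider = new SourceProvider;
    Cell* cells = new Cell[n];
    for (int i = 0; i != n; ++i) cells[i] = allocateCell(provider, guardDestroyOnJIT);
    for (int i = 0; i != n; ++i) sweep(cells + i);
    int refs = provider->refCount;
    delete[] cells;
    delete provider;
    return refs;
}

int main() {                           // constructed input: 850 executables
    if (refsAfterDiscard(850, true) != 851) return 1;   // guarded destroy: refs leak
    if (refsAfterDiscard(850, false) != 1) return 1;    // unguarded destroy: back to 1
    return 0;
}
```
</pre>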
</div>
</body>
</html>