[Webkit-unassigned] [Bug 29093] New: [V8] HTML attribute listeners leak memory.

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Wed Sep 9 10:29:58 PDT 2009


https://bugs.webkit.org/show_bug.cgi?id=29093

           Summary: [V8] HTML attribute listeners leak memory.
           Product: WebKit
           Version: 528+ (Nightly build)
          Platform: PC
        OS/Version: All
            Status: UNCONFIRMED
          Severity: Normal
          Priority: P2
         Component: WebCore Misc.
        AssignedTo: webkit-unassigned at lists.webkit.org
        ReportedBy: vitalyr at chromium.org
                CC: dglazkov at chromium.org


[V8] HTML attribute listeners leak memory.

Creating DOM elements using innerHTML with listeners will leak memory in case
these listeners are invoked at least once.

function leak() {
  var node = document.createElement("span");
  // The parsed onclick attribute creates a V8LazyEventListener on the child span.
  node.innerHTML = "<span onclick=''></span>";
  // Invoking the listener lazily compiles the handler; this is the step that creates the cycle.
  node.childNodes[0].onclick();  // (*)
}

If you remove the (*) line, everything is back to normal. The cycle looks like this:

  C++ Span Element <---------------------- JS node wrapper
        |                                        ^
        v                                        |
V8LazyEventListener --[strong handle]--> JS function (onclick)

The reference between the JS function and the JS wrapper gets created in
V8LazyEventListener when it lazily compiles the function. This is very similar
to http://crbug.com/17400 but with a different C++ listener type.

This can be fixed like http://crbug.com/17400 by making the handle in
V8LazyEventListener weak and adding a hidden dependency from the JS wrapper to the JS
function to prevent the function from being collected.
