[Webkit-unassigned] [Bug 29909] New: [V8] Chromium's implementation of ScriptString is awful for XHR's responseText

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Tue Sep 29 18:35:25 PDT 2009 

https://bugs.webkit.org/show_bug.cgi?id=29909

           Summary: [V8] Chromium's implementation of ScriptString is
                    awful for XHR's responseText
           Product: WebKit
           Version: 528+ (Nightly build)
          Platform: All
        OS/Version: All
            Status: UNCONFIRMED
          Severity: Normal
          Priority: P2
         Component: New Bugs
        AssignedTo: webkit-unassigned at lists.webkit.org
        ReportedBy: jamesr at chromium.org
                CC: mike at belshe.com


ScriptString is implemented in bindings/v8 as a thin wrapper around
WebCore::String.  This means every append operation calls into String::append()
which allocates a new buffer large enough for the entire string and copies the
data in.  For XMLHttpRequest's responseText object, this means every time new
data is received from the network a new WebCore::String is allocated and
populate with the text received thus far.

This results in memcpy()ing the same data around a lot and making a lot of
allocations and deallocations, but it interacts particularly badly with V8 if
the readystatechange to 3 handler happens to grab a reference to the
responseText object because when this happens V8 grabs a reference to the
WebCore::String backing responseText.  Some sites check the responseText.length
parameter on readyState 3 which means they will create a handle from V8 on
every intermediate WebCore string resulting in quadratic memory use (mitigated
by a very small constant factor, but quadratic nonetheless).   For example, if
a 1MB XHR is received in 32 chunks of size 32K there are a sequence of
WebCore::String's created of sizes:

32k
64k
98k
128k
160k
...
992k
1024k

and a readystatechange event fired at each.  If the script grabs a handle at
each readystatechange handler, up to around half a gig could be kept live until
V8 GC's the handles holding the WebCore::String objects alive.  This is
suboptimal, especially as I suspect it is rare that a script would want to look
at the actual contents of responseText before the download completes.

-- 
Configure bugmail: https://bugs.webkit.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.

More information about the webkit-unassigned mailing list