[Webkit-unassigned] [Bug 66438] New: Abandoned Memory: SVGFontElement and Corresponding SVGDocument Never Deconstructed

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Wed Aug 17 17:45:36 PDT 2011 

https://bugs.webkit.org/show_bug.cgi?id=66438

           Summary: Abandoned Memory: SVGFontElement and Corresponding
                    SVGDocument Never Deconstructed
           Product: WebKit
           Version: 528+ (Nightly build)
          Platform: Unspecified
        OS/Version: Unspecified
            Status: NEW
          Severity: Normal
          Priority: P2
         Component: SVG
        AssignedTo: webkit-unassigned at lists.webkit.org
        ReportedBy: joepeck at webkit.org
                CC: zimmermann at kde.org, timothy_horton at apple.com


Created an attachment (id=104285)
 --> (https://bugs.webkit.org/attachment.cgi?id=104285&action=review)
[TEST] Test Case

It looks like there is a ref/retain cycle between the SVGFontFaceElement and the SVGFontElement.
This cycle prevents the SVGDocument, and the corresponding SVG Font data from ever being
released. I attached a zip of a an html+svg font test (might be possible to reduce further for
those experienced with SVG).

What I'm seeing is:

  1. CachedFont creates the SVGDocument and assigns it into m_externalSVGDocument.
  2. When the CachedFont is evicted from WebCore's MemoryCache the SVGDocument
     gets its refCount dropped to 0 => removedLastRef
  3. Document::removeLastRef (for the SVGDocument) attempts to remove all Nodes,
     but doesn't delete the SVGFontElement subtree because the SVGFontElement has
     a ref (held by its containing SVGFontFaceElement).

So the node keeps the document alive, and no-one holds a reference to the document,
and presumably not the font anymore.

A possible fix is to just give the SVGFontFaceElement a weak reference to the
SVGFontElement. It doesn't seem to need a full RefPtr, but I'm not familiar with
the area. I'll run some tests and propose a patch soon.

Steps to reproduce with the attached test:

  1. Load the test page
  2. Close the test page
  3. Cause the CachedFont to be evicted
     gdb> WebCore::memoryCache()->setDisabled(true); // works like a charm
  4. See if the SVGDocument was actually deconstructed

You can also use memory analysis tools to see if there were leftover allocations
for the SVGElements (Glyphs, etc) that are still alive.

-- 
Configure bugmail: https://bugs.webkit.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.

More information about the webkit-unassigned mailing list