[Webkit-unassigned] [Bug 55899] New: [Chromium] Detached DOM trees leak because of CSSStyleDeclaration wrapper sharing

Mon Mar 7 13:14:35 PST 2011

https://bugs.webkit.org/show_bug.cgi?id=55899

           Summary: [Chromium] Detached DOM trees leak because of
                    CSSStyleDeclaration wrapper sharing
           Product: WebKit
           Version: 528+ (Nightly build)
          Platform: PC
        OS/Version: All
            Status: NEW
          Severity: Normal
          Priority: P2
         Component: WebKit Misc.
        AssignedTo: webkit-unassigned at lists.webkit.org
        ReportedBy: mnaganov at chromium.org
                CC: antonm at chromium.org, vitalyr at chromium.org,
                    gregsimon at chromium.org
        Depends on: 55399

A common pattern of detached DOM trees leak is observed. The common repro scenario is like this: an application sets a style value on some node, then a whole DOM subtree to which this node belongs stays uncollected, even after being detached from the document.

This happens because V8 object group for the node includes CSSStyleDeclaration wrapper, which participates in two object groups -- the node group, and the group containing all style declarations. The latter group is thus held by any DOM subtree, including the document object group, and it effectively prevents all other object groups from being collected. Graphically the situation looks like this:

   Document DOM tree <--> CSSStyleDeclaration <--> Group with style decls. <--> CSSStyleDeclaration <--> Detached DOM subtree

Thanks to Rick Byers for providing the example.

-- 
Configure bugmail: https://bugs.webkit.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.