[Webkit-unassigned] [Bug 119718] New: Fix Document leak from NodeFilter

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Mon Aug 12 20:22:55 PDT 2013 

https://bugs.webkit.org/show_bug.cgi?id=119718

           Summary: Fix Document leak from NodeFilter
           Product: WebKit
           Version: 528+ (Nightly build)
          Platform: Unspecified
        OS/Version: Unspecified
            Status: NEW
          Keywords: BlinkMergeCandidate
          Severity: Normal
          Priority: P2
         Component: HTML DOM
        AssignedTo: webkit-unassigned at lists.webkit.org
        ReportedBy: rniwa at webkit.org
                CC: mjs at apple.com, sam at webkit.org, ggaren at apple.com,
                    oliver at apple.com, barraclough at apple.com


Fix the problem https://chromium.googlesource.com/chromium/blink/+/65db79784ecd4a7e744d10a26befe5159638a56c fixed in WebKit if applicable.

* Problem Description
When NodeIterator/TreeWalker with filter JS callback is created, the following reference chain was created:
NodeIterator -(RefPtr)-> NodeFilter -(RefPtr)-> V8NodeFilterCondition -(ScopedPersistent)-> JS callback object -> window

This caused the whole document to be leaked when NodeIterator was referenced from window. 
For example, the following script created a circular reference which could not be collected.
<script> window.foobar = document.createNodeIterator(document, NodeFilter.SHOW_ELEMENT, function(node) { return NodeFilter.FILTER_ACCEPT; }); </script>

* Proposal
This patch modifies the reference chain to avoid leak. The basic idea is to move the callback's whole reference chain to the V8 side.

We change the strong reference to the JS callback object held by V8NodeFilterCondition to a weak reference.
The JS callback is instead kept alive by a wrapper of NodeFilter, referenced from NodeIterator wrapper.

The new reference chain is illustrated as follows:
Blink world:    NodeIterator      -(RefPtr)->        NodeFilter       -(RefPtr)->     V8NodeFilterCondition
                     ^^^                                 ^^^                             vvv(weakref)vvv
   V8 world: NodeIterator wrap -(HiddenProperty)-> NodeFilter wrap -(HiddenProperty)->   JS callback obj. -> window

The new reference chain can be collected correctly, as the whole circular reference chain is visible from V8 GC.

-- 
Configure bugmail: https://bugs.webkit.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.

More information about the webkit-unassigned mailing list