[Webkit-unassigned] [Bug 119049] New: JavaScriptCore Doesn't GC Typed Arrays
bugzilla-daemon at webkit.org
Wed Jul 24 10:41:39 PDT 2013
https://bugs.webkit.org/show_bug.cgi?id=119049
Summary: JavaScriptCore Doesn't GC Typed Arrays
Product: WebKit
Version: 528+ (Nightly build)
Platform: Macintosh
URL: http://people.cs.umass.edu/~jvilk/safari-crash.html
OS/Version: Mac OS X 10.8
Status: UNCONFIRMED
Severity: Normal
Priority: P2
Component: JavaScriptCore
AssignedTo: webkit-unassigned at lists.webkit.org
ReportedBy: jvilk at cs.umass.edu
CC: ggaren at apple.com, fpizlo at apple.com, mhahnenberg at apple.com
Summary:
Safari does not appear to garbage collect typed arrays / ArrayBuffers. Once allocated, they remain a part of Safari's memory footprint, even when they are no longer reachable by the JavaScript program. As a result, a web page that makes regular use of typed arrays can crash Safari through a series of allocations.
I am unsure of which version of JavaScriptCore/WebKit is applicable. I am using the latest Safari on Mountain Lion.
Steps to Reproduce:
1) Visit http://people.cs.umass.edu/~jvilk/safari-crash.html
2) Click on one of the buttons in Safari.
(Or more generally)
1) Repeatedly allocate a 1MB ArrayBuffer to the same variable a large number of times (such that you allocate more than your system's memory). Each allocation should make the previous allocation unreachable.
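A bounded, instrumented version of the reproduction step above, added here as an example and not part of the bug report: it reassigns one variable so each previous buffer becomes unreachable, stops at a fixed iteration count instead of exhausting memory, and returns the two outcomes the report lists as expected. The iteration count, the buffer size default and the `arrayBufferBytes` helper (Node's `process.memoryUsage().arrayBuffers`, absent in browsers) are assumptions.

```javascript
// Added example, not from the bug report: bounded version of the
// "repeatedly allocate a 1MB ArrayBuffer to the same variable" step.
// Each iteration reassigns one variable, so the previous buffer becomes
// unreachable and a working collector can reclaim it. The default
// iteration count and size are constructed to stay far below system memory.
const ONE_MB = 1024 * 1024;

// Bytes currently held by ArrayBuffers, when the runtime exposes it
// (Node's process.memoryUsage().arrayBuffers); null in browsers.
function arrayBufferBytes() {
  if (typeof process !== 'undefined' && typeof process.memoryUsage === 'function') {
    const usage = process.memoryUsage();
    return typeof usage.arrayBuffers === 'number' ? usage.arrayBuffers : null;
  }
  return null;
}

function churnArrayBuffers(iterations = 256, sizeBytes = ONE_MB) {
  const before = arrayBufferBytes();
  let buf = null;
  let completed = 0;
  let error = null;
  try {
    for (let i = 0; i < iterations; i++) {
      buf = new ArrayBuffer(sizeBytes);      // the old buf is now garbage
      new Uint8Array(buf)[0] = i & 0xff;     // touch it so it is really backed
      completed++;
    }
  } catch (e) {
    error = String(e);                       // e.g. RangeError on a capped engine
  }
  return {
    completed,
    error,
    allocatedBytes: completed * sizeBytes,   // total handed out over the run
    reachableBytes: buf ? buf.byteLength : 0, // only the last buffer is still live
    arrayBufferBytesBefore: before,
    arrayBufferBytesAfter: arrayBufferBytes(),
  };
}

// The two outcomes the report lists as expected; a freeze is the bug.
function reportOutcome(result) {
  if (result.error === null) {
    return "Congratulations, your browser didn't crash! Check your memory usage, though.";
  }
  return 'Looks like your browser limits how much we allocate. Received the following exception: ' + result.error;
}
```

Comparing `arrayBufferBytesAfter` against `reachableBytes` once a collection has run shows whether the unreachable buffers were actually released or, as the report describes, stayed resident.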
Expected Results:
Safari does not freeze. The page pops up an alert with either "Congratulations, your browser didn't crash! Check your memory usage, though.", or "Looks like your browser limits how much we allocate. Received the following exception: [exception text]".
Actual Results:
Safari uses all system memory, starts swapping to disk, and either becomes completely unresponsive or crashes.