[Webkit-unassigned] [Bug 172728] Page that allocates and destroys canvas elements in a loop gets jettisoned on iOS

bugzilla-daemon at webkit.org
Tue May 30 21:56:55 PDT 2017


https://bugs.webkit.org/show_bug.cgi?id=172728

--- Comment #6 from Joseph Pecoraro <joepeck at webkit.org> ---
I think this is primarily a programming error in the page that will cause the "fabric.Canvas" instances to be kept alive by leaked global resize listeners being registered.

I boiled it down to:

    <script>
    MyCanvas = function() {
        this.initialize();
    };

    MyCanvas.prototype.initialize = function() {
        this.a = document.createElement('canvas');
        this.f = (function() {}).bind(this); // 2nd time this will overwrite "this.f"
        window.addEventListener('resize', this.f);
    };

    MyCanvas.prototype.dispose = function() {
        window.removeEventListener('resize', this.f);
    };

    window.addEventListener("load", function() {
        var canvas;
        for (var count = 0; count < 100; count++){
            console.log("count", count);
            canvas = new MyCanvas(); // initialize once
            canvas.initialize(); // initialize again
            canvas.dispose();
        }
    }, false);
    </script>

It looks like the page effectively calls initialize twice. This means:

  1. First call to initialize happens via new fabric.Canvas constructor:
      - creates the 1st this._onResize = this._onResize.bind()
      - adds this as a "resize" listener
      - note this constructor is generated within fabric.util.createClass as this.initialize.apply(this, args)

  2. Second call to initialize is explicit in the loop
      - overwrites the 1st this._onResize with a second
      - adds this as a "resize" listener

  3. Dispose clears the second this._onResize

Nobody ever clears the first resize listener added to the window as part of (1). And nobody can do that, as nobody holds a reference to the original onResize function before it was rewritten. The resize handler is significant because it is on the window, therefore global, and will stay around forever unless removed. The others are localized to an element and can be collected with the element.

---

Compare to this fiddle:
http://jsfiddle.net/hjnhfk5L/

Before:

> for(var count = 1; count < 100; count++){
>    console.log("count", count);
>    canvas = new fabric.Canvas();
>    canvas.initialize(canvasElement, {height:2000, width: 2000});
>    canvas.add(rect);
>    canvas.dispose();
> }

After:

> for (var count = 1; count < 100; count++){
>     console.log("count", count);
>     canvas = new fabric.Canvas(canvasElement, {height:2000, width: 2000});
>     canvas.add(rect);
>     canvas.dispose();
> }

This doesn't call initialize twice, and doesn't have the same leaks.

---

Now, even after diagnosing this as the issue, that doesn't mean we can't make a change to WebKit to improve WebKit's behavior in these situations. I don't think any of these Canvas elements are actually attached to the page, so maybe we can free some of the memory held by them.

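The following is an added example, not code from the bug report or from fabric.js: it models the double-initialize leak described above with a constructed FakeWindow standing in for the real window (so the listener count can be inspected offline), alongside an initialize() that unregisters its previous listener before rebinding, which is the page-side fix. LeakyCanvas, SafeCanvas and leakedResizeListeners are assumed names for this illustration.

```javascript
// Constructed stand-in for window: identity-keyed listeners, like the DOM,
// plus a count so the leak is observable without a memory profiler.
class FakeWindow {
  constructor() { this.listeners = new Map(); }
  addEventListener(type, fn) {
    if (!this.listeners.has(type)) this.listeners.set(type, new Set());
    this.listeners.get(type).add(fn);
  }
  removeEventListener(type, fn) {
    const set = this.listeners.get(type);
    if (set) set.delete(fn);                 // no-op if fn was never registered
  }
  listenerCount(type) {
    const set = this.listeners.get(type);
    return set ? set.size : 0;
  }
}

// Mirrors the reduced test case: every initialize() creates a fresh bound
// function and overwrites the old one, so dispose() can only remove the last.
class LeakyCanvas {
  constructor(win) { this.win = win; this.initialize(); }
  initialize() {
    this.onResize = (function () {}).bind(this); // 2nd call drops the old reference
    this.win.addEventListener('resize', this.onResize);
  }
  dispose() { this.win.removeEventListener('resize', this.onResize); }
}

// Hardened variant: initialize() first unregisters whatever it registered
// before, so re-initializing cannot orphan a global listener.
class SafeCanvas extends LeakyCanvas {
  initialize() {
    if (this.onResize) this.win.removeEventListener('resize', this.onResize);
    super.initialize();
  }
}

// Runs the page's loop (construct, optionally initialize again, dispose)
// `iterations` times and returns how many 'resize' listeners remain on the window.
function leakedResizeListeners(CanvasClass, iterations, initializeTwice) {
  const win = new FakeWindow();
  for (let i = 0; i < iterations; i++) {
    const canvas = new CanvasClass(win);     // initialize once (constructor)
    if (initializeTwice) canvas.initialize(); // initialize again, as the page does
    canvas.dispose();
  }
  return win.listenerCount('resize');
}
```

With the leaky class and the double initialize, one listener per iteration survives; the single-initialize "After" loop and the hardened class both leave none.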