[Webkit-unassigned] [Bug 195322] New: REGRESSION(r236862): early frame decoupling leaves JSC ArrayBuffer objects lingering

Tue Mar 5 01:52:55 PST 2019

https://bugs.webkit.org/show_bug.cgi?id=195322

            Bug ID: 195322
           Summary: REGRESSION(r236862): early frame decoupling leaves JSC
                    ArrayBuffer objects lingering
           Product: WebKit
           Version: WebKit Nightly Build
          Hardware: Unspecified
                OS: Unspecified
            Status: NEW
          Severity: Normal
          Priority: P2
         Component: New Bugs
          Assignee: webkit-unassigned at lists.webkit.org
          Reporter: zan at falconsigh.net
                CC: cdumez at apple.com, rniwa at webkit.org

With frame detachment changes made in r236862, it seems JSC resources can persist beyond frame destruction.
https://trac.webkit.org/changeset/236862/webkit

The observed case is the one of ArrayBuffer resources that are kept alive during the JetStream benchmark execution. After r236862, at the end of a JetStream run there can be about 25 ArrayBuffer objects still referenced in the JSC heap and thus deferred for allocation through the GCIncomingRefCountedSet mechanism. This totals to over 700MB of extra memory at the end of a JetStream run. Before r236862 these ArrayBuffer objects were properly cleaned up during the run with only one or two objects remaining alive at the end of the run due to being used in the last few test cases, totalling ~150MB in size.

In r236862 specifically, the problem is a side effect of the early decoupling from the Frame object in DOMWindow::willDetachDocumentFromFrame(). This was further reorganized in later changes, but the problem remains present and can be observed on both Mac and Linux ports.

-- 
You are receiving this mail because:
You are the assignee for the bug.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.webkit.org/pipermail/webkit-unassigned/attachments/20190305/da4da42b/attachment.html>