[Webkit-unassigned] [Bug 219232] New: [GLib] Leaked RunLoop objects on worker threads

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Sat Nov 21 00:44:27 PST 2020 

https://bugs.webkit.org/show_bug.cgi?id=219232

            Bug ID: 219232
           Summary: [GLib] Leaked RunLoop objects on worker threads
           Product: WebKit
           Version: WebKit Nightly Build
          Hardware: Unspecified
                OS: Unspecified
            Status: NEW
          Severity: Normal
          Priority: P2
         Component: New Bugs
          Assignee: webkit-unassigned at lists.webkit.org
          Reporter: zan at falconsigh.net
                CC: aperez at igalia.com

On JS worker threads, the thread-specific RunLoop object remains alive, along with all its resources, even after the thread is destroyed.

I've only observed this with WPE on JetStream2.0, subtest bomb-workers. For GLib implementation of RunLoop, the internal GMainContext manages an eventfd file descriptor. With large amounts of workers and corresponding RunLoops, these file descriptors grow in number until they hit the user limit for the number of allowed file descriptors, at which point the executable is terminated.

It could still be a problem on other ports, but like said, I haven't tested there.


Once the worker thread is terminated, the thread-specific RunLoop object outlives that thread with one reference remaining. This reference is stuck in a RunLoop::Timer object that is spawned in the per-VM data for JSRunLoopTimer. When the owner VM is being unregistered and the per-VM data destroyed, the unique_ptr owning the timer is taken and pushed into the RunLoop's dispatch queue in order to be destroyed on the thread it is associated with. At that point, the thread is already being shut down, and the dispatch of the clean-up functor is never performed, leaving the RunLoop::Timer dangling inside the queue owned by the RunLoop instance, which never gets destroyed because of the remaining reference on the RunLoop::Timer.
https://trac.webkit.org/browser/webkit/trunk/Source/JavaScriptCore/runtime/JSRunLoopTimer.cpp#L61

-- 
You are receiving this mail because:
You are the assignee for the bug.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.webkit.org/pipermail/webkit-unassigned/attachments/20201121/caafa704/attachment-0001.htm>

More information about the webkit-unassigned mailing list