Status: Accepted
Owner: [email protected]
CC: [email protected], [email protected], [email protected]
Labels: Type-Bug Priority-Medium
New issue 3877 by [email protected]: Memory leak caused by field type
tracking
https://code.google.com/p/v8/issues/detail?id=3877
Field type generalization stores a union of the previous field type and the
new field type in a data descriptor of a map.
The descriptor keeps the old field type alive. If the old field type is a
map than this can cause a memory leak.
The following script demonstrate the leak, where all four constructor
functions (and their contexts) survive even though the JS code retains only
the last constructor.
==================
function cls(a) {
var huge = []; // huge array to affect memory usage
for (var i = 0; i < 2000; i++) huge[i] = new Array(1000);
function bar() {
// Make "huge" context allocated.
return huge;
}
return (function() {
this.z = a;
})
}
function write(o, a) {
var constructor = cls(a);
o.x = new constructor();
}
function foo() {
var a = { };
write(a, 10);
return a;
}
gc();
var retainer;
for (var i = 0; i < 4; i++) retainer = foo();
gc();
gc();
gc();
==================
Running the script with "--expose-gc --trace-gc --trace-generalization":
[16676] 1332 ms: Mark-sweep 24.1 (38.6) -> 24.1 (45.6) MB, 357.1 ms (+
488.0 ms in 143 steps since start of marking, biggest step 10.3 ms) [GC
interrupt] [GC in old space requested].
[generalizing Object] x:h{(Class(0x56010281 < OtherObject) |
Class(0x560101e1 < OtherObject))}->h{(Class(0x56010281 < OtherObject) |
Class(0x560101e1 < OtherObject) | Class(0x560102f9 < OtherObject))} (field
type generalization) [~write+127 at repa.js:14]
[16676] 1391 ms: Scavenge 30.9 (45.6) -> 30.9 (46.6) MB, 55.7 ms
[allocation failure].
[generalizing Object] x:h{(Class(0x56010281 < OtherObject) |
Class(0x560101e1 < OtherObject) | Class(0x560102f9 <
OtherObject))}->h{(Class(0x560101e1 < OtherObject) | Class(0x560102f9 <
OtherObject) | Class(0x56010399 < OtherObject) | Class(0x56010281 <
OtherObject))} (field type generalization) [~write+127 at repa.js:14]
[16676] 2348 ms: Mark-sweep 31.8 (46.6) -> 31.8 (53.6) MB, 955.8 ms
[Isolate::RequestGarbageCollection] [GC in old space requested].
[16676] 3189 ms: Mark-sweep 31.8 (53.6) -> 31.8 (54.6) MB, 841.3 ms
[Isolate::RequestGarbageCollection] [GC in old space requested].
[16676] 4017 ms: Mark-sweep 31.8 (54.6) -> 31.8 (54.6) MB, 827.7 ms
[Isolate::RequestGarbageCollection] [GC in old space requested].
Running the script with --expose-gc --trace-gc --notrack_field_types
[16702] 1305 ms: Mark-sweep 24.1 (38.6) -> 24.1 (45.6) MB, 329.4 ms (+
490.5 ms in 143 steps since start of marking, biggest step 10.2 ms) [GC
interrupt] [GC in old space requested].
[16702] 1364 ms: Scavenge 30.9 (45.6) -> 30.9 (46.6) MB, 57.4 ms
[allocation failure].
[16702] 1735 ms: Mark-sweep 31.8 (46.6) -> 8.7 (29.6) MB, 369.7 ms
[Isolate::RequestGarbageCollection] [GC in old space requested].
[16702] 2003 ms: Mark-sweep 8.7 (29.6) -> 8.7 (30.6) MB, 268.6 ms
[Isolate::RequestGarbageCollection] [GC in old space requested].
[16702] 2257 ms: Mark-sweep 8.7 (30.6) -> 8.7 (30.6) MB, 253.5 ms
[Isolate::RequestGarbageCollection] [GC in old space requested].
The total memory usage:
- with field type tracking: 32MB (~ size of 4 "huge" arrays in the
contexts of all constructors).
- without field type tracking: 9MB (~ size of 1 "huge" array in the
context of the retained constructor).
--
You received this message because this project is configured to send all
issue notifications to this address.
You may adjust your notification preferences at:
https://code.google.com/hosting/settings
--
--
v8-dev mailing list
[email protected]
http://groups.google.com/group/v8-dev
---
You received this message because you are subscribed to the Google Groups "v8-dev" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to [email protected].
For more options, visit https://groups.google.com/d/optout.
