Updates:
Cc: [email protected]
Comment #10 on issue 2471 by [email protected]: Regression: Bogus
retaining paths in a heap snapshot
http://code.google.com/p/v8/issues/detail?id=2471
My guess would be that this path is through raw_stack trace accumulated for
new Error().stack used in goog.Disposable implementation.
In general we would expect it to be released after the formatting but I
think the one shot getter for .stack property itself got stuck in the IC
and retained the value through its context.
There are multiple indications supporting this hypothesis: the issue
disappears with --nouse-ic, the issue disappears if only one object is
allocated (IC is premonomorphic) or if >2 objects are allocated (IC becomes
megamorphic).
I think r12933 is partially responsible for this regression because it
killed the layer of indirection (DefineOneShotAccessor) that tried to
ensure that as little data is retained as possible after the accessor has
fired by releasing the factory function. The current implementation of
one-shot-getter does not null-out raw_stack so values leak if the getter
itself is stuck somewhere (e.g. in monomorphic IC).
This regression is unpleasant but it is unlikely to be an issue in the real
world because IC is unlikely to stay monomorphic (more than 2 objects
inherited from Disposable will be allocated).
--
v8-dev mailing list
[email protected]
http://groups.google.com/group/v8-dev
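
Added example, not part of the original comment and not V8 source: a userland JavaScript model of the retention pattern the comment hypothesises, where a one-shot getter that stays referenced after firing keeps its captured raw data reachable unless it nulls it out. The names installLeaky, installReleasing and rawStillReachable and the sample frames are hypothetical; a kept reference to the getter stands in for the IC.

```javascript
"use strict";

// Stand-in for the formatting step run the first time .stack is read.
function formatStack(raw) {
  return raw.frames.join("\n");
}

// Variant 1: the getter closes over rawStack and never lets go of it.
function installLeaky(obj, rawStack) {
  function getter() {
    const value = formatStack(rawStack);
    Object.defineProperty(this, "stack", { value, writable: true, configurable: true });
    return value;
  }
  Object.defineProperty(obj, "stack", { get: getter, configurable: true });
  return getter;
}

// Variant 2: the getter nulls out its captured raw data once it has fired.
function installReleasing(obj, rawStack) {
  function getter() {
    const value = rawStack === null ? undefined : formatStack(rawStack);
    rawStack = null; // the closure no longer references the raw data
    Object.defineProperty(this, "stack", { value, writable: true, configurable: true });
    return value;
  }
  Object.defineProperty(obj, "stack", { get: getter, configurable: true });
  return getter;
}

// Fire the getter once, then call it again through a retained reference
// (the role the comment assigns to a monomorphic IC). If the second call
// can still format the stack, the raw data is still reachable via the getter.
function rawStillReachable(install) {
  const obj = {};
  // Constructed sample data, not a real stack trace.
  const raw = { frames: ["at Disposable (constructed)", "at main (constructed)"] };
  const retainedGetter = install(obj, raw);
  const first = obj.stack;               // one shot: formats and replaces itself
  const again = retainedGetter.call({}); // second call through the stale reference
  return first === raw.frames.join("\n") && again === first;
}

console.log("leaky:", rawStillReachable(installLeaky));
console.log("releasing:", rawStillReachable(installReleasing));
```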