On Dec 4, 2008, at 12:55 PM, Matt Fischer wrote:
I'm working on an embedded product which uses a WebKit-based
browser, and I've been tracking down some memory leaks we're
seeing. After a long while of digging through the codebase, I've
been able to determine that we're occasionally leaking the
WebCore::Document object when leaving certain websites. A bit more
tracing reveals that the Document object is being retained because
an HTMLImageElement holds a DocPtr reference on it, and the element
isn't going away when the normal refcount on the Document drops to
0. This pins the Document object in memory.
The specific site I've been testing with is www.yahoo.com.
Examining the source code to that page reveals the following in the
page's beforeUnload event:
    window.onbeforeunload = function() {
        var img = new Image;
        now = new Date;
        t6 = now.getTime();
        img.src = 'http://www.yahoo.com/' + (ylp ? ylp : 'p.gif?t=0') + cc + '&tid=' + ver
            + '&ni=' + document.images.length + '&sss=' + sss + '&t1=' + t1
            + '&d1=' + (t2 - t1) + '&d2=' + (t3 - t1) + '&d3=' + (t4 - t1) + '&d4=' + (t5 - t1)
            + '&d5=' + (t6 - t1) + '&d6=' + (t7 - t1) + '&d7=' + (t8 - t1) + '&d8=' + (t9 - t1)
            + '&d9=' + (t10 - t1) + '&d10=' + (t11 - t1) + '&d11=' + (t12 - t1);
    }
It appears that this Image object is never being removed--I can
repeatedly navigate to and from this site and watch
HTMLImageElements (and their associated Document objects) pile up.
I'm still not convinced this is a WebKit problem specifically
(there's a fair amount of code surrounding it in our product that
could potentially have bugs in it), but to continue tracing the
problem, I need to know what the mechanism is that *ought* to be
freeing this object. I presume this is something that should be
taken care of by the JavaScript garbage collector, however I can see
JavaScriptCore::Collector::collect() calls running occasionally
after this object is created, and it never goes away. Is there some
immediately apparent reason why this wouldn't be happening? I.e.,
is there something else that would be holding a reference to an
object created by this type of script code, or is something other
than the GC responsible for freeing it, etc?
My apologies if this turns out to be a stupid question--I'm just
trying to get some context for where I ought to focus next.
Have you tried it on WebKit trunk? I think this is fixed by r37922.
- Maciej
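The pinning described in the question, as an added example that is not part of the thread and not WebKit code: a small JavaScript model of a Document with two reference counts, the normal one held by its owners and a separate guard count that a DocPtr holds. The model assumes the behaviour the question describes (the document is only freed once both counts are zero, so an HTMLImageElement whose DocPtr is never released pins the document after the frame lets go of it). The class names mirror WebCore loosely; the mechanics, the `destroy()` hook standing in for wrapper collection, and the scenario helpers are assumptions of this model rather than a transcript of WebCore source.

```javascript
// Added example: simplified model of refcount + guard-ref pinning (assumption,
// not WebCore's actual implementation).

class Document {
  constructor(url) {
    this.url = url;
    this.refCount = 0;        // normal owners (the frame, etc.)
    this.guardRefCount = 0;   // held by DocPtr instances
    this.children = [];
    this.freed = false;
  }
  ref() { this.refCount++; }
  deref() {
    this.refCount--;
    if (this.refCount === 0) this.removedLastRef();
  }
  guardRef() { this.guardRefCount++; }
  guardDeref() {
    this.guardRefCount--;
    if (this.refCount === 0 && this.guardRefCount === 0) this.free();
  }
  removedLastRef() {
    // The normal owners are gone: tear down the tree, but the object itself
    // stays pinned in memory as long as any DocPtr is alive.
    this.children = [];
    if (this.guardRefCount === 0) this.free();
  }
  free() { this.freed = true; }
}

// Guard-ref smart pointer: holds the document without being a normal owner.
class DocPtr {
  constructor(doc) { this.doc = doc; doc.guardRef(); }
  release() {
    if (this.doc) { this.doc.guardDeref(); this.doc = null; }
  }
}

class HTMLImageElement {
  constructor(doc) { this.doc = new DocPtr(doc); this.src = ''; }
  // In the real engine this runs when the element (and its JS wrapper) is
  // destroyed; here it is called explicitly to model "GC collected the Image".
  destroy() { this.doc.release(); }
}

// One page visit: the frame owns the document, a beforeunload handler creates
// an Image, then the frame navigates away and drops its reference.
function runScenario({ collectImage }) {
  const doc = new Document('http://www.yahoo.com/');   // constructed sample
  doc.ref();
  const img = new HTMLImageElement(doc);                 // var img = new Image;
  img.src = 'http://www.yahoo.com/p.gif?t=0';            // constructed sample URL
  doc.deref();                                           // leaving the page
  if (collectImage) img.destroy();                       // GC releases the DocPtr
  return { freed: doc.freed, refCount: doc.refCount, guardRefCount: doc.guardRefCount };
}

// Repeated visits: count how many documents are still pinned afterwards.
function repeatedNavigations(n, collectImage) {
  let leaked = 0;
  for (let i = 0; i < n; i++) {
    if (!runScenario({ collectImage }).freed) leaked++;
  }
  return leaked;
}

module.exports = { Document, DocPtr, HTMLImageElement, runScenario, repeatedNavigations };
```

With `collectImage: false` the document ends with `refCount` 0 and `guardRefCount` 1 and is never freed, which is the state the question reports: the normal count has hit zero, the DocPtr is what keeps the object alive, and each navigation adds one more pinned document.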
_______________________________________________
webkit-dev mailing list
[email protected]
http://lists.webkit.org/mailman/listinfo.cgi/webkit-dev