17523 2008-02-24 13:26:01 -0800 Javascript creating a protected object for onclick and not GCing once no-longer shown 2009-04-19 23:37:46 -0700 1 1 1 Unclassified WebKit WebCore JavaScript 523.x (Safari 3) Mac OS X 10.5 RESOLVED INVALID http://yuuzhan.selfip.net:81/runner/?sec=view InRadar P2 Normal --- 1 kb1ibt webkit-unassigned oldest_to_newest 71775 0 kb1ibt 2008-02-24 13:26:01 -0800 On the page there are new protected objects being created for every element assigned with a onclick function. Specifically looking at the runner.js file inside the createLI function there is an object being assigned with a function via onclick which seems to cause the object to become protected. Since that page updates every 5 seconds after a couple hours safari will report an out of memory issue in the javascript console. 71780 1 19326 kb1ibt 2008-02-24 13:47:45 -0800 Created attachment 19326 reduction of error This file is a reduction of the bug, it refreshes every 5 seconds and every refresh creates a new protected object. 71783 2 mrowe 2008-02-24 13:48:49 -0800 With TOT the "Out of Memory" error will no longer occur, but the increase in the number of protected objects is a bit suspicious. 71784 3 mrowe 2008-02-24 13:49:46 -0800 <rdar://problem/5762351> 85824 4 ggaren 2008-07-11 16:18:08 -0700 I don't really see how we can avoid this memory use. It would be an error to strip the element of its event handlers just because it was removed from the document, since the element can be re-added to the document. 85825 5 ggaren 2008-07-11 16:25:05 -0700 Sorry -- I realize now that the node is no longer reachable after it's removed from the document, so, in theory, it should be GC'd along with its event handler. 118086 6 ggaren 2009-04-19 23:37:46 -0700 Turns out this bug is invalid. The reduction says: var existingDiv = document.getElementById('test'); ... newDiv.onclick = function(){alert("You clicked me")}; The function expression assigned to the "onclick" handler implicitly captures "existingDiv" in its scope chain / closure. So, each new div inserted into the document references an event handler that references the last div inserted into the document. It's a giant linked list, implicitly created by closures. In theory, an optimizing compiler could prove that the event handler did not actually reference "existingDiv", and optimize it out of the closure. But that's probably beyond the scope of what this bug intended. Work around: Remove "existingDiv" from the scope in which the event handler is defined. 19326 2008-02-24 13:47:45 -0800 2008-02-24 13:47:45 -0800 reduction of error test.html text/html 560 kb1ibt PGh0bWw+CjxoZWFkPgo8c2NyaXB0Pgp2YXIgbG9hZCA9IGZ1bmN0aW9uKCl7CnNldEludGVydmFs KHRlc3QsIDUwMDApOwp9Owp2YXIgdGVzdCA9IGZ1bmN0aW9uKCl7CnZhciBjb250ZW50ID0gZG9j dW1lbnQuZ2V0RWxlbWVudEJ5SWQoJ2NvbnRlbnQnKTsKdmFyIGV4aXN0aW5nRGl2ID0gZG9jdW1l bnQuZ2V0RWxlbWVudEJ5SWQoJ3Rlc3QnKTsKdmFyIG5ld0RpdiA9IGRvY3VtZW50LmNyZWF0ZUVs ZW1lbnQoJ2RpdicpOwpuZXdEaXYuc2V0QXR0cmlidXRlKCdpZCcsJ3Rlc3QnKTsKbmV3RGl2Lmlu bmVySFRNTCA9ICJDbGljayBNZSIKbmV3RGl2Lm9uY2xpY2sgPSBmdW5jdGlvbigpe2FsZXJ0KCJZ b3UgY2xpY2tlZCBtZSIpfTsKaWYoZXhpc3RpbmdEaXYpewoJZXhpc3RpbmdEaXYucGFyZW50Tm9k ZS5yZXBsYWNlQ2hpbGQobmV3RGl2LGV4aXN0aW5nRGl2KTsKCX1lbHNlewoJY29udGVudC5hcHBl bmRDaGlsZChuZXdEaXYpOwoJfQp9Owo8L3NjcmlwdD4KPC9oZWFkPgo8Ym9keSBvbmxvYWQ9Imxv YWQoKSI+CjxkaXYgaWQ9J2NvbnRlbnQnPjwvZGl2Pgo8L2JvZHk+CjwvaHRtbD4=