UStrings used for several purposes. Valgrind reports that many of them are not freed (1491). To be more precise, their UString::Rep is not freed. Unfortunately this happens only when heavy scripting is used on the opened page, like www.google.com. I couldn't make a small example so far. Note: https://bugs.webkit.org/show_bug.cgi?id=27980 This patch applied to the source, so many global objects are freed (UStrings as well). Finally, I have found useful unfreed range of objects. I mean their rc (ref count) is not overwritten too many times. (I just make the long story short here) One of them is "moveBy". (I am sure it is not a builtin string) Created here: #0 JSC::UString::Rep::repCreated (this=0x83edf80) at ../../../JavaScriptCore/runtime/UString.cpp:280 #1 0xb6842b22 in Rep (this=0x83edf80, length=6) at ../../../JavaScriptCore/runtime/UString.h:166 #2 0xb6842b76 in BaseString (this=0x83edf80, buffer=0x83edf70, length=6, additionalCapacity=0) at ../../../JavaScriptCore/runtime/UString.h:226 #3 0xb68ac05e in JSC::UString::Rep::create (buffer=0x83edf70, length=6) at ../../../JavaScriptCore/runtime/UString.h:88 #4 0xb68ad8fa in JSC::CStringTranslator::translate (location=@0x83ea750, c=0xb793c897 "moveBy", hash=230789120) at ../../../JavaScriptCore/runtime/Identifier.cpp:117 #5 0xb68ad959 in WTF::HashSetTranslatorAdapter<JSC::UString::Rep*, WTF::HashTraits<JSC::UString::Rep*>, char const*, JSC::CStringTranslator>::translate (location=@0x83ea750, key=@0xbfd23e78, hashCode=230789120) at ../../../JavaScriptCore/wtf/HashSet.h:108 #6 0xb68adcc3 in WTF::HashTable<JSC::UString::Rep*, JSC::UString::Rep*, WTF::IdentityExtractor<JSC::UString::Rep*>, WTF::StrHash<JSC::UString::Rep*>, WTF::HashTraits<JSC::UString::Rep*>, WTF::HashTraits<JSC::UString::Rep*> >::addPassingHashCode<char const*, char const*, WTF::HashSetTranslatorAdapter<JSC::UString::Rep*, WTF::HashTraits<JSC::UString::Rep*>, char const*, JSC::CStringTranslator> > (this=0x83d12ec, key=@0xbfd23e78, extra=@0xbfd23e78) at ../../../JavaScriptCore/wtf/HashTable.h:728 #7 0xb68adf75 in WTF::HashSet<JSC::UString::Rep*, WTF::StrHash<JSC::UString::Rep*>, WTF::HashTraits<JSC::UString::Rep*> >::add<char const*, JSC::CStringTranslator> (this=0x83d12ec, value=@0xbfd23e78) at ../../../JavaScriptCore/wtf/HashSet.h:216 #8 0xb68adff6 in JSC::IdentifierTable::add<char const*, JSC::CStringTranslator> (this=0x83d12e8, value=0xb793c897 "moveBy") at ../../../JavaScriptCore/runtime/Identifier.cpp:54 #9 0xb68ae1f4 in JSC::Identifier::add (globalData=0x83d0658, c=0xb793c897 "moveBy") at ../../../JavaScriptCore/runtime/Identifier.cpp:144 #10 0xb68c5281 in JSC::HashTable::createTable (this=0xb7eddb10, globalData=0x83d0658) at ../../../JavaScriptCore/runtime/Lookup.cpp:36 #11 0xb67ff9e4 in JSC::HashTable::initializeIfNeeded (this=0xb7eddb10, exec=0x83de6bc) at ../../../JavaScriptCore/runtime/Lookup.h:124 #12 0xb67ffa0e in JSC::HashTable::entry (this=0xb7eddb10, exec=0x83de6bc, identifier=@0x83d2d80) at ../../../JavaScriptCore/runtime/Lookup.h:138 #13 0xb696b9fe in WebCore::JSDOMWindow::getOwnPropertySlot (this=0xb3200080, exec=0x83de6bc, propertyName=@0x83d2d80, slot=@0xbfd240d8) at ../../../WebCore/bindings/js/JSDOMWindowCustom.cpp:184 #14 0xb67dabfd in JSC::JSCell::fastGetOwnPropertySlot (this=0xb3200080, exec=0x83de6bc, propertyName=@0x83d2d80, slot=@0xbfd240d8) at ../../../JavaScriptCore/runtime/JSObject.h:363 (More stack frames follow...) Its reference counter is accessed here (watch *(int*)address_of(rc)): Old value = 1 New value = 2 #0 0xb67bdd9a in JSC::UString::Rep::ref (this=0x83edf80) at ../../../JavaScriptCore/runtime/UString.h:135 #1 0xb67c2070 in RefPtr (this=0xbfd23efc, ptr=0x83edf80) at ../../../JavaScriptCore/wtf/RefPtr.h:39 #2 0xb68ae273 in JSC::Identifier::add (globalData=0x83d0658, c=0xb793c897 "moveBy") at ../../../JavaScriptCore/runtime/Identifier.cpp:150 #3 0xb68c5281 in JSC::HashTable::createTable (this=0xb7eddb10, globalData=0x83d0658) at ../../../JavaScriptCore/runtime/Lookup.cpp:36 #4 0xb67ff9e4 in JSC::HashTable::initializeIfNeeded (this=0xb7eddb10, exec=0x83de6bc) at ../../../JavaScriptCore/runtime/Lookup.h:124 #5 0xb67ffa0e in JSC::HashTable::entry (this=0xb7eddb10, exec=0x83de6bc, identifier=@0x83d2d80) at ../../../JavaScriptCore/runtime/Lookup.h:138 #6 0xb696b9fe in WebCore::JSDOMWindow::getOwnPropertySlot (this=0xb3200080, exec=0x83de6bc, propertyName=@0x83d2d80, slot=@0xbfd240d8) at ../../../WebCore/bindings/js/JSDOMWindowCustom.cpp:184 #7 0xb67dabfd in JSC::JSCell::fastGetOwnPropertySlot (this=0xb3200080, exec=0x83de6bc, propertyName=@0x83d2d80, slot=@0xbfd240d8) at ../../../JavaScriptCore/runtime/JSObject.h:363 #8 0xb67dac42 in JSC::JSObject::getPropertySlot (this=0xb3200080, exec=0x83de6bc, propertyName=@0x83d2d80, slot=@0xbfd240d8) at ../../../JavaScriptCore/runtime/JSObject.h:372 #9 0xb68bce5d in JSC::JSObject::hasProperty (this=0xb3200080, exec=0x83de6bc, propertyName=@0x83d2d80) at ../../../JavaScriptCore/runtime/JSObject.cpp:172 #10 0xb6838da0 in BytecodeGenerator (this=0x83ebad8, programNode=0x83eb638, debugger=0x0, scopeChain=@0xbfd242c0, symbolTable=0x83de74c, codeBlock=0x83eb868) at ../../../JavaScriptCore/bytecompiler/BytecodeGenerator.cpp:266 #11 0xb68a5e74 in JSC::ProgramExecutable::compile (this=0xbfd24328, exec=0x83de6bc, scopeChainNode=0x83df248) at ../../../JavaScriptCore/runtime/Executable.cpp:107 #12 0xb68aee4e in JSC::evaluate (exec=0x83de6bc, scopeChain=@0x83de678, source=@0xbfd24778, thisValue= {u = {asEncodedJSValue = -5584715776, asDouble = -nan(0xffffeb3200000), asBits = {payload = -1289748480, tag = -2}}}) at ../../../JavaScriptCore/runtime/Completion.cpp:53 #13 0xb69b5c42 in WebCore::ScriptController::evaluate (this=0x813d410, sourceCode=@0xbfd24774) at ../../../WebCore/bindings/js/ScriptController.cpp:115 #14 0xb6d83070 in WebCore::FrameLoader::executeScript (this=0x813d18c, sourceCode=@0xbfd24774) at ../../../WebCore/loader/FrameLoader.cpp:776 (More stack frames follow...) Old value = 2 New value = 3 #0 0xb67bdd9a in JSC::UString::Rep::ref (this=0x83edf80) at ../../../JavaScriptCore/runtime/UString.h:135 #1 0xb67c6941 in WTF::RefPtr<JSC::UString::Rep>::operator= (this=0x83e7bcc, o=@0xbfd23efc) at ../../../JavaScriptCore/wtf/RefPtr.h:96 #2 0xb68ac854 in WTF::HashMapTranslator<std::pair<char const*, WTF::RefPtr<JSC::UString::Rep> >, WTF::PairHashTraits<WTF::HashTraits<char const*>, WTF::HashTraits<WTF::RefPtr<JSC::UString::Rep> > >, WTF::PtrHash<char const*> >::translate (location=@0x83e7bc8, key=@0xbfd23f28, mapped=@0xbfd23efc) at ../../../JavaScriptCore/wtf/HashMap.h:106 #3 0xb68ad532 in WTF::HashTable<char const*, std::pair<char const*, WTF::RefPtr<JSC::UString::Rep> >, WTF::PairFirstExtractor<std::pair<char const*, WTF::RefPtr<JSC::UString::Rep> > >, WTF::PtrHash<char const*>, WTF::PairHashTraits<WTF::HashTraits<char const*>, WTF::HashTraits<WTF::RefPtr<JSC::UString::Rep> > >, WTF::HashTraits<char const*> >::add<char const*, WTF::RefPtr<JSC::UString::Rep>, WTF::HashMapTranslator<std::pair<char const*, WTF::RefPtr<JSC::UString::Rep> >, WTF::PairHashTraits<WTF::HashTraits<char const*>, WTF::HashTraits<WTF::RefPtr<JSC::UString::Rep> > >, WTF::PtrHash<char const*> > > (this=0x83d1308, key=@0xbfd23f28, extra=@0xbfd23efc) at ../../../JavaScriptCore/wtf/HashTable.h:681 #4 0xb68ad7eb in WTF::HashMap<char const*, WTF::RefPtr<JSC::UString::Rep>, WTF::PtrHash<char const*>, WTF::HashTraits<char const*>, WTF::HashTraits<WTF::RefPtr<JSC::UString::Rep> > >::inlineAdd (this=0x83d1308, key=@0xbfd23f28, mapped=@0xbfd23efc) at ../../../JavaScriptCore/wtf/HashMap.h:181 #5 0xb68ad871 in WTF::HashMap<char const*, WTF::RefPtr<JSC::UString::Rep>, WTF::PtrHash<char const*>, WTF::HashTraits<char const*>, WTF::HashTraits<WTF::RefPtr<JSC::UString::Rep> > >::add (this=0x83d1308, key=@0xbfd23f28, mapped=@0xbfd23efc) at ../../../JavaScriptCore/wtf/HashMap.h:200 #6 0xb68ae293 in JSC::Identifier::add (globalData=0x83d0658, c=0xb793c897 "moveBy") at ../../../JavaScriptCore/runtime/Identifier.cpp:150 #7 0xb68c5281 in JSC::HashTable::createTable (this=0xb7eddb10, globalData=0x83d0658) at ../../../JavaScriptCore/runtime/Lookup.cpp:36 #8 0xb67ff9e4 in JSC::HashTable::initializeIfNeeded (this=0xb7eddb10, exec=0x83de6bc) at ../../../JavaScriptCore/runtime/Lookup.h:124 #9 0xb67ffa0e in JSC::HashTable::entry (this=0xb7eddb10, exec=0x83de6bc, identifier=@0x83d2d80) at ../../../JavaScriptCore/runtime/Lookup.h:138 #10 0xb696b9fe in WebCore::JSDOMWindow::getOwnPropertySlot (this=0xb3200080, exec=0x83de6bc, propertyName=@0x83d2d80, slot=@0xbfd240d8) at ../../../WebCore/bindings/js/JSDOMWindowCustom.cpp:184 #11 0xb67dabfd in JSC::JSCell::fastGetOwnPropertySlot (this=0xb3200080, exec=0x83de6bc, propertyName=@0x83d2d80, slot=@0xbfd240d8) at ../../../JavaScriptCore/runtime/JSObject.h:363 #12 0xb67dac42 in JSC::JSObject::getPropertySlot (this=0xb3200080, exec=0x83de6bc, propertyName=@0x83d2d80, slot=@0xbfd240d8) at ../../../JavaScriptCore/runtime/JSObject.h:372 #13 0xb68bce5d in JSC::JSObject::hasProperty (this=0xb3200080, exec=0x83de6bc, propertyName=@0x83d2d80) at ../../../JavaScriptCore/runtime/JSObject.cpp:172 #14 0xb6838da0 in BytecodeGenerator (this=0x83ebad8, programNode=0x83eb638, debugger=0x0, scopeChain=@0xbfd242c0, symbolTable=0x83de74c, codeBlock=0x83eb868) at ../../../JavaScriptCore/bytecompiler/BytecodeGenerator.cpp:266 (More stack frames follow...) Old value = 3 New value = 2 #0 0xb67bedf3 in JSC::UString::Rep::deref (this=0x83edf80) at ../../../JavaScriptCore/runtime/UString.h:136 #1 0xb67bee3f in ~RefPtr (this=0xbfd23efc) at ../../../JavaScriptCore/wtf/RefPtr.h:51 #2 0xb68ae2b2 in JSC::Identifier::add (globalData=0x83d0658, c=0xb793c897 "moveBy") at ../../../JavaScriptCore/runtime/Identifier.cpp:150 #3 0xb68c5281 in JSC::HashTable::createTable (this=0xb7eddb10, globalData=0x83d0658) at ../../../JavaScriptCore/runtime/Lookup.cpp:36 #4 0xb67ff9e4 in JSC::HashTable::initializeIfNeeded (this=0xb7eddb10, exec=0x83de6bc) at ../../../JavaScriptCore/runtime/Lookup.h:124 #5 0xb67ffa0e in JSC::HashTable::entry (this=0xb7eddb10, exec=0x83de6bc, identifier=@0x83d2d80) at ../../../JavaScriptCore/runtime/Lookup.h:138 #6 0xb696b9fe in WebCore::JSDOMWindow::getOwnPropertySlot (this=0xb3200080, exec=0x83de6bc, propertyName=@0x83d2d80, slot=@0xbfd240d8) at ../../../WebCore/bindings/js/JSDOMWindowCustom.cpp:184 #7 0xb67dabfd in JSC::JSCell::fastGetOwnPropertySlot (this=0xb3200080, exec=0x83de6bc, propertyName=@0x83d2d80, slot=@0xbfd240d8) at ../../../JavaScriptCore/runtime/JSObject.h:363 #8 0xb67dac42 in JSC::JSObject::getPropertySlot (this=0xb3200080, exec=0x83de6bc, propertyName=@0x83d2d80, slot=@0xbfd240d8) at ../../../JavaScriptCore/runtime/JSObject.h:372 #9 0xb68bce5d in JSC::JSObject::hasProperty (this=0xb3200080, exec=0x83de6bc, propertyName=@0x83d2d80) at ../../../JavaScriptCore/runtime/JSObject.cpp:172 #10 0xb6838da0 in BytecodeGenerator (this=0x83ebad8, programNode=0x83eb638, debugger=0x0, scopeChain=@0xbfd242c0, symbolTable=0x83de74c, codeBlock=0x83eb868) at ../../../JavaScriptCore/bytecompiler/BytecodeGenerator.cpp:266 #11 0xb68a5e74 in JSC::ProgramExecutable::compile (this=0xbfd24328, exec=0x83de6bc, scopeChainNode=0x83df248) at ../../../JavaScriptCore/runtime/Executable.cpp:107 #12 0xb68aee4e in JSC::evaluate (exec=0x83de6bc, scopeChain=@0x83de678, source=@0xbfd24778, thisValue= {u = {asEncodedJSValue = -5584715776, asDouble = -nan(0xffffeb3200000), asBits = {payload = -1289748480, tag = -2}}}) at ../../../JavaScriptCore/runtime/Completion.cpp:53 #13 0xb69b5c42 in WebCore::ScriptController::evaluate (this=0x813d410, sourceCode=@0xbfd24774) at ../../../WebCore/bindings/js/ScriptController.cpp:115 #14 0xb6d83070 in WebCore::FrameLoader::executeScript (this=0x813d18c, sourceCode=@0xbfd24774) at ../../../WebCore/loader/FrameLoader.cpp:776 (More stack frames follow...) Old value = 2 New value = 1 #0 0xb67bedf3 in JSC::UString::Rep::deref (this=0x83edf80) at ../../../JavaScriptCore/runtime/UString.h:136 #1 0xb67bee3f in ~RefPtr (this=0x843100c) at ../../../JavaScriptCore/wtf/RefPtr.h:51 #2 0xb68ac950 in ~pair (this=0x8431008) at /nfs_root_dir/usr/bin/../lib/gcc/../../include/c++/4.3/bits/stl_pair.h:73 #3 0xb68ad1de in WTF::HashTable<char const*, std::pair<char const*, WTF::RefPtr<JSC::UString::Rep> >, WTF::PairFirstExtractor<std::pair<char const*, WTF::RefPtr<JSC::UString::Rep> > >, WTF::PtrHash<char const*>, WTF::PairHashTraits<WTF::HashTraits<char const*>, WTF::HashTraits<WTF::RefPtr<JSC::UString::Rep> > >, WTF::HashTraits<char const*> >::deallocateTable (table=0x842eb18, size=2048) at ../../../JavaScriptCore/wtf/HashTable.h:872 #4 0xb68ae454 in ~HashTable (this=0x83d1308) at ../../../JavaScriptCore/wtf/HashTable.h:296 #5 0xb68ae4c3 in ~HashMap (this=0x83d1308) at ../../../JavaScriptCore/wtf/HashMap.h:32 #6 0xb68ae624 in ~IdentifierTable (this=0x83d12e8) at ../../../JavaScriptCore/runtime/Identifier.cpp:42 #7 0xb68ae702 in JSC::deleteIdentifierTable (table=0x83d12e8) at ../../../JavaScriptCore/runtime/Identifier.cpp:75 #8 0xb67e3f3f in ~JSGlobalData (this=0x83d0658) at ../../../JavaScriptCore/runtime/JSGlobalData.cpp:193 #9 0xb6960bb2 in globalDataFree (ptr=0xb7edf854) at ../../../WebCore/bindings/js/JSDOMWindowBase.cpp:169 #10 0xb67bcfbc in WTF::StaticPtrBase::freeStaticPtrs () at ../../../JavaScriptCore/wtf/StaticPtrBase.cpp:41 #11 0xb70923b1 in qt_drt_freeStaticPtrs () at ../../../WebKit/qt/Api/qwebframe.cpp:196 #12 0x080591e4 in launcherMain (app=@0xbfd254b8) at /home/hzoli/Webkit-ARM/WebKit-arm/WebKit/qt/QtLauncher/main.cpp:426 #13 0x08059ae1 in main (argc=Cannot access memory at address 0x39 ) at /home/hzoli/Webkit-ARM/WebKit-arm/WebKit/qt/QtLauncher/main.cpp:478 The last deref is called by the static pointers patch (freeStaticPtrs). RefCount transition to 2->3->2 is caused by an access in Identifier.cpp:150 Apart from the last deref, the object is only accessed inside: JSC::HashTable::initializeIfNeeded (this=0xb7eddb10, ...) Probably the second ref() keeps the object alive forever. Any idea would be apprecaited.