Bug 29093 - [V8] HTML attribute listeners leak memory.
Summary: [V8] HTML attribute listeners leak memory.
Status: RESOLVED INVALID
Alias: None
Product: WebKit
Classification: Unclassified
Component: WebCore Misc.
Version: 528+ (Nightly build)
Hardware: PC All
Importance: P2 Normal
Assignee: Nobody
Reported: 2009-09-09 10:29 PDT by Vitaly Repeshko
Modified: 2014-12-16 00:48 PST

Attachments
Test page to demonstrate the leak. (335 bytes, text/html), 2009-09-09 10:32 PDT, Vitaly Repeshko

Description Vitaly Repeshko 2009-09-09 10:29:58 PDT
[V8] HTML attribute listeners leak memory.

Creating DOM elements using innerHTML with listeners will leak memory if these listeners are invoked at least once.

function leak() {
  var node = document.createElement("span");
  // The onclick attribute creates a V8LazyEventListener; the handler body
  // is not compiled until the listener is first invoked.
  node.innerHTML = "<span onclick=''></span>";
  node.childNodes[0].onclick();  // (*) forces lazy compilation; this line triggers the leak
}

If you remove the (*) line, everything is back to normal. The cycle looks like this:

  C++ Span Element <---------------------- JS node wrapper
        |                                        ^
        v                                        |
V8LazyEventListener --[strong handle]--> JS function (onclick)

The reference between JS function and JS wrapper gets created in V8LazyEventListener when it lazily compiles the function. This is very similar to http://crbug.com/17400 but with a different C++ listener type.

This can be fixed like http://crbug.com/17400 by making the handle in V8LazyEventListener weak and adding a hidden dependency from JS wrapper to JS function to prevent the function from being collected.
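As an added illustration that is not part of the bug report or of WebKit/V8 code: a small reachability model of the cycle above. Objects are nodes, strong references are edges, and a persistent strong handle held from C++ is treated as a GC root (that is the model's assumption about why the strong handle pins the cycle). With the buggy layout, the whole cycle stays reachable after the script drops the wrapper; with the proposed fix (weak handle plus a hidden wrapper-to-function dependency) everything becomes collectable while the function still survives as long as its wrapper does. Node names (`element`, `wrapper`, `listener`, `fn`) are the model's own.

```javascript
// Toy reachability model of the V8LazyEventListener cycle (added example,
// not WebKit or V8 code). Edges are strong references; roots are what the
// collector starts from. A strong persistent handle is modelled as a root.

function buildGraph({ weakListenerHandle }) {
  const edges = {
    element: ["listener"],   // C++ Span Element owns its V8LazyEventListener
    wrapper: ["element"],    // JS node wrapper -> C++ element
    listener: [],            // handle to the compiled function, filled in below
    fn: ["wrapper"],         // lazily compiled onclick references its wrapper
  };
  const roots = new Set();
  if (weakListenerHandle) {
    // Proposed fix: listener -> fn is weak (neither an edge nor a root), and
    // the wrapper carries a hidden dependency on fn so fn lives as long as it.
    edges.wrapper.push("fn");
  } else {
    // Buggy layout: the listener's strong persistent handle acts as a root.
    edges.listener.push("fn");
    roots.add("fn");
  }
  return { edges, roots };
}

// Plain mark phase: everything reachable from the root set is live.
function reachable(edges, roots) {
  const seen = new Set();
  const stack = [...roots];
  while (stack.length) {
    const n = stack.pop();
    if (seen.has(n)) continue;
    seen.add(n);
    for (const m of edges[n] || []) stack.push(m);
  }
  return seen;
}

// While leak() runs, the local `node` keeps the wrapper alive; after it
// returns, only the persistent roots remain. Whatever is still reachable
// then is leaked.
function collectedAfterScopeExit({ weakListenerHandle }) {
  const { edges, roots } = buildGraph({ weakListenerHandle });
  const whileHeld = reachable(edges, new Set([...roots, "wrapper"]));
  const afterDrop = reachable(edges, roots);
  return {
    whileHeld: [...whileHeld].sort(),
    leaked: [...afterDrop].sort(),
  };
}
```

Running `collectedAfterScopeExit({ weakListenerHandle: false })` reports all four objects as leaked; with `weakListenerHandle: true` the function is still live while the wrapper is held (via the hidden dependency) and nothing survives once the wrapper is dropped.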
Comment 1 Vitaly Repeshko 2009-09-09 10:32:07 PDT
Created attachment 39277
Test page to demonstrate the leak.
Comment 2 Brian Burg 2014-12-16 00:48:28 PST
Closing some V8-related work items.