Bug 29093 - [V8] HTML attribute listeners leak memory.
Summary: [V8] HTML attribute listeners leak memory.
Alias: None
Product: WebKit
Classification: Unclassified
Component: WebCore Misc. (show other bugs)
Version: 528+ (Nightly build)
Hardware: PC All
: P2 Normal
Assignee: Nobody
Depends on:
Reported: 2009-09-09 10:29 PDT by Vitaly Repeshko
Modified: 2014-12-16 00:48 PST (History)
1 user (show)

See Also:

Test page to demonstrate the leak. (335 bytes, text/html)
2009-09-09 10:32 PDT, Vitaly Repeshko
no flags Details

Note You need to log in before you can comment on or make changes to this bug.
Description Vitaly Repeshko 2009-09-09 10:29:58 PDT
[V8] HTML attribute listeners leak memory.

Creating DOM elements using innerHTML with listeners will leak memory in case these listeners are invoked at least once.

function leak() {
  var node = document.createElement("span");
  node.innerHTML = "<span onclick=''></span>";
  node.childNodes[0].onclick();  // (*)

If you remove (*) line everything is back to normal. The cycle looks like this:

  C++ Span Element <---------------------- JS node wrapper
        |                                        ^
        v                                        |
V8LazyEventListener --[strong handle]--> JS function (onclick)

The reference between JS function and JS wrapper gets created in V8LazyEventListener when it lazily compiles the function. This is very similar to http://crbug.com/17400 but with a different C++ listener type.

This can be fixed like http://crbug.com/17400 by making the handle in V8LazyEventListener weak and adding a hidden dependency from JS wrapper to JS function to prevent the function from being collected.
Comment 1 Vitaly Repeshko 2009-09-09 10:32:07 PDT
Created attachment 39277 [details]
Test page to demonstrate the leak.
Comment 2 Brian Burg 2014-12-16 00:48:28 PST
Closing some V8-related work items.