On Sep 29, 2009, at 10:31 AM, Anton Muhin wrote:
> This 5 number looks really odd. Do you have a simple way to reproduce
> it? I'd love to have a look.
Ivan suggested to me that it might take five to ten GCs; he said
something about cached generated (JITted?) functions that have a
context pointer referencing that context, and that it takes a number
of GCs for those to be evicted from the cache.
The newer (two-file) test case in the bug report I linked to
demonstrates the problem. The symptom is the second instance of
WebCore::Document, the one corresponding to the closed tab, not being
freed. You may want to set a breakpoint on the destructor, or add a
printf, to watch this.
> The only hypothesis I immediately have
> a long chain of JS wrapper - native something: wrapper gets collected,
> releases native wrapper which makes another JS wrapper collectable...
I don't think that's the case. There are very few DOM objects left
around in this test case, mostly just the Documents themselves.
Running with the --print_global_handles flag, I didn't see handles
going away after each collection, only after the fifth.
> There are indeed two global objects (and it is explicitly required by
> HTML 5 and it's the way most of browser implements it): global object
> proxy which forwards everything to a 'real' global object which is a
> window. If you can give more explanations which of properties should
> be retained after context disposal and when it's free to clear them,
> that'd be really helpful.
This relates to the WebCore::V8Proxy object, which manages V8 global
state for a document. It keeps a persistent handle to a v8::Context
and another to its globals. In some cases I don't entirely understand
(when navigating to a new page?) it's told to dispose the context, but
it detaches the globals and keeps the handle. Then later, I think, it
can be told to regenerate a context using those globals, maybe when
the user goes back to that page. But when the tab is closed or the
frame is otherwise disposed, the V8Proxy is also disposed, and its
destructor disposes the handle to the globals as well as the context.
So at the point that the V8Proxy disposes its context handle, I would
like the v8::Context object not to have any more references to the
globals, so that if the frame is closed (and the proxy deleted) the
DOM objects pointed to by the globals can be collected.
I don't think it's safe to selectively pull properties out of the
globals, because the globals might be re-used later for a new context
and they need to be in the same shape they were in before. The only
point where I know it's safe to delete properties is in the V8Proxy's
destructor, because I know it's not going to be re-used; but by that
point there is no context anymore so it's difficult to invoke V8 calls
to modify the global properties.
—Jens
--~--~---------~--~----~------------~-------~--~----~
Chromium Developers mailing list: chromium-dev@googlegroups.com
View archives, change email options, or unsubscribe:
http://groups.google.com/group/chromium-dev
-~----------~----~----~----~------~----~------~--~---
