I'm investigating a leak in the MessagePort/MessageChannel code. Basically,
if I have a page that looks like this:

<script>
new MessageChannel();
</script>

We leak two MessagePorts every time we reload the page.

The WebCore::MessageChannel impl object has two RefPtrs to two MessagePort
objects. When I reload the page, the MessageChannel DOMWrapper V8 object is
GC'd, leading to the MessageChannel impl object getting deref'd and freed.

The problem is that the V8 MessageChannel constructor has this code:

    // Create references from the MessageChannel wrapper to the two
    // MessagePort wrappers to make sure that the MessagePort wrappers
    // stay alive as long as the MessageChannel wrapper is around.
    messageChannel->SetInternalField(kMessageChannelPort1Index,
        V8DOMWrapper::convertToV8Object(V8ClassIndex::MESSAGEPORT, obj->port1()));
    messageChannel->SetInternalField(kMessageChannelPort2Index,
        V8DOMWrapper::convertToV8Object(V8ClassIndex::MESSAGEPORT, obj->port2()));

    // Setup the standard wrapper object internal fields.
    V8DOMWrapper::setDOMWrapper(messageChannel, V8ClassIndex::MESSAGECHANNEL, obj.get());

Those two MessagePort DOMWrappers don't seem to get freed, so they hold a
reference to the underlying MessagePort impl objects.

There are a few things I don't understand here:

1) I don't get why we need to explicitly keep a special reference to the
MessagePorts here in internal fields - we don't seem to do that for other
DOM Wrappers that have references like this (e.g. SharedWorker.port).
2) Is there a good way to figure out why the garbage collector isn't
collecting these references also, short of stepping through the V8 GC code?
How do people typically track this stuff?

Any pointers would be much appreciated.

-atw

-- 
Chromium Developers mailing list: chromium-dev@googlegroups.com 
View archives, change email options, or unsubscribe: 
    http://groups.google.com/group/chromium-dev
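Added example, not from this thread and not Chromium or V8 code: a toy C++ model of the wrapper/impl arrangement the post describes, with a refcount-based leak counter of the kind a developer would use to track whether impl objects survive a reload. `Impl`, `Wrapper`, `Heap` and `liveImplsAfterReload` are all hypothetical stand-ins; the MessageChannel impl owns its two MessagePort impls via RefPtr-style members, each wrapper holds one strong reference to its impl, and the channel wrapper references the two port wrappers through internal fields, as in the constructor snippet above. The `pinPortWrappers` branch models one way the observed symptom could arise (some extra strong root keeping the port wrappers alive after the channel wrapper is gone); it is an assumption for illustration, not a diagnosis of the actual leak.

```cpp
#include <cstdio>
#include <set>
#include <vector>

// Hypothetical stand-in for a WebCore RefCounted impl object (MessagePort,
// MessageChannel). liveCount is the leak counter this example checks.
struct Impl {
    static int liveCount;
    int refCount = 0;
    std::vector<Impl*> owned;   // RefPtr members, e.g. MessageChannel's port1/port2
    Impl() { ++liveCount; }
    ~Impl() { for (Impl* o : owned) o->deref(); --liveCount; }
    void ref() { ++refCount; }
    void deref() { if (--refCount == 0) delete this; }
    void own(Impl* o) { o->ref(); owned.push_back(o); }
};
int Impl::liveCount = 0;

// Hypothetical stand-in for a V8 DOM wrapper: traced by the GC, holds one
// strong reference to its impl, and may point at other wrappers through
// internal fields (as the MessageChannel wrapper does for port1/port2).
struct Wrapper {
    Impl* impl;
    std::vector<Wrapper*> internalFields;
    bool marked = false;
    explicit Wrapper(Impl* i) : impl(i) { impl->ref(); }
    ~Wrapper() { impl->deref(); }
};

// Toy mark-and-sweep heap. Roots model persistent handles and the page's
// script context; everything reachable from a root via internal fields
// survives, everything else is swept (which derefs its impl).
class Heap {
public:
    ~Heap() { for (Wrapper* w : objects_) delete w; }
    Wrapper* allocate(Impl* impl) {
        Wrapper* w = new Wrapper(impl);
        objects_.push_back(w);
        return w;
    }
    void addRoot(Wrapper* w) { roots_.insert(w); }
    void removeRoot(Wrapper* w) { roots_.erase(w); }

    // Returns the number of wrappers swept by this collection.
    size_t collect() {
        for (Wrapper* w : objects_) w->marked = false;
        std::vector<Wrapper*> stack(roots_.begin(), roots_.end());
        while (!stack.empty()) {                       // mark phase
            Wrapper* w = stack.back();
            stack.pop_back();
            if (w->marked) continue;
            w->marked = true;
            for (Wrapper* f : w->internalFields) stack.push_back(f);
        }
        size_t swept = 0;                              // sweep phase
        std::vector<Wrapper*> survivors;
        for (Wrapper* w : objects_) {
            if (w->marked) survivors.push_back(w);
            else { delete w; ++swept; }
        }
        objects_.swap(survivors);
        return swept;
    }
    size_t liveWrappers() const { return objects_.size(); }
private:
    std::vector<Wrapper*> objects_;
    std::set<Wrapper*> roots_;
};

// Build `new MessageChannel()` as in the post, then "reload": drop the
// script's root to the channel wrapper and collect. With pinPortWrappers the
// port wrappers are also registered as roots (assumed extra strong handle),
// which is enough to keep both MessagePort impls alive. Returns the number of
// impl objects still alive after the collection.
int liveImplsAfterReload(bool pinPortWrappers) {
    Heap heap;
    Impl* channel = new Impl();   // MessageChannel impl
    Impl* port1 = new Impl();     // MessagePort impls
    Impl* port2 = new Impl();
    channel->own(port1);          // RefPtr<MessagePort> members
    channel->own(port2);

    Wrapper* channelWrapper = heap.allocate(channel);
    Wrapper* port1Wrapper = heap.allocate(port1);
    Wrapper* port2Wrapper = heap.allocate(port2);
    // Equivalent of the two SetInternalField calls in the constructor.
    channelWrapper->internalFields = {port1Wrapper, port2Wrapper};

    heap.addRoot(channelWrapper);                 // held by the page's script
    if (pinPortWrappers) {
        heap.addRoot(port1Wrapper);
        heap.addRoot(port2Wrapper);
    }

    heap.removeRoot(channelWrapper);              // reload: script context goes away
    heap.collect();
    return Impl::liveCount;                       // 0 if everything was freed
}

int main() {
    std::printf("impls alive, no extra roots: %d\n", liveImplsAfterReload(false));
    std::printf("impls alive, port wrappers pinned: %d\n", liveImplsAfterReload(true));
    return 0;
}
```

The leak counter is the useful part for question 2: wrapping the impl constructor/destructor in a live-object count (or an allocation log) and checking it after a forced GC tells you which impls survive without stepping through the collector, and then the remaining question is only what root keeps their wrappers marked.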