227 bytes, text/html
336 bytes, text/html
95.12 KB, application/x-bzip
Move the fragment mode flag upwards, avoid running some nsContentSink initialization steps if it is set
6.29 KB, patch
|Details | Diff | Splinter Review|
[Changed platform to x86; since WOW64 in user agent indicates 32bit build of Firefox (platform refers to browser build, not OS)].
OK, I can _definitely_ reproduce on the attached testcase. Henri, any idea what's going on here? roc, do we have a good way of dumping out the heap to see where the memory is used?
6 years ago
Created attachment 529477 [details] Less minimal testcase to show its not just document.body or empty string Ed: I will remember that for next time.
Comment on attachment 529477 [details] Less minimal testcase to show its not just document.body or empty string That select box for text/html when adding an attachment keeps setting it as text/plain...
(In reply to comment #0) > This memory will not be freed until the page is > refreshed or tab closed. I can even navigate other pages in the same tab > without a memory free occurring. Sure sounds like the cached fragment parsing holding onto something that it shouldn't hold onto. (In reply to comment #3) > Henri, any idea what's going on here? Not right away, no. http://mxr.mozilla.org/mozilla-central/source/parser/html/nsHtml5Parser.cpp#553 is supposed to drop what there is to drop at the end of each fragment parse.
Created attachment 529488 [details] Massif output This is a massif output I got from running iceweasel 4.0 (basically, the same as firefox 4.0) with a more or less fresh profile, starting directly on the less minimal testcase.
OK, well, the first thing that shows is that nsHtml5Parser::ParseHtml5Fragment calls nsContentSink::Init which calls nsScriptLoader::AddObserver (passing a shim that makes sure that the content sink is not holding a strong ref to the sink). There is no corresponding RemoveObserver call, as far as I can see. So the script loader's observer array keeps growing at one word per innerHTML set (modulo whatever reallocation algorithm that code actually uses). The page does 0xFFF sets per interval firing; that's every 10ms in Fx4 and every 4ms on trunk if the processor is keeping up. So we should expect about 3.3MB/s growth on 64-bit in Fx4 and about 9MB on trunk. That actually matches my numbers pretty closely.
Henri, the fragment parser doesn't even need to be a script loader observer, right?
Created attachment 529520 [details] [diff] [review] Hackeypatch to test that theory With this change, memory usage on the testcase in this bug is stable for me.
/me is watching this bug with *intense* interest :)
Hughmann: BTW, thanks for a *wonderful* bug report and test case. We get so many vague leak reports -- "I browse for a while, close all my tabs, and Firefox still holds onto lots of memory" -- that specific reports like this are extremely valuable.
Yeah, I meant to say that, actually. This is by far the best "memory leaks" report I've seen, complete with steps to reproduce and a characterization of how long the memory leaks for. This made hunting this down much much easier!
FWIW this is good stuff but I don't think it explains bugs like 653817, where memory usage persists after closing all tabs that contained Web apps.
Indeed. There's not a "the leak"...
I was actually trying to make a memory rise/leak around bug 650350 comment 10 at the time without much success before finding that the line I was using for clearing the page was eating memory... not helpful for that test. I have just run the test in Firefox 3.6.14 where it does not cause any memory rise. So its a regression of some sort for 4.0.
Yeah, this is specific to the HTML5 parser, which first shipped in 4.0.
Created attachment 529685 [details] [diff] [review] Move the fragment mode flag upwards, avoid running some nsContentSink initialization steps if it is set (In reply to comment #9) > Henri, the fragment parser doesn't even need to be a script loader observer, > right? Right, AFAICT. (In reply to comment #12) > Hughmann: BTW, thanks for a *wonderful* bug report and test case. Indeed. Very useful. Thank you.
Comment on attachment 529685 [details] [diff] [review] Move the fragment mode flag upwards, avoid running some nsContentSink initialization steps if it is set >+ mCanInterruptParser = mFragmentMode ? PR_FALSE : sCanInterruptParser; I'd prefer: mCanInterruptParser = !mFragmentMode && sCanInterruptParser; r=me with that.
This isn't FF5-specific, so minusing for tracking-firefox5, but once this lands and is happy on central, would be nice to see an approval nom for aurora
(In reply to comment #19) > I'd prefer: > > mCanInterruptParser = !mFragmentMode && sCanInterruptParser; > > r=me with that. Thanks. Landed with the change: http://hg.mozilla.org/mozilla-central/rev/c3c4c902e9cd
Great work Hughmann, Henri and bz!
Comment on attachment 529685 [details] [diff] [review] Move the fragment mode flag upwards, avoid running some nsContentSink initialization steps if it is set I think we'll want this for 5.
Should the mozilla-2.0 branch also be patched? If there is going to be a security update for 4.0 before 5.0 then I think it would be a good idea.
Barring a zero-day there are no more security updates planned before 5.0.
Landed in Aurora: http://hg.mozilla.org/releases/mozilla-aurora/rev/e56b37ce413b
Mozilla/5.0 (X11; Linux i686; rv:6.0) Gecko/20100101 Firefox/6.0 I've tried to verify whether this issue was fixed using the following steps: 1. Opened the attached testcase: "Simplest testcase that still...." 2. Opened a task manager and start observing memory and CPU consumption What happened is that memory didn't increase. Is this the intended behavior for this patch? Thanks!
George: yes. If you try Firefox 4 you should see the memory usage increase.
(In reply to comment #29) > George: yes. If you try Firefox 4 you should see the memory usage increase. Great! Considering your comment and the fact that this is no longer reproducible on Firefox 6.0b3 I am setting the status to Verified Fixed. Thanks!