227 bytes, text/html
336 bytes, text/html
95.12 KB, application/x-bzip
Move the fragment mode flag upwards, avoid running some nsContentSink initialization steps if it is set
6.29 KB, patch
|Details | Diff | Splinter Review|
Attachment #529472 - Attachment mime type: text/plain → text/html
[Changed platform to x86; since WOW64 in user agent indicates 32bit build of Firefox (platform refers to browser build, not OS)].
OK, I can _definitely_ reproduce on the attached testcase. Henri, any idea what's going on here? roc, do we have a good way of dumping out the heap to see where the memory is used?
tracking-firefox5: --- → ?
tracking-firefox6: --- → ?
Hardware: x86 → x86_64
Status: UNCONFIRMED → NEW
Component: General → HTML: Parser
Ever confirmed: true
QA Contact: general → parser
Created attachment 529477 [details] Less minimal testcase to show its not just document.body or empty string Ed: I will remember that for next time.
Comment on attachment 529477 [details] Less minimal testcase to show its not just document.body or empty string That select box for text/html when adding an attachment keeps setting it as text/plain...
Attachment #529477 - Attachment mime type: text/plain → text/html
(In reply to comment #0) > This memory will not be freed until the page is > refreshed or tab closed. I can even navigate other pages in the same tab > without a memory free occurring. Sure sounds like the cached fragment parsing holding onto something that it shouldn't hold onto. (In reply to comment #3) > Henri, any idea what's going on here? Not right away, no. http://mxr.mozilla.org/mozilla-central/source/parser/html/nsHtml5Parser.cpp#553 is supposed to drop what there is to drop at the end of each fragment parse.
Created attachment 529488 [details] Massif output This is a massif output I got from running iceweasel 4.0 (basically, the same as firefox 4.0) with a more or less fresh profile, starting directly on the less minimal testcase.
OK, well, the first thing that shows is that nsHtml5Parser::ParseHtml5Fragment calls nsContentSink::Init which calls nsScriptLoader::AddObserver (passing a shim that makes sure that the content sink is not holding a strong ref to the sink). There is no corresponding RemoveObserver call, as far as I can see. So the script loader's observer array keeps growing at one word per innerHTML set (modulo whatever reallocation algorithm that code actually uses). The page does 0xFFF sets per interval firing; that's every 10ms in Fx4 and every 4ms on trunk if the processor is keeping up. So we should expect about 3.3MB/s growth on 64-bit in Fx4 and about 9MB on trunk. That actually matches my numbers pretty closely.
Henri, the fragment parser doesn't even need to be a script loader observer, right?
Created attachment 529520 [details] [diff] [review] Hackeypatch to test that theory With this change, memory usage on the testcase in this bug is stable for me.
/me is watching this bug with *intense* interest :)
Hughmann: BTW, thanks for a *wonderful* bug report and test case. We get so many vague leak reports -- "I browse for a while, close all my tabs, and Firefox still holds onto lots of memory" -- that specific reports like this are extremely valuable.
Yeah, I meant to say that, actually. This is by far the best "memory leaks" report I've seen, complete with steps to reproduce and a characterization of how long the memory leaks for. This made hunting this down much much easier!
FWIW this is good stuff but I don't think it explains bugs like 653817, where memory usage persists after closing all tabs that contained Web apps.
Indeed. There's not a "the leak"...
I was actually trying to make a memory rise/leak around bug 650350 comment 10 at the time without much success before finding that the line I was using for clearing the page was eating memory... not helpful for that test. I have just run the test in Firefox 3.6.14 where it does not cause any memory rise. So its a regression of some sort for 4.0.
Yeah, this is specific to the HTML5 parser, which first shipped in 4.0.
Assignee: nobody → hsivonen
Status: NEW → ASSIGNED
Created attachment 529685 [details] [diff] [review] Move the fragment mode flag upwards, avoid running some nsContentSink initialization steps if it is set (In reply to comment #9) > Henri, the fragment parser doesn't even need to be a script loader observer, > right? Right, AFAICT. (In reply to comment #12) > Hughmann: BTW, thanks for a *wonderful* bug report and test case. Indeed. Very useful. Thank you.
Attachment #529520 - Attachment is obsolete: true
OS: Windows 7 → All
Hardware: x86_64 → All
Attachment #529685 - Flags: review?(bzbarsky)
Comment on attachment 529685 [details] [diff] [review] Move the fragment mode flag upwards, avoid running some nsContentSink initialization steps if it is set >+ mCanInterruptParser = mFragmentMode ? PR_FALSE : sCanInterruptParser; I'd prefer: mCanInterruptParser = !mFragmentMode && sCanInterruptParser; r=me with that.
Attachment #529685 - Flags: review?(bzbarsky) → review+
This isn't FF5-specific, so minusing for tracking-firefox5, but once this lands and is happy on central, would be nice to see an approval nom for aurora
tracking-firefox5: ? → -
(In reply to comment #19) > I'd prefer: > > mCanInterruptParser = !mFragmentMode && sCanInterruptParser; > > r=me with that. Thanks. Landed with the change: http://hg.mozilla.org/mozilla-central/rev/c3c4c902e9cd
Status: ASSIGNED → RESOLVED
Last Resolved: 8 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla6
Great work Hughmann, Henri and bz!
Keywords: mlk, testcase
Summary: Setting innerHTML on anything contributes to memory problem → Setting innerHTML leaks an observer until the page is closed
Comment on attachment 529685 [details] [diff] [review] Move the fragment mode flag upwards, avoid running some nsContentSink initialization steps if it is set I think we'll want this for 5.
Attachment #529685 - Flags: approval-mozilla-aurora?
Attachment #529685 - Flags: approval-mozilla-aurora? → approval-mozilla-aurora+
Should the mozilla-2.0 branch also be patched? If there is going to be a security update for 4.0 before 5.0 then I think it would be a good idea.
Barring a zero-day there are no more security updates planned before 5.0.
Landed in Aurora: http://hg.mozilla.org/releases/mozilla-aurora/rev/e56b37ce413b
status-firefox5: affected → fixed
Mozilla/5.0 (X11; Linux i686; rv:6.0) Gecko/20100101 Firefox/6.0 I've tried to verify whether this issue was fixed using the following steps: 1. Opened the attached testcase: "Simplest testcase that still...." 2. Opened a task manager and start observing memory and CPU consumption What happened is that memory didn't increase. Is this the intended behavior for this patch? Thanks!
George: yes. If you try Firefox 4 you should see the memory usage increase.
(In reply to comment #29) > George: yes. If you try Firefox 4 you should see the memory usage increase. Great! Considering your comment and the fact that this is no longer reproducible on Firefox 6.0b3 I am setting the status to Verified Fixed. Thanks!
Status: RESOLVED → VERIFIED
You need to log in before you can comment on or make changes to this bug.