Closed Bug 654106 Opened 13 years ago Closed 13 years ago

Setting innerHTML leaks an observer until the page is closed

Categories

(Core :: DOM: HTML Parser, defect)

Product:
Core
Component:
DOM: HTML Parser
Type:
defect
Priority:
Not set
Severity:
major

Tracking

()

Status:
VERIFIED FIXED
Milestone:
mozilla6
Tracking Flags:
Tracking Status
firefox5 - fixed

People

(Reporter: Hughman, Assigned: hsivonen)

References

Details

(Keywords: memory-leak, testcase)

Attachments

(4 files, 1 obsolete file)

Simplest testcase that still easily identifies the problem
227 bytes, text/html
Details
Less minimal testcase to show its not just document.body or empty string
336 bytes, text/html
Details
Massif output
95.12 KB, application/x-bzip
Details
Move the fragment mode flag upwards, avoid running some nsContentSink initialization steps if it is set
6.29 KB, patch
bzbarsky
: review+
johnath
: approval-mozilla-aurora+
Details | Diff | Splinter Review 
User-Agent:       Mozilla/5.0 (Windows NT 6.1; WOW64; rv:2.0.1) Gecko/20100101 Firefox/4.0.1
Build Identifier: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:2.0.1) Gecko/20100101 Firefox/4.0.1

This could be a cause for many other bugs in bug 640452.

In my findings, setting innerHTML on an element will extra memory to be used every time something is set to it. Even setting it to an empty string causes memory problems.

Using the almost minimal test case(s) that I will attach, I can get Firefox 4.0.1, Aurora 5.0a2 2011-05-01 and Nightly 6.0a1 2011-05-01 to use over 1GB of RAM in around 3 minutes. This memory will not be freed until the page is refreshed or tab closed. I can even navigate other pages in the same tab without a memory free occurring.

I have had javascript.options.mem.log enabled while testing and CC/GC have definitely been running without freeing the memory.

Reproducible: Always

Steps to Reproduce:
1. Start some version of Firefox in a new profile.
2. Run test case (note that the test case does not actually make anything appear to change).
3. Monitor the memory usage using whatever method you can think of (about:memory, task manager, etc).
4. Click on page when you wish for the memory usage to stop rising (this is an event listener I placed in there to see if the memory cleared when left alone, does not seem to affect results).



I am wondering if this is used in some addons and if so, is it causing the same leak? Since they likely would never close/refresh without the browser closing it could cause problems without even loading a web page.
Blocks: mlk-fx5+
Attachment #529472 - Attachment mime type: text/plain → text/html
Keywords: mlk
Hardware: x86_64 → x86
[Changed platform to x86; since WOW64 in user agent indicates 32bit build of Firefox (platform refers to browser build, not OS)].
OK, I can _definitely_ reproduce on the attached testcase.

Henri, any idea what's going on here?

roc, do we have a good way of dumping out the heap to see where the memory is used?
tracking-firefox5: --- → ?
tracking-firefox6: --- → ?
Keywords: mlk
Hardware: x86 → x86_64
Status: UNCONFIRMED → NEW
Component: General → HTML: Parser
Ever confirmed: true
QA Contact: general → parser
Ed: I will remember that for next time.
Comment on attachment 529477 [details]
Less minimal testcase to show its not just document.body or empty string

That select box for text/html when adding an attachment keeps setting it as text/plain...
Attachment #529477 - Attachment mime type: text/plain → text/html
(In reply to comment #0)
> This memory will not be freed until the page is
> refreshed or tab closed. I can even navigate other pages in the same tab
> without a memory free occurring.

Sure sounds like the cached fragment parsing holding onto something that it shouldn't hold onto.

(In reply to comment #3)
> Henri, any idea what's going on here?

Not right away, no.

http://mxr.mozilla.org/mozilla-central/source/parser/html/nsHtml5Parser.cpp#553 is supposed to drop what there is to drop at the end of each fragment parse.
Attached file Massif output 
This is a massif output I got from running iceweasel 4.0 (basically, the same as firefox 4.0) with a more or less fresh profile, starting directly on the less minimal testcase.
OK, well, the first thing that shows is that nsHtml5Parser::ParseHtml5Fragment calls nsContentSink::Init which calls nsScriptLoader::AddObserver (passing a shim that makes sure that the content sink is not holding a strong ref to the sink).

There is no corresponding RemoveObserver call, as far as I can see.  So the script loader's observer array keeps growing at one word per innerHTML set (modulo whatever reallocation algorithm that code actually uses).

The page does 0xFFF sets per interval firing; that's every 10ms in Fx4 and every 4ms on trunk if the processor is keeping up.  So we should expect about 3.3MB/s growth on 64-bit in Fx4 and about 9MB on trunk.  That actually matches my numbers pretty closely.
Henri, the fragment parser doesn't even need to be a script loader observer, right?
Attached patch Hackeypatch to test that theory (obsolete) — Splinter Review 
With this change, memory usage on the testcase in this bug is stable for me.
/me is watching this bug with *intense* interest :)
Hughmann:  BTW, thanks for a *wonderful* bug report and test case.  We get so many vague leak reports -- "I browse for a while, close all my tabs, and Firefox still holds onto lots of memory" -- that specific reports like this are extremely valuable.
Yeah, I meant to say that, actually.  This is by far the best "memory leaks" report I've seen, complete with steps to reproduce and a characterization of how long the memory leaks for.  This made hunting this down much much easier!
FWIW this is good stuff but I don't think it explains bugs like 653817, where memory usage persists after closing all tabs that contained Web apps.
Indeed.  There's not a "the leak"...
I was actually trying to make a memory rise/leak around bug 650350 comment 10
at the time without much success before finding that the line I was using for
clearing the page was eating memory... not helpful for that test.

I have just run the test in Firefox 3.6.14 where it does not cause any memory
rise. So its a regression of some sort for 4.0.
Yeah, this is specific to the HTML5 parser, which first shipped in 4.0.
Assignee: nobody → hsivonen
Status: NEW → ASSIGNED
(In reply to comment #9)
> Henri, the fragment parser doesn't even need to be a script loader observer,
> right?

Right, AFAICT.

(In reply to comment #12)
> Hughmann:  BTW, thanks for a *wonderful* bug report and test case.

Indeed. Very useful. Thank you.
Attachment #529520 - Attachment is obsolete: true
OS: Windows 7 → All
Hardware: x86_64 → All
Attachment #529685 - Flags: review?(bzbarsky)
Comment on attachment 529685 [details] [diff] [review]
Move the fragment mode flag upwards, avoid running some nsContentSink initialization steps if it is set

>+  mCanInterruptParser = mFragmentMode ? PR_FALSE : sCanInterruptParser;

I'd prefer:

  mCanInterruptParser = !mFragmentMode && sCanInterruptParser;

r=me with that.
Attachment #529685 - Flags: review?(bzbarsky) → review+
This isn't FF5-specific, so minusing for tracking-firefox5, but once this lands and is happy on central, would be nice to see an approval nom for aurora
tracking-firefox5: ?-
(In reply to comment #19)
> I'd prefer:
> 
>   mCanInterruptParser = !mFragmentMode && sCanInterruptParser;
> 
> r=me with that.

Thanks. Landed with the change:
http://hg.mozilla.org/mozilla-central/rev/c3c4c902e9cd
Status: ASSIGNED → RESOLVED
Closed: 13 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla6
status-firefox5: --- → affected
Great work Hughmann, Henri and bz!
Keywords: mlk, testcase
Summary: Setting innerHTML on anything contributes to memory problem → Setting innerHTML leaks an observer until the page is closed
Comment on attachment 529685 [details] [diff] [review]
Move the fragment mode flag upwards, avoid running some nsContentSink initialization steps if it is set

I think we'll want this for 5.
Attachment #529685 - Flags: approval-mozilla-aurora?
Attachment #529685 - Flags: approval-mozilla-aurora? → approval-mozilla-aurora+
Should the mozilla-2.0 branch also be patched?
If there is going to be a security update for 4.0 before 5.0 then I think it would be a good idea.
Barring a zero-day there are no more security updates planned before 5.0.
No longer blocks: mlk-fx5+
Mozilla/5.0 (X11; Linux i686; rv:6.0) Gecko/20100101 Firefox/6.0

I've tried to verify whether this issue was fixed using the following steps:
 1. Opened the attached testcase: "Simplest testcase that still...."
 2. Opened a task manager and start observing memory and CPU consumption

What happened is that memory didn't increase. Is this the intended behavior for this patch?

Thanks!
George: yes.  If you try Firefox 4 you should see the memory usage increase.
(In reply to comment #29)
> George: yes.  If you try Firefox 4 you should see the memory usage increase.

Great! Considering your comment and the fact that this is no longer reproducible on Firefox 6.0b3 I am setting the status to Verified Fixed.

Thanks!
Status: RESOLVED → VERIFIED
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: