The default bug view has changed. See this FAQ.

Setting innerHTML leaks an observer until the page is closed

VERIFIED FIXED in Firefox 5

Status

()

Core
HTML: Parser
--
major
VERIFIED FIXED
6 years ago
6 years ago

People

(Reporter: Hughman, Assigned: hsivonen)

Tracking

({mlk, testcase})

unspecified
mozilla6
mlk, testcase
Points:
---
Dependency tree / graph

Firefox Tracking Flags

(firefox5- fixed)

Details

Attachments

(4 attachments, 1 obsolete attachment)

(Reporter)

Description

6 years ago
User-Agent:       Mozilla/5.0 (Windows NT 6.1; WOW64; rv:2.0.1) Gecko/20100101 Firefox/4.0.1
Build Identifier: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:2.0.1) Gecko/20100101 Firefox/4.0.1

This could be a cause for many other bugs in bug 640452.

In my findings, setting innerHTML on an element will extra memory to be used every time something is set to it. Even setting it to an empty string causes memory problems.

Using the almost minimal test case(s) that I will attach, I can get Firefox 4.0.1, Aurora 5.0a2 2011-05-01 and Nightly 6.0a1 2011-05-01 to use over 1GB of RAM in around 3 minutes. This memory will not be freed until the page is refreshed or tab closed. I can even navigate other pages in the same tab without a memory free occurring.

I have had javascript.options.mem.log enabled while testing and CC/GC have definitely been running without freeing the memory.

Reproducible: Always

Steps to Reproduce:
1. Start some version of Firefox in a new profile.
2. Run test case (note that the test case does not actually make anything appear to change).
3. Monitor the memory usage using whatever method you can think of (about:memory, task manager, etc).
4. Click on page when you wish for the memory usage to stop rising (this is an event listener I placed in there to see if the memory cleared when left alone, does not seem to affect results).



I am wondering if this is used in some addons and if so, is it causing the same leak? Since they likely would never close/refresh without the browser closing it could cause problems without even loading a web page.
(Reporter)

Comment 1

6 years ago
Created attachment 529472 [details]
Simplest testcase that still easily identifies the problem
(Reporter)

Updated

6 years ago
Blocks: 640452
(Reporter)

Updated

6 years ago
Attachment #529472 - Attachment mime type: text/plain → text/html
Keywords: mlk
Hardware: x86_64 → x86
[Changed platform to x86; since WOW64 in user agent indicates 32bit build of Firefox (platform refers to browser build, not OS)].
OK, I can _definitely_ reproduce on the attached testcase.

Henri, any idea what's going on here?

roc, do we have a good way of dumping out the heap to see where the memory is used?
tracking-firefox5: --- → ?
tracking-firefox6: --- → ?
Keywords: mlk
Hardware: x86 → x86_64
Status: UNCONFIRMED → NEW
Component: General → HTML: Parser
Ever confirmed: true
QA Contact: general → parser
(Reporter)

Comment 4

6 years ago
Created attachment 529477 [details]
Less minimal testcase to show its not just document.body or empty string

Ed: I will remember that for next time.
(Reporter)

Comment 5

6 years ago
Comment on attachment 529477 [details]
Less minimal testcase to show its not just document.body or empty string

That select box for text/html when adding an attachment keeps setting it as text/plain...
Attachment #529477 - Attachment mime type: text/plain → text/html
(Assignee)

Comment 6

6 years ago
(In reply to comment #0)
> This memory will not be freed until the page is
> refreshed or tab closed. I can even navigate other pages in the same tab
> without a memory free occurring.

Sure sounds like the cached fragment parsing holding onto something that it shouldn't hold onto.

(In reply to comment #3)
> Henri, any idea what's going on here?

Not right away, no.

http://mxr.mozilla.org/mozilla-central/source/parser/html/nsHtml5Parser.cpp#553 is supposed to drop what there is to drop at the end of each fragment parse.
Created attachment 529488 [details]
Massif output

This is a massif output I got from running iceweasel 4.0 (basically, the same as firefox 4.0) with a more or less fresh profile, starting directly on the less minimal testcase.
OK, well, the first thing that shows is that nsHtml5Parser::ParseHtml5Fragment calls nsContentSink::Init which calls nsScriptLoader::AddObserver (passing a shim that makes sure that the content sink is not holding a strong ref to the sink).

There is no corresponding RemoveObserver call, as far as I can see.  So the script loader's observer array keeps growing at one word per innerHTML set (modulo whatever reallocation algorithm that code actually uses).

The page does 0xFFF sets per interval firing; that's every 10ms in Fx4 and every 4ms on trunk if the processor is keeping up.  So we should expect about 3.3MB/s growth on 64-bit in Fx4 and about 9MB on trunk.  That actually matches my numbers pretty closely.
Henri, the fragment parser doesn't even need to be a script loader observer, right?
Created attachment 529520 [details] [diff] [review]
Hackeypatch to test that theory

With this change, memory usage on the testcase in this bug is stable for me.
/me is watching this bug with *intense* interest :)
Hughmann:  BTW, thanks for a *wonderful* bug report and test case.  We get so many vague leak reports -- "I browse for a while, close all my tabs, and Firefox still holds onto lots of memory" -- that specific reports like this are extremely valuable.
Yeah, I meant to say that, actually.  This is by far the best "memory leaks" report I've seen, complete with steps to reproduce and a characterization of how long the memory leaks for.  This made hunting this down much much easier!
FWIW this is good stuff but I don't think it explains bugs like 653817, where memory usage persists after closing all tabs that contained Web apps.
Indeed.  There's not a "the leak"...
(Reporter)

Comment 16

6 years ago
I was actually trying to make a memory rise/leak around bug 650350 comment 10
at the time without much success before finding that the line I was using for
clearing the page was eating memory... not helpful for that test.

I have just run the test in Firefox 3.6.14 where it does not cause any memory
rise. So its a regression of some sort for 4.0.
Yeah, this is specific to the HTML5 parser, which first shipped in 4.0.
(Assignee)

Updated

6 years ago
Assignee: nobody → hsivonen
Status: NEW → ASSIGNED
(Assignee)

Comment 18

6 years ago
Created attachment 529685 [details] [diff] [review]
Move the fragment mode flag upwards, avoid running some nsContentSink initialization steps if it is set

(In reply to comment #9)
> Henri, the fragment parser doesn't even need to be a script loader observer,
> right?

Right, AFAICT.

(In reply to comment #12)
> Hughmann:  BTW, thanks for a *wonderful* bug report and test case.

Indeed. Very useful. Thank you.
Attachment #529520 - Attachment is obsolete: true
(Assignee)

Updated

6 years ago
OS: Windows 7 → All
Hardware: x86_64 → All
(Assignee)

Updated

6 years ago
Attachment #529685 - Flags: review?(bzbarsky)
Comment on attachment 529685 [details] [diff] [review]
Move the fragment mode flag upwards, avoid running some nsContentSink initialization steps if it is set

>+  mCanInterruptParser = mFragmentMode ? PR_FALSE : sCanInterruptParser;

I'd prefer:

  mCanInterruptParser = !mFragmentMode && sCanInterruptParser;

r=me with that.
Attachment #529685 - Flags: review?(bzbarsky) → review+
This isn't FF5-specific, so minusing for tracking-firefox5, but once this lands and is happy on central, would be nice to see an approval nom for aurora
tracking-firefox5: ? → -
(Assignee)

Comment 21

6 years ago
(In reply to comment #19)
> I'd prefer:
> 
>   mCanInterruptParser = !mFragmentMode && sCanInterruptParser;
> 
> r=me with that.

Thanks. Landed with the change:
http://hg.mozilla.org/mozilla-central/rev/c3c4c902e9cd
Status: ASSIGNED → RESOLVED
Last Resolved: 6 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla6
(Assignee)

Updated

6 years ago
status-firefox5: --- → affected
Great work Hughmann, Henri and bz!

Updated

6 years ago
Keywords: mlk, testcase
Summary: Setting innerHTML on anything contributes to memory problem → Setting innerHTML leaks an observer until the page is closed
Comment on attachment 529685 [details] [diff] [review]
Move the fragment mode flag upwards, avoid running some nsContentSink initialization steps if it is set

I think we'll want this for 5.
Attachment #529685 - Flags: approval-mozilla-aurora?
Attachment #529685 - Flags: approval-mozilla-aurora? → approval-mozilla-aurora+
(Reporter)

Comment 24

6 years ago
Should the mozilla-2.0 branch also be patched?
If there is going to be a security update for 4.0 before 5.0 then I think it would be a good idea.
Barring a zero-day there are no more security updates planned before 5.0.
Blocks: 653817

Updated

6 years ago
tracking-firefox6: ? → ---
(Assignee)

Comment 26

6 years ago
Landed in Aurora:
http://hg.mozilla.org/releases/mozilla-aurora/rev/e56b37ce413b
status-firefox5: affected → fixed
Blocks: 659856
No longer blocks: 640452
Duplicate of this bug: 643940

Comment 28

6 years ago
Mozilla/5.0 (X11; Linux i686; rv:6.0) Gecko/20100101 Firefox/6.0

I've tried to verify whether this issue was fixed using the following steps:
 1. Opened the attached testcase: "Simplest testcase that still...."
 2. Opened a task manager and start observing memory and CPU consumption

What happened is that memory didn't increase. Is this the intended behavior for this patch?

Thanks!
George: yes.  If you try Firefox 4 you should see the memory usage increase.

Comment 30

6 years ago
(In reply to comment #29)
> George: yes.  If you try Firefox 4 you should see the memory usage increase.

Great! Considering your comment and the fact that this is no longer reproducible on Firefox 6.0b3 I am setting the status to Verified Fixed.

Thanks!
Status: RESOLVED → VERIFIED
You need to log in before you can comment on or make changes to this bug.