Transferable arrays leaked during MessagePort.postMessage() to the disentangled port
Reported by
cool...@gmail.com,
Feb 5 2017
|
||||||
Issue descriptionSteps to reproduce the problem: Run attached testcase. var c = new MessageChannel(); c.port2.close(); c.port1.postMessage(a.buffer, [a.buffer]); // REPEAT What is the expected behavior? GC must free memory. What went wrong? Chrome allocates memory for ArrayBuffer and never free it. After some iterations Chrome crashes due to insufficient memory. I think this is regression after fixing issue 334408 . Did this work before? Yes Chrome 55 Chrome version: 56.0.2924.87 (64-bit) Channel: stable OS Version: 6.1 (Windows 7, Windows Server 2008 R2) Flash Version: Shockwave Flash 24.0 r0
,
Feb 6 2017
,
Feb 6 2017
Able to reproduce the issue on Windows 10, Ubuntu 14.04 and Mac 10.12.2 using reported version #56.0.2924.87 and latest canary #58.0.3003.0. Bisect Information: ===================== Good build: 56.0.2899.0 Revision(426989) Bad Build : 56.0.2900.0 Revision(427219) Change Log URL: https://chromium.googlesource.com/chromium/src/+log/0500571c0a41d977f64653eeaed4809351205a35..99a2756462a76ca70613375784a1a4fa8f3576bb From the above change log suspecting below change Review URL: https://codereview.chromium.org/2414333003 nhiroki@ - Could you please check whether this is caused with respect to your change, if not please help us in assigning it to the right owner. Thanks...!!
,
Feb 7 2017
Thank you for reporting this. This is on my TODO list but I haven't had time to take a look at this yet. For now, I'll add an appropriate label for triage.
,
Feb 17 2017
Started looking into this.
,
Feb 17 2017
I suspect that this could be caused by an overflow of a message queue, and my patch couldn't be a direct cause. Actually, I can reproduce this with a following modified script that sends an array buffer as non-transferable: // c.port1.postMessage(a.buffer, [a.buffer]); c.port1.postMessage(a.buffer); Before my patch, transferable objects passed to postMessage() was just ignored and an actual message didn't contain them, so the message size is relatively small. After my change, transferable objects are copied into a message and the message size becomes bigger, so we hit OOM crash easier. To avoid the OOM crash, we could... - teach a sender port that a target port is already closed and stop it from sending messages anymore, or - limit the message queue size and throw an exception when it reaches the limit, ... I'm not sure if these are spec-compatible behavior though.
,
Feb 17 2017
jbroman@, could you triage this issue?
,
Feb 17 2017
Additional notes: This also happens when a target port is NOT closed. |
||||||
►
Sign in to add a comment |
||||||
Comment 1 by woxxom@gmail.com
, Feb 5 2017