New issue
Advanced search Search tips
Note: Color blocks (like or ) mean that a user may not be available. Tooltip shows the reason.

Issue 739371 link

Starred by 1 user
Status: WontFix
Owner:
u...@chromium.org
Closed: Jul 2017
Cc:
mlippautz@chromium.org
w...@chromium.org
puneetster@chromium.org
lfg@chromium.org
hpayer@chromium.org
Components:
EstimatedDays: ----
NextAction: ----
OS: ----
Pri: 3
Type: Bug



Sign in to add a comment

Window object leak on cnn.com

Project Member Reported by u...@chromium.org, Jul 5 2017 
This issue was reported internally by wez@.

Steps to reproduce:
1. Open http://edition.cnn.com
2. Decrease the window size to ~200px.
3. Maximize the window.

Repeat steps 2, 3 and observe increase in memory usage. The number of window objects also increases with every window resize (this can be checked by taking a heap snapshot in DevTools and looking up "Window /" object count).

The leak of window object is caused either by a bug in JS code of the webpage or by a bug in Chrome.

Comment 1 by w...@chromium.org, Jul 5 2017 

FWIW it looks like the site chooses which ads to show based on the size of the window, presumably to pick ones that fit the content layout best. If they're adding and removing iframes then, given the steadily increasing event-listener counts in Dev Tools when you repro this, could registered event listeners be keeping the removed iframe window/document objects live?

Comment 2 by puneetster@chromium.org, Jul 5 2017

Cc: puneetster@chromium.org

Comment 3 by u...@chromium.org, Jul 6 2017

Status: WontFix (was: Assigned)
TL;DR: the leak is caused by moatad.js script that adds (and never removes) event listeners that retain iframe window objects.
The event type is "webdriver-evaluate", "webdriver-evaluate-response", which explains why the listeners never fire in Chrome.

Details follow.

I instrumented V8 GC to print retaining paths for all window objects during marking.

Here is what a typical retaining path looks like
1. A leaking window object
2. which is stored in field "target" of a JS object with fields {evt, target}
3. which is stored in field "ME-271255637387" of a JS object with properties {ME-271255637387, ME-678715737272, globalMouseDown1eb9-1156-106c-124d, ...}
4. which is stored in field "xscd" of a JS object with properties {sxdc, cdxs, xscd, swde}
5. which is stored in a single element JS array
6. which is a context allocated variable of a JS function with source code "(){c.apply(d||null,b.concat(b.slice.call(arguments)))}"
8. which is a context allocated variable of a JS function with source code "(c){return b(c)}"
10. which is stored in a JS array of listeners.
11. which is stored in an internal field of the main window object.

Searching the JS source code for these field names, I found that moatad.js creates listeners that captures the leaking window objects.
A breakpoint in moatad.js showed that it is adding two listeners for events "webdriver-evaluate", "webdriver-evaluate-response" for document on every window resize (screenshot attached).

I instrumented EventListenerMap::Add in Blink and confirmed that the size of the listener vector corresponding to the webdriver events is growing after every window resize.

This proves wez@'s theory in comment #1 that the leak is caused by listeners.
cnn-1.png
95.9 KB View Download

Sign in to add a comment