npm

npm’s 2019 JavaScript ecosystem survey analysis is now available! Get your copy here »

v8-mat

1.0.3 • Public • Published

Automatic leak detection for V8 heap snapshots

npm Build Status

This project implements the algorithm used by the Eclipse Memory Analyzer on V8 heap snapshots to automatically detect leak suspects in JavaScript processes. It analyzes a heap snapshot to find:

  1. Leak suspect: an object that retains a big chunk of memory in the heap. Due to the nature of JavaScript applications this tend to be a context object of a closure.
  2. Accumulation point: an object retained by the leak suspect where the majority of the memory retained by that suspect is accumulated.

The leak identified by this tool can be fixed by breaking the reference somewhere in the path from the leak suspect to the accumulation point, or stop the accumulation point from accumulating memory.

Usage

npm install -g v8-mat
v8-mat path/to.heapsnapshot [path/to/result.json]

Example

The following Node.js script leaks memory by adding listeners that retain large strings to an emitter. It then create a snapshot before exiting.

'use strict';
 
const inspector = require('inspector');
const fs = require('fs');
const EventEmitter = require('events');
const session = new inspector.Session();
session.connect();
 
const TIME = parseInt(process.argv[2] || 10);
 
function randomString() {
  return Math.random().toFixed(16).slice(2);
}
 
function run() {
  function closureFactory() {
    const hugeString = 'x'.repeat(1e6);
 
    function unused() {
      return hugeString;
    }
 
    return function createdClosure() {
      // This is a bug of the VM
      return 'I retain the hugeString even though I do not reference it';
    };
  }
  const emitter = new EventEmitter();
  for (let i = 0; i < 5e3; ++i) {
    emitter.on(randomString(), closureFactory());
  }
  return Promise.resolve({
    emitter
  });
}
 
function teardown({ emitter }) {
  console.log(emitter.eventNames().length);
}
 
run().then(function onFullFilled(result) {
  setTimeout(() => {
    let buf = '';
    session.on('HeapProfiler.addHeapSnapshotChunk', function(res) {
      buf += res.params.chunk;
    });
    session.post('HeapProfiler.takeHeapSnapshot', () => {
      const file = './event-emitter.heapsnapshot';
      fs.writeFileSync(file, buf);
      console.log(`Written snapshot to ${file}`);
      teardown(result);
    });
  }, TIME * 1000);
});

Running v8-mat on the generated event-emitter.heapsnapshot:

> v8-mat event-emitter.heapsnapshot
Total Heap Size:  9817128
=============== Suspect ========
Name         : system / Context
Class Name   : system / Context
Edges Count  : 5
Retained Size: 5401160
Self Size    : 56
ID           : 897
=============== Accumulation Point ========
Name         : Object
Class Name   : Object
Edges Count  : 5003
Retained Size: 5397616
Self Size    : 24
ID           : 17507
=============== Retaining Path ========
5.1509MB system / Context@897
(context of onFullFilled() /Users/joyee/projects/v8-mat/test/fixtures/event-emitter.js) <--- Suspect
  |
  | ->result
  v
5.1482MB Object(Object) @311289
  |
  | .emitter
  v
5.1481MB EventEmitter(EventEmitter) @17505
  |
  | ._events
  v
5.1476MB Object(Object) @17507 <--- Accumulation Point
  |
  | {properties}
  v
192.0547KB (object properties)((array)) @29667
............

Explanation:

  1. The leak suspect is the context of onFullFilled(), where the result of run() is passed into the scope as a variable named result. Obviously if onFullFilled() does not put the result into the scope, the leak will not exist since the result will not be referenced and can be garbage-collected.
    • Notice in the output of v8-mat, the annotation beside the first arrow (edge) displays the variable name result in the context.
    • v8-mat also tries to extract the function and the file where the closure context is created and display it in its output.
  2. result has a member .emitter which is assigned at the end of run.
  3. result.emitter has an internal member ._events where Node.js stores the listeners.

Looking up the suspect and following the retaining path from the suspect to the accumulation point in the DevTools:

Reference

Keywords

none

install

npm i v8-mat

Downloadsweekly downloads

1

version

1.0.3

license

MIT

homepage

github.com

repository

Gitgithub

last publish

collaborators

  • avatar
Report a vulnerability