Memory management is the process of usage of memory from our machine by the application and release the memory when in no use.
Memory leaks are unnoticed and not cause any harm initially,but once leaks are strong they can cause high latencies and crashes of our application.
According to OWASP :
A memory leak is an unintentional form of memory consumption whereby the developer fails to free an allocated block of memory when no longer needed. The consequences of such an issue depend on the application itself. Consider the following general three cases:
| Case | Description of Consequence |
| Short Lived User-land Application | Little if any noticeable effect. Modern operating system recollects lost memory after program termination. |
| Long Lived User-land Application | Potentially dangerous. These applications continue to waste memory over time, eventually consuming all RAM resources. Leads to abnormal system behavior. |
| Kernel-land Process | Very dangerous. Memory leaks in the kernel level lead to serious system stability issues. Kernel memory is very limited compared to user land memory and should be handled cautiously. |
A developer is responsible for assigning and releasing the memory.Some of the ways of memory management.
- Manual Management: Here, The programming language does not provide any automated tools to do any memory management.
C/ C++ uses this approach by providing methods like malloc() and free() to interact with machine memory.
2. Garbage Collection: Programmers no need to worry about freeing the memory as most of the modern languages come up with inbuilt garbage collectors (JavaScript, JVM based languages, Golang,Python, Ruby etc.
3. Ownership: In this approach, each variable have its owner and once the owner goes out of scope, the value in the variable will be wiped off and releasing the memory. Rust uses such an approach for memory management.
We are focused into JavaScript and Node JS so we will be focused on Garbage Collector. Garbage collector runs periodically and checks the allocation of memory by using an algorithm called “Mark and sweep”.Reference Counting is an algorithm which is used by python and PHP.
Mark and Sweep algorithm creates roots which are global variables in the environment (window objects) and it traverses the tree from roots to leaf nodes and mark all objects it encounters. Any memory not taken up by marked objects in the heap is marked as free.
Browsers like chrome provide a variety of solutions to the memory crisis by providing specialized tools to the developers. Using Chrome task manager you can easily manage and keep track of the heap memory(allocated to JS) as well as DOM nodes. It informs you about how much memory the page is using in totality. If the Memory is increasing that means more and more DOM nodes are getting created.
We can compare the different snapshots by changing the page state’s and make sure no refresh occurs or else it will completely wipe the memory and waste our efforts.
Reference : https://developers.google.com/web/tools/chrome-devtools/memory-problems
Also we can use heapdump library
To install: npm i heapdump
curl –location –request GET ‘http://localhost:4000/heapdump
We are making the API call to take a heapdump. This heapdump will contains all the objects which GC wasn’t able to collect.
Once you get your hands on both the heapdumps (fresh and long running server) we can start comparing.
Most memory leaks result in general software reliability problems, but if an attacker can intentionally trigger a memory leak, the attacker might be able to launch a common denial of service attack (by crashing the program) or come up with different attack vectors by taking advantage of leaks.
If you are new try https://github.com/s3r10usB14ck/JS-memory-leak-Lab , start debugging with Chrome Dev tools and find the leakage.
https://hackerone.com/reports/783360
Oscar Wilde once said “Memory is the diary that we all carry about with us”.