WARN: Skype, IE Triggers Memory Leak in Flash

[Arodicus]

A warning to all:

Having Skype installed triggers *huge* memory leaks in Internet Explorer 7 on Windows (possibly other versions) if the webpage you are viewing uses Ajax/DOM commands to load/unload Flash/Flex content that use ExternalInterface commands.

At this writing the only known fix is to tell your users to disable Skype.

Some testers have reported improved results by upgrading Skype to 3.8.0.154 (released August 14th, 2008) or later, although the memory leak seems to persist to some degree.

The core problem (we think) is a bug in IE: If any javascript var has a reference to a Flash/Flex app, and that app is removed from the page using Ajax-style DOM commands (innerHTML, removeChild, etc.), the javascript reference to the app remains, preventing garbage collection and triggering a memory leak. The SWF will then remain in memory, even on a full page refresh.

Traditionally, the solution (as used by SWFObject 2.1, which first solved the IE bug) is to destroy all scripts and functions within the object/embed that displays the flash/flex app, prior to physically removing the element:

ActionScript Code:

function removeObjectInIE(id) {
    var obj = getElementById(id);
    if (obj) {
      for (var i in obj) {
          if (typeof obj[i] == "function") {
            obj[i] = null;
          }
      }
      obj.parentNode.removeChild(obj);
    }
}

This effectively kills any reference that ExternalInterfaces may have created, allowing a removed flash app to garbage-collect.

This solution does not appear to work for Skype, however, which injects about a dozen javascript functions and variables into every page you visit. Several of these javascripts contain references to various page objects. Since these references exist outside of the Flash/Flex element, they are not cleaned by traditional cleaner functions and thus trigger the memory leak.

Verified in Skype 3.8.0.134. Appears to be at least partially fixed in the August 14th, 2008 release of Skype (3.8.0.154) and in the beta for Skype 4.0, but we're still looking into it.

The bigger question is WHY is Skype making a javascript reference to every Flash app on every page I visit? Sounds a little bit like spyware to me...

[Bombdogs]

Something to do with the horrible phone numbers plug-in? You know, where every set of numbers on a page that has even a passing resemblance to a phone number get skypified. Damn thing gets installed as default now I think, tho not 100% sure.

PMF

[wvxvw]

Can you elaborate a bit? Which functions does it add? My guess would be it may use the same function which ExternalInterface does (like flash__argumentsToXML() etc...) by using ExternalInterface itself and not removing itself after the page unloads... As far as my understanding, ExternalInterface creates a JavaScript object on the browser level, then each flash in the page gets some sort of ID, which is generated by that object by creating dynamic "proxy-like" object which is it's property. So, after the page is unloaded, all these child "proxy" objects should be destroyed together with the content for which they ware used as mediators. And Skype has that stupid plug-in which replaces any 8-digit number in the page by an SWF. If you click it, you'll call that number via Skype... So, probably, this plugin is never removed from the browser memory, making all other SWFs stay along with it...
So, may be, if you can discover which functions / variables adds this plugin, there may me a workaround for removing them...

[Arodicus]

I don't know how to detect them in IE, at least with the developer toolbar, but using Firebug in Firefox you can see them. I'm going to assume IE uses the same formats, though; all the Skype functions include "Skype" somehwhere in the name, and almost all the vars seem to begin with "skype_" .

e.g.: DoShowSkype(), SkypeGetBounds(), skype_active, skype_tool

At least one of the functions I checked seems to contain a reference to the global document object, which may be part of the problem.

skype_tool in particular could be useful; it contains another object called PNRComponent which in turn contains functions like GetSkypeMajVersion(); it's possible an enterprising individual could write a script that detects if Skype is in use, and if so what version it is, and then issue a warning to the user if they have the bugged version of skype.

Actually, it's a perfect scenario for the script injection article posted here a few months ago, since the leak only affect a very specific combination of events

[Arodicus]

Ooops, and my sample code is JAVAScript, not ActionScript, and is paraphrased from SWFObject 2.1. In other words, it won't run as-is; I'm just showing it for clarity: it would take some modification to actually run without SWFObject on your page as well.