loke.dev
Header image for The Ghost in the Heap: How I Finally Tracked Down a Node.js Leak That Chrome DevTools Couldn't See

The Ghost in the Heap: How I Finally Tracked Down a Node.js Leak That Chrome DevTools Couldn't See

Standard heap snapshots are useless when your memory leak lives in the C++ layer; here is how to profile the hidden 'off-heap' memory that Node.js hides from you.

· 9 min read

You’ve been told that if you have a memory leak in Node.js, the Chrome DevTools Heap Snapshot is your source of truth. It’s the standard advice: take a snapshot, wait ten minutes, take another, and look for the objects that didn't get garbage collected. But this advice assumes your leak lives inside the V8 heap. It assumes the "ghost" haunting your server is a Javascript object—a stray closure, a massive array, or a forgotten cache.

The reality is that Node.js is a Frankenstein’s monster of C++, Libuv, and V8. When your application’s Resident Set Size (RSS) keeps climbing until the OOM-killer nukes your process, but your Heap Snapshot stays perfectly flat at 50MB, you aren't crazy. You're dealing with an off-heap leak. And in that scenario, the standard DevTools are worse than useless—they’re a distraction that sends you chasing ghosts in the wrong house.

The Lie of the Heap Snapshot

Most developers treat node --inspect like a magic wand. You connect the debugger, look at the "Summary" view, and see that (string) or (compiled code) is taking up most of the space. You fix a few leaks there, and you feel productive.

But the V8 heap is just one room in the mansion. Node.js memory usage looks more like this:

1. V8 Heap: Where your objects, strings, and closures live.
2. External: Memory used by C++ objects that are "linked" to JS objects (like Buffer contents or ArrayBuffers).
3. Code Space: Where the JIT compiler stores machine code.
4. Native C++ Memory: Memory allocated directly via malloc or new in the Node.js core or in native addons (like bcrypt, sharp, or zlib).

The Chrome DevTools "Heap Snapshot" essentially ignores category #4. If you are using a native library to process images or handle specialized networking, and that library has a bug, it will allocate memory that V8 never sees. Your process will consume 4GB of RAM, while your heap snapshot reports a healthy 100MB.

A Practical Example of the "Invisible" Leak

To understand this, let's look at how we might accidentally trigger an off-heap surge. Historically, Buffer was the most common culprit. In older versions of Node, buffers were allocated outside the V8 heap. Today, they are mostly inside, but native modules still play by their own rules.

Imagine you're using a hypothetical native addon that processes logs.

const nativeAddon = require('./build/Release/log_processor');
const http = require('http');

http.createServer((req, res) => {
    // Let's say this native function allocates memory for a buffer 
    // in C++ but fails to free it correctly if the JS callback isn't called.
    nativeAddon.processLogAsync(req.url, (err, result) => {
        res.end(result);
    });
}).listen(3000);

If processLogAsync allocates 1MB of system memory per request and has a bug where it doesn't free() that memory, your RSS will grow by 1MB per request. If you take a Heap Snapshot, you will see nothing. The Javascript side only sees a tiny "pointer" or a small object representing the task. The 1MB is "invisible."

Identifying the Gap

The first step to tracking this down is admitting you have a problem that DevTools can’t see. You need to monitor the discrepancy between the Heap and the RSS.

I use a simple interval script when I'm debugging locally to see where the blood is actually flowing:

setInterval(() => {
  const usage = process.memoryUsage();
  const toMB = (bytes) => (bytes / 1024 / 1024).toFixed(2);
  
  console.log(`[${new Date().toISOString()}]`);
  console.log(`  RSS:        ${toMB(usage.rss)} MB`);
  console.log(`  Heap Total: ${toMB(usage.heapTotal)} MB`);
  console.log(`  Heap Used:  ${toMB(usage.heapUsed)} MB`);
  console.log(`  External:   ${toMB(usage.external)} MB`);
  console.log(`  ArrayBuffs: ${toMB(usage.arrayBuffers)} MB`);
  console.log('---------------------------');
}, 5000);

If rss is climbing and heapUsed is staying flat, you are looking for a native leak. If external is climbing, you are looking at Buffer or ArrayBuffer objects that V8 knows about but doesn't store on its primary heap.

Why Native Modules Leak

C++ doesn't have a garbage collector. When a developer writes a Node addon, they have to manually manage the lifecycle of the memory. They use Nan::Persistent or Napi::Reference to keep track of Javascript objects, but the actual raw data (pixels of an image, decrypted byte streams) is often allocated with malloc.

The "Ghost" usually appears in one of three places:
1. Improper cleanup in a C++ destructor: The JS object is garbage collected, but the C++ object it was attached to didn't properly free its internal buffers.
2. Forgotten Handles: In the N-API, if you create a napi_create_reference and never call napi_delete_reference, that memory stays pinned forever.
3. Third-party C libraries: The Node addon might be fine, but the underlying C library it wraps (like libpng or OpenSSL) has a leak.

Using jemalloc to See the Unseen

Since DevTools won't help, we have to go lower. We need to profile the system-level memory allocator. On Linux and macOS, the most effective tool I’ve found for this is jemalloc with its profiling features enabled.

jemalloc is a memory allocator that can be told to take "snapshots" of system memory allocations. It tracks what function called malloc and how much memory was requested.

First, you need to install jemalloc. On Ubuntu:
sudo apt-get install libjemalloc-dev

Then, you run Node with jemalloc preloaded and profiling turned on:

MALLOC_CONF="prof:true,lg_prof_interval:25,lg_prof_sample:17" \
LD_PRELOAD=/usr/lib/x86_64-linux-gnu/libjemalloc.so \
node your-app.js

- prof:true: Enables the profiler.
- lg_prof_interval:25: Tells it to dump a profile every $2^{25}$ bytes (32MB) of allocation.
- LD_PRELOAD: Forces Node to use jemalloc instead of the standard glibc allocator.

This will generate several .heap files. These aren't V8 heap snapshots; they are maps of the C++ memory space. You can analyze them using jeprof.

jeprof --show_bytes --pdf $(which node) jeprof.1234.0.f.heap > output.pdf

When I did this for a production leak recently, the PDF didn't show my Javascript code. Instead, it showed a massive cluster of memory attributed to node::crypto::SSLWrap. The leak wasn't in my code at all; it was an edge case in how we were handling TLS socket closures in a specific version of Node.

The Case of the Abandoned Buffer

Sometimes the leak isn't in C++, but in how V8 *thinks* about C++. This is a subtle "Ghost."

V8 triggers a Garbage Collection (GC) based on how full the heap is. If your heap limit is 2GB and you are using 100MB, V8 might not feel the need to run a full GC for a long time.

However, imagine you are allocating External memory—specifically Buffer.allocUnsafe().

const fs = require('fs');

function leakSmallButDeadly() {
    // We allocate a huge buffer but only keep a tiny slice of it
    const bigBuffer = Buffer.allocUnsafe(1024 * 1024 * 10); // 10MB
    const tinySlice = bigBuffer.slice(0, 10);
    
    // We store the tiny slice in a global array
    global.cache = global.cache || [];
    global.cache.push(tinySlice);
}

setInterval(leakSmallButDeadly, 100);

In older versions of Node, tinySlice keeps a reference to the entire bigBuffer (the parent ArrayBuffer). Because the JS object tinySlice is very small, V8 doesn't think the heap is growing. It sees a few bytes being added to the global.cache array. It doesn't realize that each of those few bytes is "holding hostage" 10MB of external memory.

The result? RSS balloons to gigabytes while the Heap Snapshot shows a tiny array of tiny objects.

The Fix: If you only need a small part of a large buffer that you won't be freeing immediately, use Buffer.copy() or Uint8Array.prototype.slice() (which creates a copy in modern Node) instead of Buffer.slice() (which creates a view).

// Safer way to store small parts of large chunks
const tinySlice = Buffer.alloc(10);
bigBuffer.copy(tinySlice, 0, 0, 10);
global.cache.push(tinySlice);

Advanced Tooling: clinic.js

If jemalloc feels too "low-level" or intimidating, the team at NearForm built a tool called clinic.js. Specifically, clinic heapgraph is excellent.

What makes heapgraph different from DevTools is that it visualizes the relationship between the V8 heap and the RSS. It can help you spot the "Ghost" by highlighting when the native memory is growing out of proportion to the JS objects.

To run it:

npm install -g clinic
clinic heapgraph -- node your-app.js

Then, put your app under load (using wrk or autocannon).

autocannon -c 100 -d 30 http://localhost:3000

When you stop the process, clinic generates an HTML report. If you see the "Total Allocated" line trending upward while the "V8 Heap Used" stays wavy (indicating successful GCs), you've confirmed the leak is off-heap.

Tracking Down Native Addon Leaks with Valgrind

If you've identified that a native addon is the culprit, and you have access to the C++ source, valgrind is the nuclear option. It is slow—it will make your Node app run 10-50x slower—but it is incredibly thorough.

valgrind --leak-check=full --show-leak-kinds=all --track-origins=yes node your-app.js

When you shut down the app, Valgrind will output a detailed trace of every single byte that was allocated but not freed. It will point to the exact line of C++ code.

*Note: You will get a lot of noise from Node's internal startup. Focus on the traces that involve your specific addon's filename.*

Common Off-Heap Culprits in the Wild

Through my experience and helping others debug their "ghosts," a few usual suspects tend to appear:

1. Image Processing (`sharp`, `canvas`): These libraries deal with raw pixel data. If you don't call .toBuffer() or .destroy() correctly, or if you create too many instances in a loop, the C++ memory will stack up.
2. Compression (`zlib`): Specifically, when using custom streams or failing to close a zlib handle.
3. Database Drivers: Some drivers use native C++ bindings for performance (like node-sqlite3 or certain pg configurations). Improperly closed statements or connections can leak native memory.
4. Logging/Contextual Tracing: Libraries like AsyncLocalStorage are generally safe, but older native "hooks" into the async lifecycle could occasionally leak the context metadata.

Summary Checklist for the Invisible Leak

If your Node process is dying and the Heap Snapshot looks fine, stop looking at the snapshot. Follow this hierarchy of debugging:

1. Monitor `process.memoryUsage()`: Compare rss to heapUsed. If the gap is widening, it's off-heap.
2. Check `external`: If external is high, look for Buffer or ArrayBuffer mismanagement (like slices of large buffers being kept in global scope).
3. Run with `--trace-gc`: See if the garbage collector is even trying to run. If it's running and the RSS isn't dropping, the memory isn't in V8's control.
4. Use `jemalloc`: Profile the system allocations to see if a native library is hogging memory.
5. Audit Native Addons: If you find the leak in a native module, use valgrind or check the C++ source for missing free() or napi_delete_reference() calls.

Understanding the "Ghost in the Heap" is about realizing that Node.js is more than just Javascript. It’s a complex bridge between a high-level garbage-collected environment and a low-level manual-memory environment. The tools that work for one side often fail for the other. When the standard tools lie to you, you have to go deeper.