Closed Bug 226692 Opened 21 years ago Closed 21 years ago

[FIXr]mXBLDocInfoWeak (on nsXBLPrototypeBinding) could probably just be a raw ptr

Categories

(Core :: XBL, defect, P1)

Product:
Core
Component:
XBL
Type:
defect

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla1.7alpha

People

(Reporter: bzbarsky, Assigned: bzbarsky)

References

Details

Attachments

(1 file, 1 obsolete file)

Proposed fix
17.02 KB, patch
timeless
: review+
bryner
: superreview+
brendan
: approval1.7a+
Details | Diff | Splinter Review 
As it is, the code assumes that it'll be non-null (the retval of
GetXBLDocumentInfo is not really checked).  I don't see any circumstances under
which it could really become null, short of someone holding on to prototype
bindings or bindings outside XBL past document info destruction and then trying
to do something with them...
Surprise.

We're seeing a crash in GKLAYOUT on the GCC OS/2 build.

In particular here:

http://lxr.mozilla.org/seamonkey/source/content/xbl/src/nsXBLPrototypeBinding.cpp#332

332   nsCOMPtr<nsIXBLDocumentInfo> info = GetXBLDocumentInfo(nsnull);
333   
334   return info->DocumentURI();

info is null....

This is after going to  a particular preference page, changing a preference and
clicking OK.
Attached patch Patch to work around crash (obsolete) — Splinter Review 
Here's what the patch looks like that works around the crash.

I had to null check in two places.
mkaply, which preference page and which preference?  That function should never
be returning null (or we need to rename it back and fix all its callers to
null-check (which they currently do not)).
Here's the scenario (it seems to happen mostly with a new profile)

Go to preferences->Debug->Networking

Change Diretcory Listing format from HTML to XUL. Then click OK.

On the OS/2 GCC build, we then crash. 

Doesn't happen on the OS/2 VACPP build.

I can't figure out why this would be compiler specific, except GCC is more
sensitive about uninitialized variables.

Ok, thanks.  I'll try to debug that when I get back (3 weeks or so).  Either I
will need to change some teardown order somewhere, or the ownership model here
will change.
I thought about this some more, and it's safest to change the ownership model as
follows:

1)  nsXBLDocumentInfo holds strong refs to the prototype bindings via
    mBindingTable
2)  The prototype bindings hold strong refs to the nsXBLDocumentInfo
3)  nsXBLDocumentInfo::Release checks whether the new refcount is equal to the
    number of objects in mBindingTable; if it is, it clears mBindingTable.

That should make sure things stay alive for the right length of time, and
shouldn't leak.
I have a simpler model that I've implemented in Safari.  The simplification could be applied to Gecko.

(1) Instead of having an nsXBLDocInfo object in Safari, I just made an XBLDocument class that 
subclasses XMLDocument.  The XBLDocument is reference-counted.
(2) A memory cache can addref the XBLDocument to pin it.  This would be somewhat analogous to 
Gecko's chrome cache (which would cache XBL documents).
(3) The XBLDocument owns all the prototype bindings.  The prototype bindings are not reference 
counted.  They die when the XBLDocument dies.
(4) XBLBindings (real bindings, not prototypes) then add refs to the XBLDocument.

With this model, prototype bindings needn't be reference counted, and the XBLDocument can be pulled 
out of a memory cache safely even if XBL bindings are still referencing the document.
Blocks: 228730
Attached patch Proposed fixSplinter Review 
This is more or less hyatt's suggestion, except I kept nsIXBLDocumentInfo,
since we have no sane way to create different document types based on root
namespace.

So the model this patch implents is:

1)  nsXLBDocumentInfo owns all prototype bindings and deletes them in its
    destructor
2)  Everyone else just has weak refs to prototype bindings
3)  nsXBLBinding holds a weak ref to the proto binding and a strong ref to the
    document info
4)  The document info is what's stored in the chrome cache.
Attachment #137262 - Attachment is obsolete: true
Comment on attachment 140790 [details] [diff] [review]
Proposed fix

Thoughts?  mkaply, does this fix your crash?
Attachment #140790 - Flags: superreview?(bryner)
Attachment #140790 - Flags: review?(timeless)
Status: NEW → ASSIGNED
Priority: -- → P1
Summary: mXBLDocInfoWeak (on nsXBLPrototypeBinding) could probably just be a raw ptr → [FIX]mXBLDocInfoWeak (on nsXBLPrototypeBinding) could probably just be a raw ptr
Target Milestone: --- → mozilla1.7alpha
Attachment #140790 - Flags: superreview?(bryner) → superreview+
Yes, this fixes the OS/2 crash.

Ganesh - we need this for the OS/2 IWB build.
Comment on attachment 140790 [details] [diff] [review]
Proposed fix

I think I flagged the unchecked new in nsXBLDocumentInfo::SetPrototypeBinding
as an OOM concern, but otherwise this looks fine :)
Attachment #140790 - Flags: review?(timeless) → review+
Comment on attachment 140790 [details] [diff] [review]
Proposed fix

Could this possibly be approved for 1.7a?  Fixes some crashes by changing the
ownership model around	a bit...
Attachment #140790 - Flags: approval1.7a?
Summary: [FIX]mXBLDocInfoWeak (on nsXBLPrototypeBinding) could probably just be a raw ptr → [FIXr]mXBLDocInfoWeak (on nsXBLPrototypeBinding) could probably just be a raw ptr
Comment on attachment 140790 [details] [diff] [review]
Proposed fix

a=brendan@mozilla.org for 1.7a.

/be
Attachment #140790 - Flags: approval1.7a? → approval1.7a+
Checked in for 1.7a
Status: ASSIGNED → RESOLVED
Closed: 21 years ago
Resolution: --- → FIXED
<OT>
Wouah. 
David (from Apple) proposes an implementation.
Michael (from IBM) helps investigation.
Boris (from MIT) fixes it.
Ian (from Opera) is QA contact.

This is sooooo open source. Thank you guys!

This was my first and last post off topic on that system, but I couldn't find a
better way to thank you all for your work.
</OT>
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: