384844 - CycleCollector fault when using findbar on about:config

Status: RESOLVED DUPLICATE of bug 386947

(Core :: XPCOM, defect)

Description

[Robert Sayre]

The findbar doesn't happen to work on about:config, but I did it by accident and found this:

###!!! ASSERTION: Fault in cycle collector: traversed refs exceed refcount (ptr: 15b8e40)
: 'Not Reached', file nsCycleCollector.cpp, line 892

Comment 1

[Robert Sayre]

Steps to reproduce:

1.) start Minefield
2.) type about:config into the location bar
3.) use the findbar and try to search for a string
4.) close the browser

Comment 2

[Graydon Hoare :graydon]

Attachment: cycle collection graph at the moment of the fault

This shows the node in question that's fauling: it's an nsXULPrototypeNode that has a refcount of 1 but appears to be strongly owned by both a parent nsXULPrototypeNode and a parent nsGenericElement. 

Note that this pattern repeats across the graph. We're fauling on the first, but not only, instance of a dually-owned nsXULPrototypeNode with refcnt=1.

I don't really know the content ownership model well enough to say which of those is correct, but someone broke the rules.

Comment 3

[Benjamin Smedberg]

Boris, do you know how this ownership model works?

Comment 4

[Boris Zbarsky [:bzbarsky]]

I'm guessing the problem is that nsXULPrototypeElement::ReleaseSubtree doesn't null out the pointers in question.  So if the prototype survives past that call, any traversal through it will lead to problems, no?  Does nulling out the pointers in that method help?

This business of prototype nodes holding refs to themselves is really quite silly; we should fix it sometime...