Closed
Bug 556241
Opened 14 years ago
Closed 14 years ago
HTMLContentSink needs to participate in cycle collection
Categories
(Core :: DOM: Core & HTML, defect)
Core
DOM: Core & HTML
Tracking
()
People
(Reporter: peterv, Assigned: peterv)
References
Details
Attachments
(2 files, 1 obsolete file)
7.45 KB,
patch
|
peterv
:
review+
dveditz
:
approval1.9.2.3+
christian
:
approval1.9.1.10+
|
Details | Diff | Splinter Review |
489 bytes,
text/html
|
Details |
It holds a document and it can end up in a cycle with the parser and that document. Patch has r=jst. I'll try to write a testcase for this.
Attachment #436160 -
Flags: review+
Comment 1•14 years ago
|
||
I thought we always broke this cycle as needed.... when do we fail to do it?
Assignee | ||
Comment 2•14 years ago
|
||
Still working on the testcase, but note that the nsContentSink already unlinks its document.
Assignee | ||
Comment 3•14 years ago
|
||
http://hg.mozilla.org/mozilla-central/rev/86fd7df36a31
Status: ASSIGNED → RESOLVED
Closed: 14 years ago
Resolution: --- → FIXED
Assignee | ||
Comment 4•14 years ago
|
||
This is the simplest testcase that leaks for me. I'm also seeing two assertions: ###!!! ASSERTION: Non-global object has the wrong flags: '!(jsclazz->flags & JSCLASS_IS_GLOBAL)', file js/src/xpconnect/src/xpcwrappednative.cpp, line 1118 ###!!! ASSERTION: Overwriting an existing document channel!: '(loadFlags & nsIChannel::LOAD_REPLACE) || !(mDocumentRequest.get())', file uriloader/base/nsDocLoader.cpp, line 532 Need to figure out a way to stop the reloads after a while too. Who is supposed to break the cycle without CC? We should be able to check that in this testcase.
Assignee | ||
Comment 5•14 years ago
|
||
This one reloads the main page twice. When shutting down I get in the leaked urls: file:///Users/peterv/test_bug556241.html file:///Users/peterv/test_bug556241.html file:///Users/peterv/test_bug556241.html?1
Attachment #436192 -
Attachment is obsolete: true
Comment 6•14 years ago
|
||
> Who is supposed to break the cycle without CC?
Used to be that DidBuildModel on the sink would drop refs as needed.... But maybe we changed that.
Assignee | ||
Comment 7•14 years ago
|
||
Ah, but that drops the reference from sink to parser iirc. I think the issue here is that the testcase just calls document.open, so the document holds a reference to the parser, the parser holds a reference to the sink and the sink holds two references to the document (one in nsContentSink and one in HTMLContentSink). CC knows about all of these, except for HTMLContentSink->document.
Comment 8•14 years ago
|
||
Ah, I see. OK, thanks!
Updated•14 years ago
|
Attachment #436160 -
Flags: approval1.9.2.3?
Comment 9•14 years ago
|
||
Comment on attachment 436160 [details] [diff] [review] v1 I think we wanted to take this as well...
Updated•14 years ago
|
blocking1.9.1: --- → .10+
blocking1.9.2: --- → .3+
status1.9.1:
--- → wanted
status1.9.2:
--- → wanted
Updated•14 years ago
|
Blocks: CVE-2010-1121
Comment 10•14 years ago
|
||
Comment on attachment 436160 [details] [diff] [review] v1 Approved for 1.9.2.3, a=dveditz for release-drivers
Attachment #436160 -
Flags: approval1.9.2.3? → approval1.9.2.3+
Updated•14 years ago
|
blocking1.9.2: .4+ → .3+
Updated•14 years ago
|
Attachment #436160 -
Flags: approval1.9.2.4+ → approval1.9.2.3+
Comment 13•14 years ago
|
||
Can we get this fixed on the 1.9.1 branch, by tomorrow if possible?
Assignee | ||
Comment 14•14 years ago
|
||
Comment on attachment 436160 [details] [diff] [review] v1 The patch works as-is on 1.9.1 too.
Attachment #436160 -
Flags: approval1.9.1.10?
Comment 15•14 years ago
|
||
Comment on attachment 436160 [details] [diff] [review] v1 a=LegNeato for 1.9.1.10
Attachment #436160 -
Flags: approval1.9.1.10? → approval1.9.1.10+
Assignee | ||
Comment 16•14 years ago
|
||
http://hg.mozilla.org/releases/mozilla-1.9.1/rev/fe14252a861d
Updated•5 years ago
|
Component: DOM → DOM: Core & HTML
You need to log in
before you can comment on or make changes to this bug.
Description
•