Closed
Bug 1130128
Opened 10 years ago
Closed 10 years ago
Scripts cached by nsFrameScriptExecutor leak when compiled in the current global
Categories
(Core :: DOM: Core & HTML, defect)
Core
DOM: Core & HTML
Tracking
()
RESOLVED
FIXED
mozilla38
People
(Reporter: mccr8, Assigned: mccr8)
References
Details
(Whiteboard: [MemShrink])
Attachments
(3 files, 1 obsolete file)
1.43 KB,
patch
|
bholley
:
review+
|
Details | Diff | Splinter Review |
2.93 KB,
patch
|
bholley
:
review+
|
Details | Diff | Splinter Review |
979 bytes,
patch
|
Details | Diff | Splinter Review |
Billm and I were looking into a docshell leaks-until-shutdown, and noticed that some scripts being held alive by the nsFrameScriptExecutor are entraining a ContentFrameMessageManager, which in turn is holding alive the XPCWN for a docshell, which keeps the doc shell alive. It looks like some self-hosted code is getting compiled against whatever page happens to load it first, which ends up keeping the docshell for that page alive. If we compile this cached code (in nsFrameScriptExecutor::TryCacheLoadAndCompileScript) against the junk scope, then the doc shell's XPCWN is no longer being held alive. (The doc shell is still leaking from C++, so maybe this is a red herring...)
Assignee | ||
Updated•10 years ago
|
tracking-e10s:
--- → ?
Whiteboard: [MemShrink]
Assignee | ||
Comment 1•10 years ago
|
||
Assignee | ||
Comment 2•10 years ago
|
||
Comment on attachment 8560760 [details] [diff] [review] Compile scripts cached by nsFrameScriptExecutor in the junk scope to avoid leaking the compartment. WIP Bobby, is PrivilegedJunkScope() the right scope for this do you think? Or maybe CompilationScope()? The comment near those explicitly tells you to ask the XPConnect module owner so that's what I'm doing. ;) I think we don't ever run this code, and with the current set up you end up compiling it in some random scope which leaks the associated compartment.
Attachment #8560760 -
Flags: feedback?(bobbyholley)
Comment 3•10 years ago
|
||
Comment on attachment 8560760 [details] [diff] [review] Compile scripts cached by nsFrameScriptExecutor in the junk scope to avoid leaking the compartment. WIP Review of attachment 8560760 [details] [diff] [review]: ----------------------------------------------------------------- ::: dom/base/nsFrameMessageManager.cpp @@ +1538,5 @@ > if (dataStringBuf && dataStringLength > 0) { > AutoSafeJSContext cx; > + // We compile in the junk scope instead of the current JS object to avoid > + // entraining whatever random stuff is on the current global, which could > + // be for some random page. Maybe xpc::CompilationScope() makes more sense? These cached scripts are always cloned into another compartment before they're run, right? If so then yeah, do xpc::CompilationScope.
Attachment #8560760 -
Flags: feedback?(bobbyholley) → feedback+
Assignee | ||
Comment 4•10 years ago
|
||
Attachment #8560760 -
Attachment is obsolete: true
Attachment #8561428 -
Flags: review?(bobbyholley)
Assignee | ||
Comment 5•10 years ago
|
||
I'll attach the trivial -w patch in a moment.
Attachment #8561429 -
Flags: review?(bobbyholley)
Assignee | ||
Comment 6•10 years ago
|
||
Updated•10 years ago
|
Attachment #8561428 -
Flags: review?(bobbyholley) → review+
Comment 7•10 years ago
|
||
Comment on attachment 8561429 [details] [diff] [review] part 2 - CompilationScope() is infallible. Review of attachment 8561429 [details] [diff] [review]: ----------------------------------------------------------------- Thanks for the diff -w. ;-)
Attachment #8561429 -
Flags: review?(bobbyholley) → review+
Assignee | ||
Comment 8•10 years ago
|
||
No problem. The regular diff is completely awful. ;)
Assignee | ||
Comment 9•10 years ago
|
||
remote: https://hg.mozilla.org/integration/mozilla-inbound/rev/9a8d5d816871 remote: https://hg.mozilla.org/integration/mozilla-inbound/rev/4a114ab2fcca
Comment 10•10 years ago
|
||
https://hg.mozilla.org/mozilla-central/rev/9a8d5d816871 https://hg.mozilla.org/mozilla-central/rev/4a114ab2fcca
Status: NEW → RESOLVED
Closed: 10 years ago
status-firefox38:
--- → fixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla38
Updated•5 years ago
|
Component: DOM → DOM: Core & HTML
You need to log in
before you can comment on or make changes to this bug.
Description
•