Open
Bug 114221
Opened 23 years ago
Updated 2 years ago
view interfaces implemented on frames cause frames to be accessed after destruction
Categories
(Core :: Web Painting, defect, P2)
Tracking
()
NEW
Future
People
(Reporter: dbaron, Unassigned)
References
Details
(Keywords: perf)
Attachments
(1 file, 3 obsolete files)
|
21.92 KB,
patch
|
Details | Diff | Splinter Review |
I've been looking into the cases where frames are accessed after they are freed to the pres shell arena (see bug 114219, which I started to try and debug another problem I thought was related to accessing freed data, but wasn't). One of the two things I've found that does this is releases of frames implementing nsIScrollPositionListener. There shouldn't really be a need to release frames. There are a number of ways to solve this -- I'll attach a patch that does one of them, which is to disinherit nsIScrollPositionListener and nsICompositeListener (which got dragged in because the only non-frame implementation of nsIScrollPositionListener is the only implementation of nsICompositeListener) from nsISupports. If this is a good approach the "nsI" shouuld probably change to "nsA". Better unregistration of the listeners would be another approach.
|
Reporter | |
Updated•23 years ago
|
Status: NEW → ASSIGNED
Priority: -- → P2
Target Milestone: --- → mozilla0.9.8
|
|
Reporter | |
Comment 1•23 years ago
|
||
|
|
Reporter | |
Updated•23 years ago
|
Target Milestone: mozilla0.9.8 → mozilla0.9.9
|
||
Updated•23 years ago
|
|
|
Reporter | |
Updated•23 years ago
|
Target Milestone: mozilla0.9.9 → Future
|
|
Reporter | |
Comment 2•22 years ago
|
||
Attachment #60946 -
Attachment is obsolete: true
|
||
Comment 3•22 years ago
|
||
Is bug 133655 the same issue?
|
|
Reporter | |
Comment 4•22 years ago
|
||
smontagu: What makes you think that? I think you commented on the wrong bug.
|
|
||
Comment 5•22 years ago
|
||
Sorry, I meant to write bug 136552.
|
||
Comment 6•22 years ago
|
||
I'm not very familiar with this area of the code, so forgive some dumb questions: 1. Are frames the _only_ scroll position listeners that we have? (If not, are there others that need reference counting to maintain the ownership model.) 2. While this seems reasonable, does it in fact fix anything? Or is it just cleanup? I think that changing the listeners to be un-owned is fine, assuming there are no other listeners that need to be kept alive by the view.
|
|
Reporter | |
Comment 7•22 years ago
|
||
The only listener that wasn't a frame is the one in the pres shell that is changed in the above patch.
|
|
Reporter | |
Comment 8•22 years ago
|
||
This is an attempt to solve the problem by unregistration, but it crashes within CanvasFrame::Destroy because the view manager is no longer connected to the pres shell, so we dereference a null pointer. I wonder if it's possible to get the view manager some other way, or whether, instead, the mPresContext should be an mViewManager.
|
|
Reporter | |
Comment 9•22 years ago
|
||
This is a working patch doing unregistration instead. Could this cause the lifetime of the view manager to be extended? Would that be bad?
Attachment #82643 -
Attachment is obsolete: true
|
|
Reporter | |
Updated•22 years ago
|
Target Milestone: Future → mozilla1.1alpha
|
|
||
Comment 10•22 years ago
|
||
Presumably this _does_ extend the lifetime of the view manager. (Otherwise, couldn't you just get it from the pres context when you needed to unregister?) It seems sort of fortuitous the way we stagger from the view manage to the pres context in one spot, but it appears to be #ifdef DEBUG_CANVAS_FOCUS, so it's probably not a big deal.
|
|
||
Comment 11•22 years ago
|
||
Comment on attachment 82645 [details] [diff] [review] working unregistration patch sr=waterson
Attachment #82645 -
Flags: superreview+
|
|
Reporter | |
Comment 12•22 years ago
|
||
I think it actually doesn't extend the life of the VM in the normal case, since the doc viewer holds the view manager past the |Destroy| call on the pres shell (in fact, I think all the way until its own destructor), but the pres shell nulls out its own *weak* pointer to the view manager at the beginning of its |Destroy| method, and then destroys the frames. That said, I could move the nulling of the view manager pointer to later in PresShell::Destroy to work around the problem...
|
||
Comment 13•22 years ago
|
||
Comment on attachment 82645 [details] [diff] [review] working unregistration patch r=attinasi, but it seems a little presumptuous to assume that GetViewManager will always succeed in nsHTMLFrame - if that fails the result code shoudl be returned from Init, though you might want to check it in Destroy as well (or just assert that it is not null). Also, can nsGfxScrollFrame have a null mInner in Destroy? I guess the constructor would crash if the allocation failed anyway...
Attachment #82645 -
Flags: review+
|
|
Reporter | |
Updated•22 years ago
|
Target Milestone: mozilla1.1alpha → mozilla1.1beta
|
|
Reporter | |
Comment 14•22 years ago
|
||
*** Bug 130154 has been marked as a duplicate of this bug. ***
|
|
Reporter | |
Comment 15•22 years ago
|
||
Comment on attachment 82645 [details] [diff] [review] working unregistration patch This patch was checked in 2002-07-08 21:30 PDT, so the main problem is fixed. However, I think I still want to get the other patch in too.
Attachment #82645 -
Attachment is obsolete: true
|
|
Reporter | |
Updated•22 years ago
|
Target Milestone: mozilla1.1beta → Future
|
||
Updated•15 years ago
|
QA Contact: chrispetersen → layout.view-rendering
|
Assignee | |
Updated•6 years ago
|
Component: Layout: View Rendering → Layout: Web Painting
|
|
Reporter | |
Updated•3 years ago
|
Assignee: dbaron → nobody
Status: ASSIGNED → NEW
|
||
Updated•2 years ago
|
Severity: normal → S3
You need to log in
before you can comment on or make changes to this bug.
Description
•