Open
Bug 114221
Opened 23 years ago
Updated 2 years ago
view interfaces implemented on frames cause frames to be accessed after destruction
Categories
(Core :: Web Painting, defect, P2)
Tracking
()
NEW
Future
People
(Reporter: dbaron, Unassigned)
References
Details
(Keywords: perf)
Attachments
(1 file, 3 obsolete files)
|
21.92 KB,
patch
|
Details | Diff | Splinter Review |
I've been looking into the cases where frames are accessed after they are freed
to the pres shell arena (see bug 114219, which I started to try and debug
another problem I thought was related to accessing freed data, but wasn't). One
of the two things I've found that does this is releases of frames implementing
nsIScrollPositionListener. There shouldn't really be a need to release frames.
There are a number of ways to solve this -- I'll attach a patch that does one of
them, which is to disinherit nsIScrollPositionListener and nsICompositeListener
(which got dragged in because the only non-frame implementation of
nsIScrollPositionListener is the only implementation of nsICompositeListener)
from nsISupports. If this is a good approach the "nsI" shouuld probably change
to "nsA". Better unregistration of the listeners would be another approach.
|
Reporter | |
Updated•23 years ago
|
Status: NEW → ASSIGNED
Priority: -- → P2
Target Milestone: --- → mozilla0.9.8
|
|
Reporter | |
Comment 1•23 years ago
|
||
|
|
Reporter | |
Updated•23 years ago
|
Target Milestone: mozilla0.9.8 → mozilla0.9.9
|
||
Updated•23 years ago
|
|
|
Reporter | |
Updated•23 years ago
|
Target Milestone: mozilla0.9.9 → Future
|
|
Reporter | |
Comment 2•23 years ago
|
||
Attachment #60946 -
Attachment is obsolete: true
|
||
Comment 3•23 years ago
|
||
Is bug 133655 the same issue?
|
|
Reporter | |
Comment 4•23 years ago
|
||
smontagu: What makes you think that? I think you commented on the wrong bug.
|
|
||
Comment 5•23 years ago
|
||
Sorry, I meant to write bug 136552.
|
||
Comment 6•23 years ago
|
||
I'm not very familiar with this area of the code, so forgive some dumb questions:
1. Are frames the _only_ scroll position listeners that we have? (If not, are
there others that need reference counting to maintain the ownership model.)
2. While this seems reasonable, does it in fact fix anything? Or is it just
cleanup?
I think that changing the listeners to be un-owned is fine, assuming there are
no other listeners that need to be kept alive by the view.
|
|
Reporter | |
Comment 7•23 years ago
|
||
The only listener that wasn't a frame is the one in the pres shell that is
changed in the above patch.
|
|
Reporter | |
Comment 8•23 years ago
|
||
This is an attempt to solve the problem by unregistration, but it crashes
within CanvasFrame::Destroy because the view manager is no longer connected to
the pres shell, so we dereference a null pointer. I wonder if it's possible to
get the view manager some other way, or whether, instead, the mPresContext
should be an mViewManager.
|
|
Reporter | |
Comment 9•23 years ago
|
||
This is a working patch doing unregistration instead. Could this cause the
lifetime of the view manager to be extended? Would that be bad?
Attachment #82643 -
Attachment is obsolete: true
|
|
Reporter | |
Updated•23 years ago
|
Target Milestone: Future → mozilla1.1alpha
|
|
||
Comment 10•23 years ago
|
||
Presumably this _does_ extend the lifetime of the view manager. (Otherwise,
couldn't you just get it from the pres context when you needed to unregister?)
It seems sort of fortuitous the way we stagger from the view manage to the pres
context in one spot, but it appears to be #ifdef DEBUG_CANVAS_FOCUS, so it's
probably not a big deal.
|
|
||
Comment 11•23 years ago
|
||
Comment on attachment 82645 [details] [diff] [review]
working unregistration patch
sr=waterson
Attachment #82645 -
Flags: superreview+
|
|
Reporter | |
Comment 12•23 years ago
|
||
I think it actually doesn't extend the life of the VM in the normal case, since
the doc viewer holds the view manager past the |Destroy| call on the pres shell
(in fact, I think all the way until its own destructor), but the pres shell
nulls out its own *weak* pointer to the view manager at the beginning of its
|Destroy| method, and then destroys the frames.
That said, I could move the nulling of the view manager pointer to later in
PresShell::Destroy to work around the problem...
|
||
Comment 13•23 years ago
|
||
Comment on attachment 82645 [details] [diff] [review]
working unregistration patch
r=attinasi, but it seems a little presumptuous to assume that GetViewManager
will always succeed in nsHTMLFrame - if that fails the result code shoudl be
returned from Init, though you might want to check it in Destroy as well (or
just assert that it is not null). Also, can nsGfxScrollFrame have a null mInner
in Destroy? I guess the constructor would crash if the allocation failed
anyway...
Attachment #82645 -
Flags: review+
|
|
Reporter | |
Updated•22 years ago
|
Target Milestone: mozilla1.1alpha → mozilla1.1beta
|
|
Reporter | |
Comment 14•22 years ago
|
||
*** Bug 130154 has been marked as a duplicate of this bug. ***
|
|
Reporter | |
Comment 15•22 years ago
|
||
Comment on attachment 82645 [details] [diff] [review]
working unregistration patch
This patch was checked in 2002-07-08 21:30 PDT, so the main problem is fixed.
However, I think I still want to get the other patch in too.
Attachment #82645 -
Attachment is obsolete: true
|
|
Reporter | |
Updated•22 years ago
|
Target Milestone: mozilla1.1beta → Future
|
||
Updated•15 years ago
|
QA Contact: chrispetersen → layout.view-rendering
|
Assignee | |
Updated•6 years ago
|
Component: Layout: View Rendering → Layout: Web Painting
|
|
Reporter | |
Updated•4 years ago
|
Assignee: dbaron → nobody
Status: ASSIGNED → NEW
|
||
Updated•2 years ago
|
Severity: normal → S3
You need to log in
before you can comment on or make changes to this bug.
Description
•