Closed
Bug 129620
Opened 22 years ago
Closed 3 years ago
theme switch can cause nsDocument to be asked to remove same stylesheet twice
Categories
(Core :: CSS Parsing and Computation, defect, P5)
Tracking
()
RESOLVED
INCOMPLETE
Future
People
(Reporter: dbaron, Unassigned, NeedInfo)
References
Details
Attachments
(3 files, 1 obsolete file)
|
243.82 KB,
text/plain
|
Details | |
|
112.67 KB,
text/plain
|
Details | |
|
1.51 KB,
patch
|
peterv
:
review+
jst
:
superreview+
|
Details | Diff | Splinter Review |
I've been tracking down a skin-switching crash that I've managed to figure out a way to reproduce about half the time. This may be related to bug 127716. The steps to reproduce are roughly the following: * start the browser (initially in Modern) * pres control-two to get into mail * cancel at the password dialog * click on my news server in the folder pane * click on one of the news groups under the server * scroll the thread pane using both the slider thumb and the arrows * click on one of the articles in the thread pane, so that it shows up * ctrl-click on the article above/below that article, so no article is displaying * in the browser window, click View | Apply Theme | Classic * switch back to the mail window, and click on another article, so that that article is displaying * focus (raise) the browser window * click View | Apply Theme | Modern * focus the mail window * click the X in the corner of the mail window to close the mail window * click the X in the corner of the browser window to close the browser window At some point near the end of this chain, it crashes. (I actually stubbed out CSSStyleSheetImpl::Release so it doesn't crash but I can still get debugging info for the refcount log.) I took a refcount log where everything on the over-released sheet is balanced except for nsDocument's handling of stylesheets. (Note that the refcounting described in bug 129618 is rather bizarre.) So at the lowest level the problem seems to be that nsDocument doesn't check the return value when it calls mStyleSheets.RemoveElement(), and then proceeds to release the sheets as if it owns a reference. If the sheet isn't in mStyleSheets (I've yet to figure out why *this* is the case beyond that mStyleSheets.RemoveElement() is being called from both callsites in nsDocument.cpp for a single stylesheet) this can end up over-releasing the stylesheets. I'll attach the excerpts from the refcount log (in order) and the balance tree showing the problem.
|
Reporter | |
Comment 1•22 years ago
|
||
|
|
Reporter | |
Comment 2•22 years ago
|
||
|
|
Reporter | |
Comment 3•22 years ago
|
||
Comment on attachment 73129 [details]
refcount log for over-released stylesheet
It should be clear in this log that the final "Release 6" and the final
"Release 2" both correspnd to the second "AddRef 7".|
|
Reporter | |
Comment 4•22 years ago
|
||
|
|
Reporter | |
Comment 5•22 years ago
|
||
|
|
Reporter | |
Updated•22 years ago
|
Status: NEW → ASSIGNED
Priority: -- → P1
Target Milestone: --- → mozilla1.0
|
|
Reporter | |
Comment 6•22 years ago
|
||
I'm wondering if this is happening because mail inserts a LINK element into the email message being displayed or something like that. I don't see why a HTML document would link to a chrome stylesheet, and I don't think the ChromeRegistry code should be doing anything to non-chrome stylesheets, although I could be wrong. It seems like the problem that causes is that the style link element code (nsHTMLLinkElement) doesn't know that the link it represents now maps to a different stylesheet object. (Perhaps the same problem could happen for PIs in XUL?)
|
||
Comment 7•22 years ago
|
||
Comment on attachment 73136 [details] [diff] [review] bulletproofing patch (diff -uw, for reading but not applying) sr=jst
Attachment #73136 -
Flags: superreview+
|
|
||
Updated•22 years ago
|
Attachment #73135 -
Flags: superreview+
|
||
Comment 8•22 years ago
|
||
Comment on attachment 73135 [details] [diff] [review] bulletproofing patch (diff -u) r=peterv, but it'd be good to figure out why this happens exactly. Should we leave the bug open?
Attachment #73135 -
Flags: review+
|
|
Reporter | |
Comment 9•22 years ago
|
||
Comment on attachment 73135 [details] [diff] [review] bulletproofing patch (diff -u) So that this will compile on Windows I need to write the first change as: - mStyleSheets.RemoveElement(aSheet); + if (!mStyleSheets.RemoveElement(aSheet)) { + NS_NOTREACHED("stylesheet not found"); + return; + } (Why does gcc only warn about returning something in a void function rather than giving an error?)
|
||
Updated•22 years ago
|
Attachment #73136 -
Flags: approval+
|
|
||
Comment 10•22 years ago
|
||
Comment on attachment 73136 [details] [diff] [review] bulletproofing patch (diff -uw, for reading but not applying) a=asa (on behalf of drivers) for checkin to the 0.9.9 branch and the 1.0 trunk
|
|
Reporter | |
Comment 11•22 years ago
|
||
OK, that patch was checked in to: * trunk, 2002-03-08 13:05 PST * MOZILLA_0_9_9_BRANCH, 2002-03-08 13:09 PST. Retitling this bug to cover the remaining problem and pushing it off to mozilla1.1.
Severity: critical → major
Priority: P1 → P3
Summary: nsDocument can over-release stylesheets → theme switch can cause nsDocument to be asked to remove same stylesheet twice
Target Milestone: mozilla1.0 → mozilla1.1
|
|
Reporter | |
Comment 12•22 years ago
|
||
*** Bug 122111 has been marked as a duplicate of this bug. ***
|
|
Reporter | |
Comment 13•22 years ago
|
||
*** Bug 127716 has been marked as a duplicate of this bug. ***
|
|
||
Comment 14•22 years ago
|
||
Comment on attachment 73136 [details] [diff] [review] bulletproofing patch (diff -uw, for reading but not applying) obsoleting checked in patche.
Attachment #73136 -
Attachment is obsolete: true
|
|
Reporter | |
Updated•22 years ago
|
Target Milestone: mozilla1.1alpha → Future
|
|
Reporter | |
Updated•17 years ago
|
Assignee: dbaron → nobody
Status: ASSIGNED → NEW
QA Contact: ian → style-system
|
||
Comment 15•14 years ago
|
||
Marking as fixed, as the patch has been applied (7 years ago), and this issue (crash caused by removing an non-existing stylesheet) is confirmed fixed by that patch.
Status: NEW → RESOLVED
Closed: 14 years ago
Resolution: --- → FIXED
|
|
Reporter | |
Comment 16•14 years ago
|
||
Reopening per comment 11.
Status: RESOLVED → REOPENED
Resolution: FIXED → ---
|
|
Reporter | |
Updated•13 years ago
|
Priority: P3 → P5
|
||
Comment 17•3 years ago
|
||
Hey David,
Can you still reproduce this or should we close it?
Flags: needinfo?(dbaron)
|
|
||
Comment 18•3 years ago
|
||
Marking this as Resolved > Incomplete since the last activity on this issue was 12 years ago and it might not be relevant anymore.
Feel free to re-open if the issue is still reproducible on your end in the latest FF versions.
Status: REOPENED → RESOLVED
Closed: 14 years ago → 3 years ago
Resolution: --- → INCOMPLETE
You need to log in
before you can comment on or make changes to this bug.
Description
•