Open
Bug 1397239
Opened 7 years ago
Updated 2 years ago
nsCSSFrameConstructor::mTempFrameTreeState can leak.
Categories
(Core :: Layout, enhancement, P3)
Core
Layout
Tracking
()
NEW
| Tracking | Status | |
|---|---|---|
| firefox57 | --- | wontfix |
People
(Reporter: emilio, Unassigned)
References
Details
Attachments
(1 file)
|
400 bytes,
text/plain
|
Details |
Right now we record the frame tree state when reconstructing frames for an element, even when they're reconstructed asynchronously. The problem is that after that, but before we actually go ahead and reconstruct the frames, some DOM content may be gone from the document, and we indeterminately store the frame tree state there. Should we clear the frame tree state after a flush with FlushType >= FlushType::Frames?
|
Reporter | |
Comment 1•7 years ago
|
||
When we remove the <div id="test"> we reconstruct the <span> (and the parent <div> fwiw). We then remove the text control from the DOM, so nothing will retrieve the state back when we reconstruct, and there's nothing clearing it afterwards.
|
|
Reporter | |
Comment 2•7 years ago
|
||
(I plan to look at this more in depth when I got the chance).
Flags: needinfo?(emilio)
|
||
Comment 3•7 years ago
|
||
> Should we clear the frame tree state after a flush with FlushType >= FlushType::Frames?
That seems fairly plausible to me, but worth checking what other UAs do with testcases that send something display:none, then flush, then send it back to display:block and flush and what happens to the scroll position of things in there, including both text controls and overflow:scroll divs.|
|
Reporter | |
Comment 4•7 years ago
|
||
(In reply to Boris Zbarsky [:bz] (still digging out from vacation mail) from comment #3) > > Should we clear the frame tree state after a flush with FlushType >= FlushType::Frames? > > That seems fairly plausible to me, but worth checking what other UAs do with > testcases that send something display:none, then flush, then send it back to > display:block and flush and what happens to the scroll position of things in > there, including both text controls and overflow:scroll divs. So bad news is that they (Blink / WebKit) preserve overflow:scroll state across flushes, so this is not going to work :(. They didn't seem to preserve any kind of text control scroll state though.
|
||
Updated•7 years ago
|
Priority: -- → P3
|
|
||
Updated•7 years ago
|
status-firefox57:
--- → wontfix
|
|
Reporter | |
Comment 5•7 years ago
|
||
I haven't looked into more ways to fix it. I guess we can remove the key from UnbindFromTree or what not... I don't plan to look at this particularly soon, I'm swamped already :)
Flags: needinfo?(emilio)
|
||
Updated•2 years ago
|
Severity: normal → S3
You need to log in
before you can comment on or make changes to this bug.
Description
•