Closed Bug 324465 Opened 19 years ago Closed 17 years ago

<span style="-moz-binding: url(#t);"></span> causes document to leak

Categories

(Core :: XBL, defect)

Product:
Core
Component:
XBL
Platform:
x86
Linux
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

()

Status:
RESOLVED FIXED

People

(Reporter: mozbugs, Unassigned)

References

(
URL
)

Details

(Keywords: memory-leak, testcase)

Attachments

(2 files)

testcase
181 bytes, text/html
Details
this one hangs the browser
38 bytes, text/html
Details 
User-Agent:       Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9a1) Gecko/20060120 Firefox/1.6a1
Build Identifier: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9a1) Gecko/20060120 Firefox/1.6a1

See steps to reproduce

Reproducible: Always

Steps to Reproduce:
1.Go to URL
2.Run test #34845199
3.Run leak-gauge

Actual Results:  
Leaked document at address 95dc600.
 ... with URI
"http://toadstool.se/software/iexploder/demo/iexploder.cgi?lookup=1&test=34845199&subtest=".
Summary:
Leaked 0 out of 8 DOM Windows
Leaked 1 out of 29 documents
Leaked 0 out of 3 docshells
Keywords: mlk
Summary: Leak Document with IExploder test #34845199 - mlk → Leak Document with IExploder test #34845199
Attached file testcase 
This is minimised from the exploder page, basically this seems to be enough to cause the memory leak:
<span style="-moz-binding: url(#t);"></span>

I also get this assertion in a debug build:
###!!! ASSERTION: *** XBL doc with no root element! Something went horribly wron
g! ***: 'Error', file c:/mozilla/mozilla/content/xbl/src/nsXBLService.cpp, line
396
Failed to load XBL document file:///C:/Documents%20and%20Settings/mw22/Bureaubla
d/iexploder.cgi324465_leak_exploder.htm
overflow!
Assignee: nobody → general
Status: UNCONFIRMED → NEW
Component: General → XBL
Ever confirmed: true
Keywords: testcase
Product: Firefox → Core
QA Contact: general → ian
Version: unspecified → Trunk
Blocks: iexploder
Summary: Leak Document with IExploder test #34845199 → <span style="-moz-binding: url(#t);"></span> causes document to leak
The problem is that nsXBLStreamListener::Load doesn't break the reference cycle between the listener and its mBindingDocument in a lot of cases.

That said, I'd rather we didn't have a cycle at all...  mrbkap, does your work on breaking the document/sink/parser cycle mean to have the parser own the doc, or the other way around?  That is, do you think it would be reasonable to not hold a ref to the doc here in the first place and rely on the parser to keep it alive?  I doubt we make that work now, but perhaps we should?
Flags: blocking1.9a1?
Flags: blocking1.8.1?
My goal was to make the document hold the parser and the content sink, with a weak reference between the content sink and the document, thus breaking the circular reference there.

I don't think it makes sense for the parser to hold the document, especially since the content viewer always has a strong ref to the document, and the strong refs to the parser (considering that the strong ref that necko keeps on it goes away after the stream finishes loading).
OK.  I was suspecting something like that.  The issues arise when documents are _not_ handled via a content viewer, as here.  I guess we just need to have that circular reference for the duration of the load, then.  Or we need to have the listener be a separate object that holds a weak ref to our nsXBLStreamListener...

Anyway, I'll post a patch shortly.
Not all is so simple; I'm not quite seeing a good way to deal here yet... :(  In particular, it's not clear to me why this code can assume that the Load() event will fire in all error conditions.  Is it?
<select style="-moz-binding: url(#t)"> hangs the browser (iExploder test 10030070). Is this helpful or should I file another bug for this hang?
Joonas, please file a new bug on it, file it under Core->XBL.
The hang in comment 6 was filed as bug 329410.
Not going to block 1.8.1 for this since the leak is particular to XBL used on the web.
Flags: blocking1.8.1? → blocking1.8.1-
Flags: blocking1.9a1? → blocking1.9-
I wonder whether we could just use the cycle collector here.  This is the sort of thing it should be great for (no JS in the cycle and all).
Depends on: 394052
Blocks: 398292
WFM: no leaks shown by trace-refcnt after loading either testcase.  I get a warning

WARNING: *** XBL doc with no root element! Something went horribly wrong! ***: file /Users/jruderman/trunk/mozilla/content/xbl/src/nsXBLService.cpp, line 388

but there are no other signs of bad things happening.

Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.4; en-US; rv:1.9b2pre) Gecko/2007111918 Minefield/3.0b2pre
Status: NEW → RESOLVED
Closed: 17 years ago
Flags: in-testsuite?
Resolution: --- → FIXED
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: