Closed
Bug 401393
Opened 17 years ago
Closed 17 years ago
"ASSERTION: Event listener manager hash not empty at shutdown!" with Flash and Greasemonkey
Categories
(Core Graveyard :: Plug-ins, defect, P3)
Tracking
(Not tracked)
RESOLVED
FIXED
mozilla1.9beta2
People
(Reporter: jruderman, Assigned: jruderman)
References
Details
(Keywords: assertion, memory-leak, testcase)
Attachments
(9 files)
301 bytes,
text/html
|
Details | |
5.30 KB,
text/plain
|
Details | |
136.22 KB,
text/plain
|
Details | |
59.37 KB,
text/plain
|
Details | |
89.76 KB,
text/plain
|
Details | |
4.46 KB,
patch
|
Details | Diff | Splinter Review | |
8.17 KB,
text/plain
|
Details | |
926 bytes,
patch
|
sicking
:
review+
jst
:
superreview+
|
Details | Diff | Splinter Review |
10.28 KB,
text/plain
|
Details |
Loading the testcase (in Mac trunk debug Firefox) triggers: ###!!! ASSERTION: Event listener manager hash not empty at shutdown!: 'sEventListenerManagersHash.entryCount == 0', file /Users/jruderman/trunk/mozilla/content/base/src/nsContentUtils.cpp, line 708 It also makes Firefox leak 1 nsEventListenerManager, 1 nsGenericElement, 1 nsHTMLSharedObjectElement, and a bunch of other objects.
Assignee | ||
Comment 1•17 years ago
|
||
Assignee | ||
Comment 2•17 years ago
|
||
Comment 3•17 years ago
|
||
You'll get that assert any time you leak an element, basically. Can you get a balance tree for that nsHTMLSharedObjectElement leak? And possibly for the nsPluginInstanceOwner and ns4xPluginInstance? I would assume the nsPluginInstanceOwner leaks the element, but not sure how the plugin stuff ends up leaking itself here.
Comment 4•17 years ago
|
||
This doesn't leak for me.
Assignee | ||
Comment 5•17 years ago
|
||
This is my first time trying to make a balance tree, so I don't know whether I did it correctly.
Comment 6•17 years ago
|
||
Hmm. What command line did you use? That tree has some really odd things going on...
Assignee | ||
Comment 7•17 years ago
|
||
The command line is included in the attachment.
Comment 8•17 years ago
|
||
Ah, ok. Try something more like: export XPCOM_MEM_REFCNT_LOG=log-file.dat export XPCOM_MEM_COMPTR_LOG=log-comptr.dat export XPCOM_MEM_LOG_CLASSES=nsHTMLSharedObjectElement Run firefox. Run find-leakers.pl on log-file.dat to find the address. make-tree.pl --object ADDRESS_HERE --comptr log-comptr.dat --ignore-balanced < ~/log-file.dat | fix-macosx-stack.pl The difference with what you did is logging all the nsCOMPtr activity and getting rid of the matching addrefs/releases from that even if they're in different parts of the balance tree. Makes the tree smaller and simpler to read.
Assignee | ||
Comment 9•17 years ago
|
||
Ignoring nsCOMPtr activity made the whole tree go away?
Assignee | ||
Comment 10•17 years ago
|
||
This log makes more sense. There's even some stuff at the bottom involving "scroll position listeners".
(In reply to comment #9) > Ignoring nsCOMPtr activity made the whole tree go away? When that's the case, generally find-comptr-leakers will show some leaks.
Assignee | ||
Comment 12•17 years ago
|
||
find-comptr-leakers.pl tells me that it's the nsPluginInstanceOwner's mContent pointer that continues to hold onto the nsHTMLSharedObjectElement.
Assignee | ||
Comment 13•17 years ago
|
||
nsPluginInstanceOwner::ScrollPositionDidChange's use of timers is Mac-specific.
Comment 14•17 years ago
|
||
Note that the leak log (XPCOM_MEM_LEAK_LOG) will say for the leaked things how many refs were from COMPtrs, so you can tell whether to use find-comptr-leakers or find-leakers.
Comment 15•17 years ago
|
||
Hmm. So there are all sorts of CancelTimer() calls in nsPluginInstanceOwner. So I'd expect this cycle to be broken... Why aren't we hitting any of them? Should the frame Destroy() method make sure the timer gets killed?
Flags: blocking1.9?
Comment 16•17 years ago
|
||
And for what it's worth, I can't reproduce on Mac either.
Assignee | ||
Comment 17•17 years ago
|
||
Hmm, so it's up to me to debug it, then?
Comment 18•17 years ago
|
||
If it's consistently reproducible, yes.... I'd start by adding printfs to the places where the timer is set up and to CancelTimer and seeing whether the latter is being hit at all, I guess. Does this perhaps depend on Flash version?
Jesse, here's your first blocker :) Let me know if you need help and I'll do my best.
Assignee: nobody → jruderman
Flags: blocking1.9? → blocking1.9+
Assignee | ||
Comment 20•17 years ago
|
||
I can't reproduce in a completely clean profile, but once I install Greasemonkey (even without installing any user scripts), I can reproduce. It seems like two nsPluginInstanceOwner objects are being created for the same frame, and one of them isn't getting torn down properly. More soon.
Summary: "ASSERTION: Event listener manager hash not empty at shutdown!" with Flash → "ASSERTION: Event listener manager hash not empty at shutdown!" with Flash and Greasemonkey
Assignee | ||
Comment 21•17 years ago
|
||
I might have figured out what's going wrong. nsPluginInstanceOwner::PrepareToStop is called on the first nsPluginInstanceOwner object, but mWidget is null, so PrepareToStop bails out early and doesn't unregister its scroll listener. Later, the scroll listener is notified, setting up a cycle between the timer and the nsPluginInstanceOwner. nsPluginInstanceOwner::Destroy doesn't get to break this cycle because it is called before the cycle is set up. If I change the mWidget null check in nsPluginInstanceOwner::PrepareToStop to only wrap the code added in bug 347743 (which uses mWidget) instead of bailing early (and skipping the "Unregister scroll position listener" code), the leak goes away. Eli and jst, do you remember why you made the null check do that in bug 347743? I don't know why Greasemonkey causes two nsPluginInstanceOwners to be created, though. I wonder if that's related to bug 390183.
Blocks: 347743
Assignee | ||
Comment 22•17 years ago
|
||
This is what I used to debug the leak so far.
Assignee | ||
Comment 23•17 years ago
|
||
Assignee | ||
Comment 24•17 years ago
|
||
Attachment #287474 -
Flags: superreview?(jst)
Attachment #287474 -
Flags: review?(sharparrow1)
Updated•17 years ago
|
Attachment #287474 -
Flags: superreview?(jst) → superreview+
Assignee | ||
Updated•17 years ago
|
Target Milestone: --- → mozilla1.9 M10
Assignee | ||
Updated•17 years ago
|
Status: NEW → ASSIGNED
Comment 25•17 years ago
|
||
> It seems like two nsPluginInstanceOwner objects are being created
What are the stacks to those creations?
Assignee | ||
Comment 26•17 years ago
|
||
Comment 27•17 years ago
|
||
Uh. So we reenter nsObjectFrame::Instantiate, looks like. I think we need to flag ourselves as being inside Instantiate and bail out if it's reentered. Probably a separate (blocking1.9) bug on that? It looks like greasemonkey installs a content policy implementation? I wonder what they do in it...
Assignee | ||
Comment 28•17 years ago
|
||
http://greasemonkey.devjavu.com/browser/trunk/src/components/greasemonkey.js#L119
Comment 29•17 years ago
|
||
Huh. OK, that's kinda cute.
Assignee | ||
Comment 30•17 years ago
|
||
Are Greasemonkey's nsIContentPolicy callbacks doing anything that's disallowed? Do we have assertions to catch that kind of thing? Boris, can you file the bug you mentioned in comment 27? I think you can describe it better than I can.
Comment 31•17 years ago
|
||
> Are Greasemonkey's nsIContentPolicy callbacks doing anything that's disallowed? Not offhand, no. > Do we have assertions to catch that kind of thing? For the most part, yeah. I filed bug 402937.
Attachment #287474 -
Flags: review?(sharparrow1) → review+
Priority: -- → P3
Assignee | ||
Comment 32•17 years ago
|
||
Patch checked in. For automated testing: once bug 397725 is fixed, I can check the testcase in as a crashtest, but the tests would have to be run with Greasemonkey installed to trigger the assertion and leak. Hmm.
Group: security
Status: ASSIGNED → RESOLVED
Closed: 17 years ago
Flags: in-testsuite?
Resolution: --- → FIXED
Assignee | ||
Updated•17 years ago
|
Group: security
Updated•2 years ago
|
Product: Core → Core Graveyard
You need to log in
before you can comment on or make changes to this bug.
Description
•