Closed Bug 41608 Opened 24 years ago Closed 24 years ago

how to destroy named roots when we have no context

Categories

(Core :: DOM: Core & HTML, defect, P3)

Product:
Core
Component:
DOM: Core & HTML
Platform:
x86
Linux
Type:
defect

Tracking

()

Status:
VERIFIED FIXED

People

(Reporter: alecf, Assigned: alecf)

Details

(Keywords: crash, Whiteboard: [nsbeta2+]fix in hand and reviewed)

Attachments

(1 file)

fix for removal of global window root
984 bytes, patch
Details | Diff | Splinter Review 
The bug is in nsGlobalWindow.cpp.. the issue is basically that during
construction of nsGlobalWindowImpl, we add a named root, "window_object" with
the current script context. Shaver just helped me find that we weren't ever
removing the named reference, the mScriptObject when the object cleans up. This
really screwed with the JS engine's GC and I got alot of fatal assertions about
root_points_to_gcArenaPool

***PDT: This eventually leads to a crash in the mail account wizard if you open
it more than one or two times. ***

So we added this to nsGlobalWindowImpl::Cleanup()

  if (mContext)
    mContext->RemoveReference(&mScriptObject, mScriptObject);

shaver and jst seem to agree this is the right thing to do... filing this bug so
that it gets marked nsbeta2+ so I can check in.
add nsbeta2 and crash keyword, and dogfood so it gets quick attention,
reassigning to myself
Assignee: jst → alecf
Keywords: crash, dogfood, nsbeta2
Whiteboard: fix in hand and reviewed
marking M17.
Target Milestone: --- → M17
marking critical
Severity: normal → critical
Approving for beta2 plus checkin.
Sounds like a small and valuable fix
Whiteboard: fix in hand and reviewed → [nsbeta2+]fix in hand and reviewed
What's the fix?  JS_RemoveRootRT is ready and waiting in the JS API -- it's been
there for a while.

/be
well, the fix is to add mContext->RemoveReference(), which I assume will call a 
JS_* API of some sort.. after talking with jst and shaver s'more, I've also 
added this to GlobalWindowImp::SetContext... here, I'll attach a patch..
Status: NEW → ASSIGNED
ok, that patch is in.
Status: ASSIGNED → RESOLVED
Closed: 24 years ago
Resolution: --- → FIXED
Verified with 2000-07-06-08.
Status: RESOLVED → VERIFIED
There is still a way this can happen. If you open a dialog window (File->Open
File) and close it (click on cancel) the code in
nsJSUtils::nsConvertObjectToJSVal() (called by WindowOpenDialog()) will call
GlobalWindowImpl::GetScriptObject() on the Closed window. This will allocate a
new ScriptObject, which is returned. This object is never RemoveReferenced(),
since mContext == NULL in CleanUp(). 

In fact the whole GlobalWindow is leaked, so CleanUp() is never called. But it
wouldn't work even if it weren't leaked.

I think this is a dup of bug 43466 and bug 38951.  They're all dups of each
other if you ask me.

Alex correctly identified one part of the problem behind all these bugs, that is
indeed still with us: the premature nulling of mScriptObject in
GlobalWindowImpl::SetDocShell(nsnull) -- more travis damage that danm and I
worked all day yesterday to undo.  Dan has a fix in sight, which involves
handing off the window's mScriptObject root to its nsJSContext when the
SetDocShell(nsnull) happens.  If it fixes all these bugs, we should close them. 
I don't think we need to reopen this bug, however.

/be
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: