Closed
Bug 41608
Opened 24 years ago
Closed 24 years ago
how to destroy named roots when we have no context
Categories
(Core :: DOM: Core & HTML, defect, P3)
Tracking
()
VERIFIED
FIXED
M17
People
(Reporter: alecf, Assigned: alecf)
Details
(Keywords: crash, Whiteboard: [nsbeta2+]fix in hand and reviewed)
Attachments
(1 file)
984 bytes,
patch
|
Details | Diff | Splinter Review |
The bug is in nsGlobalWindow.cpp.. the issue is basically that during construction of nsGlobalWindowImpl, we add a named root, "window_object" with the current script context. Shaver just helped me find that we weren't ever removing the named reference, the mScriptObject when the object cleans up. This really screwed with the JS engine's GC and I got alot of fatal assertions about root_points_to_gcArenaPool ***PDT: This eventually leads to a crash in the mail account wizard if you open it more than one or two times. *** So we added this to nsGlobalWindowImpl::Cleanup() if (mContext) mContext->RemoveReference(&mScriptObject, mScriptObject); shaver and jst seem to agree this is the right thing to do... filing this bug so that it gets marked nsbeta2+ so I can check in.
Assignee | ||
Comment 1•24 years ago
|
||
add nsbeta2 and crash keyword, and dogfood so it gets quick attention, reassigning to myself
Comment 4•24 years ago
|
||
Approving for beta2 plus checkin. Sounds like a small and valuable fix
Whiteboard: fix in hand and reviewed → [nsbeta2+]fix in hand and reviewed
Comment 5•24 years ago
|
||
What's the fix? JS_RemoveRootRT is ready and waiting in the JS API -- it's been there for a while. /be
Assignee | ||
Comment 6•24 years ago
|
||
well, the fix is to add mContext->RemoveReference(), which I assume will call a JS_* API of some sort.. after talking with jst and shaver s'more, I've also added this to GlobalWindowImp::SetContext... here, I'll attach a patch..
Status: NEW → ASSIGNED
Assignee | ||
Comment 7•24 years ago
|
||
Assignee | ||
Comment 8•24 years ago
|
||
ok, that patch is in.
Status: ASSIGNED → RESOLVED
Closed: 24 years ago
Resolution: --- → FIXED
Comment 10•24 years ago
|
||
There is still a way this can happen. If you open a dialog window (File->Open File) and close it (click on cancel) the code in nsJSUtils::nsConvertObjectToJSVal() (called by WindowOpenDialog()) will call GlobalWindowImpl::GetScriptObject() on the Closed window. This will allocate a new ScriptObject, which is returned. This object is never RemoveReferenced(), since mContext == NULL in CleanUp(). In fact the whole GlobalWindow is leaked, so CleanUp() is never called. But it wouldn't work even if it weren't leaked.
Comment 11•24 years ago
|
||
I think this is a dup of bug 43466 and bug 38951. They're all dups of each other if you ask me. Alex correctly identified one part of the problem behind all these bugs, that is indeed still with us: the premature nulling of mScriptObject in GlobalWindowImpl::SetDocShell(nsnull) -- more travis damage that danm and I worked all day yesterday to undo. Dan has a fix in sight, which involves handing off the window's mScriptObject root to its nsJSContext when the SetDocShell(nsnull) happens. If it fixes all these bugs, we should close them. I don't think we need to reopen this bug, however. /be
You need to log in
before you can comment on or make changes to this bug.
Description
•