Closed Bug 416175 Opened 16 years ago Closed 16 years ago

nsHttpConnectionMgr::AddTransactionToPipeline leaks nsHttpConnectionInfo and nsStringBuffer

Categories

(Core :: General, defect, P1)

x86
macOS
defect

VERIFIED FIXED

People

(Reporter: cbook, Assigned: roc)

Details

(Keywords: memory-leak)

Attachments

(2 files)

Attached file leak log
Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-US; rv:1.9b4pre) Gecko/2008020717 Firefox/3.0b4pre

Steps to reproduce:
-> New profile
-> Having 3 tabs open (Firefox default start page, apple.com and bug 414482).
-> Copy some text from Bug 411482
Leak

nsTraceRefcntImpl::DumpStatistics: 783 entries
nsStringStats
 => mAllocCount:          24559
 => mReallocCount:         3574
 => mFreeCount:           24557  --  LEAKED 2 !!!
 => mShareCount:          20297
 => mAdoptCount:           1934
 => mAdoptFreeCount:       1934
Flags: blocking1.9?
Summary: Firefox leaks nsStringBuffer → Firefox leaks nsStringBuffer when copying text
Blocks: 409697
Flags: blocking1.9? → blocking1.9+
Priority: -- → P1
Can't reproduce this one.
It seems that this leak is (when it's happening) building up over time. As an example, I had Firefox open with some tabs and left this Firefox untouched for the Monday meetings time and some other Firefox testing on a different computer, and after I quit Firefox I got:

nsStringStats
 => mAllocCount:        1046492
 => mReallocCount:       127712
 => mFreeCount:         1046472  --  LEAKED 20 !!!
 => mShareCount:        1088280
 => mAdoptCount:         122818
 => mAdoptFreeCount:     122818


and

   0 TOTAL                                          22      160 126349292       20 (19950.99 +/-  8013.20) 262745088       20 ( 8905.62 +/- 10484.02)
 744 nsStringBuffer                                  8      160  1174204       20 (15392.35 +/-  4147.37)  2262484       20 (18709.63 +/-  5227.82)
 
This seems to be related to https sites. I seem to get this leak for instance when copying the url from the url bar on a bugzilla page.
And I seem to get it directly just by visiting https://www.spamklacht.nl/asp/ .
Blocks: 413263, 416215
Blocks: 417642
Related to bug 391892, perhaps?
This is the stack for one of the leaked strings visiting https://www.spamklacht.nl/asp/:

<nsStringBuffer> 0x39C53400 18362 AddRef 1
nsStringBuffer::Realloc(nsStringBuffer*, unsigned long) (/Users/roc/mozilla-trunk/xpcom/string/src/nsTSubstring.cpp:239)
nsACString_internal::MutatePrep(unsigned int, char**, unsigned int*) (/Users/roc/mozilla-trunk/xpcom/string/src/nsTSubstring.cpp:135)
nsACString_internal::ReplacePrep(unsigned int, unsigned int, unsigned int) (/Users/roc/mozilla-trunk/xpcom/string/src/nsTSubstring.cpp:209)
nsACString_internal::Replace(unsigned int, unsigned int, char const*, unsigned int) (/Users/roc/mozilla-trunk/xpcom/string/src/nsTSubstring.cpp:502)
nsDefaultCStringComparator::nsDefaultCStringComparator()+0x000000F0  (/Users/roc/objdirs/mozilla-trunk/ff-debug/intl/unicharutil/util/internal/../../../dist/include/string/nsTSubstring.h:361)
nsHttpConnectionInfo::SetOriginServer(nsACString_internal const&, int) (/Users/roc/mozilla-trunk/netwerk/protocol/http/src/nsHttpConnectionInfo.cpp:68)
nsCRT::strcmp(char const*, char const*)+0x000033F2  (/Users/roc/mozilla-trunk/netwerk/protocol/http/src/nsHttpConnectionInfo.h:68)
nsHttpChannel::Init(nsIURI*, unsigned char, nsProxyInfo*) (/Users/roc/mozilla-trunk/netwerk/protocol/http/src/nsHttpChannel.cpp:197)
nsHttpHandler::NewProxiedChannel(nsIURI*, nsIProxyInfo*, nsIChannel**) (/Users/roc/mozilla-trunk/netwerk/protocol/http/src/nsHttpHandler.cpp:1518)
nsHttpHandler::NewChannel(nsIURI*, nsIChannel**) (/Users/roc/mozilla-trunk/netwerk/protocol/http/src/nsHttpHandler.cpp:1455)
nsHttpsHandler::NewChannel(nsIURI*, nsIChannel**) (/Users/roc/mozilla-trunk/netwerk/protocol/http/src/nsHttpHandler.cpp:1792)
nsIOService::NewChannelFromURI(nsIURI*, nsIChannel**) (/Users/roc/mozilla-trunk/netwerk/base/src/nsIOService.cpp:564)
nsQueryElementAt::nsQueryElementAt(nsICollection*, unsigned int, unsigned int*)+0x0000797E  (/Users/roc/objdirs/mozilla-trunk/ff-debug/intl/unicharutil/util/internal/../../dist/include/necko/nsNetUtil.h:177)
nsDocShell::DoURILoad(nsIURI*, nsIURI*, int, nsISupports*, char const*, nsIInputStream*, nsIInputStream*, int, nsIDocShell**, nsIRequest**, int, int) (/Users/roc/mozilla-trunk/docshell/base/nsDocShell.cpp:7162)
nsDocShell::InternalLoad(nsIURI*, nsIURI*, nsISupports*, unsigned int, unsigned short const*, char const*, nsIInputStream*, nsIInputStream*, unsigned int, nsISHEntry*, int, nsIDocShell**, nsIRequest**) (/Users/roc/mozilla-trunk/docshell/base/nsDocShell.cpp:7064)
nsDocShell::LoadURI(nsIURI*, nsIDocShellLoadInfo*, unsigned int, int) (/Users/roc/mozilla-trunk/docshell/base/nsDocShell.cpp:902)
nsDocShell::LoadURI(unsigned short const*, unsigned int, nsIURI*, nsIInputStream*, nsIInputStream*) (/Users/roc/mozilla-trunk/docshell/base/nsDocShell.cpp:2891)
NS_InvokeByIndex_P (/Users/roc/mozilla-trunk/xpcom/reflect/xptcall/src/md/unix/xptcinvoke_unixish_x86.cpp:179)
XPCWrappedNative::CallMethod(XPCCallContext&, XPCWrappedNative::CallMode) (/Users/roc/mozilla-trunk/js/src/xpconnect/src/xpcwrappednative.cpp:2339)
XPC_WN_CallMethod(JSContext*, JSObject*, unsigned int, long*, long*) (/Users/roc/mozilla-trunk/js/src/xpconnect/src/xpcwrappednativejsops.cpp:1470)
js_Invoke (/Users/roc/mozilla-trunk/js/src/jsinterp.c:1409)
js_Interpret (/Users/roc/mozilla-trunk/js/src/jsinterp.c:4640)
js_Invoke (/Users/roc/mozilla-trunk/js/src/jsinterp.c:1425)
js_InternalInvoke (/Users/roc/mozilla-trunk/js/src/jsinterp.c:1481)
JS_CallFunctionValue (/Users/roc/mozilla-trunk/js/src/jsapi.c:4982)
nsJSContext::CallEventHandler(nsISupports*, void*, void*, nsIArray*, nsIVariant**) (/Users/roc/mozilla-trunk/dom/src/base/nsJSEnvironment.cpp:1947)
nsJSEventListener::HandleEvent(nsIDOMEvent*) (/Users/roc/mozilla-trunk/dom/src/events/nsJSEventListener.cpp:248)
nsEventListenerManager::HandleEventSubType(nsListenerStruct*, nsIDOMEventListener*, nsIDOMEvent*, nsISupports*, unsigned int) (/Users/roc/mozilla-trunk/content/events/src/nsEventListenerManager.cpp:1082)
nsEventListenerManager::HandleEvent(nsPresContext*, nsEvent*, nsIDOMEvent**, nsISupports*, unsigned int, nsEventStatus*) (/Users/roc/mozilla-trunk/content/events/src/nsEventListenerManager.cpp:1184)
nsEventTargetChainItem::HandleEvent(nsEventChainPostVisitor&, unsigned int) (/Users/roc/mozilla-trunk/content/events/src/nsEventDispatcher.cpp:206)
nsEventTargetChainItem::HandleEventTargetChain(nsEventChainPostVisitor&, unsigned int, nsDispatchingCallback*) (/Users/roc/mozilla-trunk/content/events/src/nsEventDispatcher.cpp:264)
nsEventDispatcher::Dispatch(nsISupports*, nsPresContext*, nsEvent*, nsIDOMEvent*, nsEventStatus*, nsDispatchingCallback*) (/Users/roc/mozilla-trunk/content/events/src/nsEventDispatcher.cpp:479)
DocumentViewerImpl::LoadComplete(unsigned int) (/Users/roc/mozilla-trunk/layout/base/nsDocumentViewer.cpp:979)
nsDocShell::EndPageLoad(nsIWebProgress*, nsIChannel*, unsigned int) (/Users/roc/mozilla-trunk/docshell/base/nsDocShell.cpp:5030)
nsWebShell::EndPageLoad(nsIWebProgress*, nsIChannel*, unsigned int) (/Users/roc/mozilla-trunk/docshell/base/nsWebShell.cpp:1013)
nsDocShell::OnStateChange(nsIWebProgress*, nsIRequest*, unsigned int, unsigned int) (/Users/roc/mozilla-trunk/docshell/base/nsDocShell.cpp:4930)
nsDocLoader::FireOnStateChange(nsIWebProgress*, nsIRequest*, int, unsigned int) (/Users/roc/mozilla-trunk/uriloader/base/nsDocLoader.cpp:1235)
nsDocLoader::doStopDocumentLoad(nsIRequest*, unsigned int) (/Users/roc/mozilla-trunk/uriloader/base/nsDocLoader.cpp:858)
nsDocLoader::DocLoaderIsEmpty() (/Users/roc/mozilla-trunk/uriloader/base/nsDocLoader.cpp:763)
nsDocLoader::OnStopRequest(nsIRequest*, nsISupports*, unsigned int) (/Users/roc/mozilla-trunk/uriloader/base/nsDocLoader.cpp:679)
nsLoadGroup::RemoveRequest(nsIRequest*, nsISupports*, unsigned int) (/Users/roc/mozilla-trunk/netwerk/base/src/nsLoadGroup.cpp:688)
imgRequestProxy::RemoveFromLoadGroup(int) (/Users/roc/mozilla-trunk/modules/libpr0n/src/imgRequestProxy.cpp:157)
imgRequestProxy::OnStopRequest(nsIRequest*, nsISupports*, unsigned int, int) (/Users/roc/mozilla-trunk/modules/libpr0n/src/imgRequestProxy.cpp:506)
imgRequest::OnStopRequest(nsIRequest*, nsISupports*, unsigned int) (/Users/roc/mozilla-trunk/modules/libpr0n/src/imgRequest.cpp:736)
ProxyListener::OnStopRequest(nsIRequest*, nsISupports*, unsigned int) (/Users/roc/mozilla-trunk/modules/libpr0n/src/imgLoader.cpp:866)
nsBaseChannel::OnStopRequest(nsIRequest*, nsISupports*, unsigned int) (/Users/roc/mozilla-trunk/netwerk/base/src/nsBaseChannel.cpp:610)
nsInputStreamPump::OnStateStop() (/Users/roc/mozilla-trunk/netwerk/base/src/nsInputStreamPump.cpp:576)
nsInputStreamPump::OnInputStreamReady(nsIAsyncInputStream*) (/Users/roc/mozilla-trunk/netwerk/base/src/nsInputStreamPump.cpp:401)
nsCRT::strncasecmp(char const*, char const*, unsigned int)+0x00001FCC  (/Users/roc/mozilla-trunk/xpcom/io/nsStreamUtils.cpp:111)
nsThread::ProcessNextEvent(int, int*) (/Users/roc/mozilla-trunk/xpcom/threads/nsThread.cpp:510)
NS_ProcessPendingEvents_P(nsIThread*, unsigned int) (/Users/roc/objdirs/mozilla-trunk/ff-debug/xpcom/build/nsThreadUtils.cpp:180)
nsBaseAppShell::NativeEventCallback() (/Users/roc/mozilla-trunk/widget/src/xpwidgets/nsBaseAppShell.cpp:112)
nsAppShell::ProcessGeckoEvents(void*) (/Users/roc/mozilla-trunk/widget/src/cocoa/nsAppShell.mm:305)
CFRunLoopRunSpecific (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation)
CFRunLoopRunInMode (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation)
RunCurrentEventLoopInMode (/System/Library/Frameworks/Carbon.framework/Versions/A/Frameworks/HIToolbox.framework/Versions/A/HIToolbox)
ReceiveNextEventCommon (/System/Library/Frameworks/Carbon.framework/Versions/A/Frameworks/HIToolbox.framework/Versions/A/HIToolbox)
BlockUntilNextEventMatchingListInMode (/System/Library/Frameworks/Carbon.framework/Versions/A/Frameworks/HIToolbox.framework/Versions/A/HIToolbox)
_DPSNextEvent (Text.subproj/TextGlobals.m:)
-[NSApplication nextEventMatchingMask:untilDate:inMode:dequeue:] (Text.subproj/TextGlobals.m:)
-[NSApplication run] (Text.subproj/TextGlobals.m:)
nsAppShell::Run() (/Users/roc/mozilla-trunk/widget/src/cocoa/nsAppShell.mm:587)
nsAppStartup::Run() (/Users/roc/mozilla-trunk/toolkit/components/startup/src/nsAppStartup.cpp:181)
XRE_main (/Users/roc/mozilla-trunk/toolkit/xre/nsAppRunner.cpp:3149)
main (/Users/roc/mozilla-trunk/browser/app/nsBrowserApp.cpp:158)
_start (/Users/roc/mozilla-trunk/browser/app/nsBrowserApp.cpp:61)
start (/Users/roc/mozilla-trunk/browser/app/nsBrowserApp.cpp:61)
That string is allocated there and never shows up in the refcount log again.
Ok, I added MOZ_COUNT_CTOR/DTOR to nsHttpConnectionInfo and we're actually leaking one of those.
Attached patch fix
This fixes a leak. I don't know if it's the leak that originally was described by this bug, but it's the leak Martijn was seeing on SSL sites. Now we've turned on pipelining for https, we're hitting a simple fail-to-release bug in nsHttpConnectionMgr::AddTransactionToPipeline.
Assignee: nobody → roc
Status: NEW → ASSIGNED
Attachment #304712 - Flags: superreview?(bzbarsky)
Attachment #304712 - Flags: review?(bzbarsky)
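The fail-to-release bug class named in the comment above, as an added example that is not Mozilla's code or the attached patch: it assumes a getter that hands out an already AddRef'd pointer which the caller never releases, and uses a constructor/destructor counter in the spirit of MOZ_COUNT_CTOR/DTOR to expose the leaked object. ConnInfo, Pipeline, AddToPipelineLeaky, AddToPipelineFixed and LeakedAfter are hypothetical stand-ins.

```cpp
#include <cstdio>
// Live-object counter in the spirit of MOZ_COUNT_CTOR/MOZ_COUNT_DTOR (simplified model).
static int gLiveConnInfo = 0;
// Hypothetical stand-in for a manually refcounted object such as nsHttpConnectionInfo.
class ConnInfo {
public:
    ConnInfo() : mRefCnt(0) { ++gLiveConnInfo; }
    void AddRef() { ++mRefCnt; }
    void Release() { if (--mRefCnt == 0) delete this; }
private:
    ~ConnInfo() { --gLiveConnInfo; }  // any strings the object owns are freed only here
    int mRefCnt;
};

// Hypothetical owner whose getter returns an already AddRef'd pointer (assumed shape).
class Pipeline {
public:
    Pipeline() : mInfo(new ConnInfo()) { mInfo->AddRef(); }
    ~Pipeline() { mInfo->Release(); }
    void GetConnectionInfo(ConnInfo** out) { mInfo->AddRef(); *out = mInfo; }
private:
    ConnInfo* mInfo;
};

// "Before": the reference handed out by the getter is never released.
void AddToPipelineLeaky(Pipeline& p) {
    ConnInfo* ci = nullptr;
    p.GetConnectionInfo(&ci);
    (void)ci;  // ci would be used here, then simply dropped
}

// "After": the getter's AddRef is balanced by a Release.
void AddToPipelineFixed(Pipeline& p) {
    ConnInfo* ci = nullptr;
    p.GetConnectionInfo(&ci);
    if (ci) ci->Release();
}

// Runs `calls` transactions through one pipeline, destroys it, returns ConnInfo objects still alive.
int LeakedAfter(bool fixed, int calls) {
    int before = gLiveConnInfo;
    Pipeline* p = new Pipeline();
    for (int i = 0; i < calls; ++i) { if (fixed) AddToPipelineFixed(*p); else AddToPipelineLeaky(*p); }
    delete p;
    return gLiveConnInfo - before;
}
int main() {
    std::printf("leaky: %d, fixed: %d\n", LeakedAfter(false, 3), LeakedAfter(true, 3));
}
```

In this model one unbalanced reference is enough to keep the object, and any string buffers it owns, alive past its owner's destruction, which is how a single missing release can surface as both an object leak and a string buffer leak in the shutdown statistics.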
Since Carsten's original STR included viewing a Bugzilla page (https), it's likely that this was in fact the leak he saw, and the "copy text" step was a red herring.
Comment on attachment 304712 (fix)

Makes sense.
Attachment #304712 - Flags: superreview?(bzbarsky)
Attachment #304712 - Flags: superreview+
Attachment #304712 - Flags: review?(bzbarsky)
Attachment #304712 - Flags: review+
Summary: Firefox leaks nsStringBuffer when copying text → nsHttpConnectionMgr::AddTransactionToPipeline leaks nsStringBuffer
Summary: nsHttpConnectionMgr::AddTransactionToPipeline leaks nsStringBuffer → nsHttpConnectionMgr::AddTransactionToPipeline leaks nsHttpConnectionInfo and nsStringBuffer
Whiteboard: [needs landing]
checked in.

I guess to test this, we'd need to have the memory-leak Tinderboxes make SSL connections with pipelining.
Status: ASSIGNED → RESOLVED
Closed: 16 years ago
Resolution: --- → FIXED
Verified fixed, it's not leaking anymore, thanks guys
Status: RESOLVED → VERIFIED
Whiteboard: [needs landing]