Closed Bug 462788 Opened 16 years ago Closed 16 years ago

Bug 462392 testcase causes rule trees to leak

Categories

(Core :: Layout, defect, P3)

Tracking

RESOLVED FIXED
mozilla1.9.2a1

People

(Reporter: jruderman, Assigned: dbaron)

Details

(Keywords: assertion, memory-leak, testcase)

The testcase in bug 462392 triggers this assertion:

###!!! ASSERTION: Some objects allocated with AllocateFrame were not freed: 'mFrameCount == 0', file /Users/jruderman/central/layout/base/nsPresShell.cpp, line 676

Rule trees, rather than frames, are leaking here. See bug 462392 comment 7 through 9.

This isn't exploitable, but in the future it could prevent me from using the assertion to look for exploitable bugs. I say "in the future" because four other bugs (tracked in bug 334514's dependency list) already prevent me from using the assertion in this way.
Keywords: mlk
It's not actually a leak. What happens is that nsPresContext::FreeToShell is called after nsPresShell::Destroy. (FreeToShell should probably have an assertion about mShell being null.) But the pres shell arena isn't destroyed until ~nsPresContext. So we're running destructors but not calling the FrameArena::FreeFrame, and then almost immediately afterwards destroying the arena.
Can we just tear down the ruletree when we tear down the frame tree?
I think the objects in question were actually part of mOldRuleTree. We could free mOldRuleTree where we free mRuleTree; I think that would fix this.
Fixed by checkin of bug 475128.
Assignee: nobody → dbaron
Status: NEW → RESOLVED
Closed: 16 years ago
OS: Mac OS X → All
Priority: -- → P3
Hardware: x86 → All
Resolution: --- → FIXED
Target Milestone: --- → mozilla1.9.2a1
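
The teardown ordering described in this bug, as a simplified model added here for illustration; it is not Gecko code. Apart from the FreeToShell name and the mFrameCount/mShell roles taken from the thread, every type, field and function below is a hypothetical stand-in. It shows why the counter check fires even though the arena still reclaims the memory.

```cpp
#include <cstddef>
#include <cstdio>
#include <memory>
#include <vector>

// Simplified model, not Gecko code. liveCount stands in for mFrameCount.
struct Arena {
    std::vector<std::unique_ptr<char[]>> blocks;  // reclaimed all at once with the arena
    std::size_t liveCount = 0;
    void* Allocate(std::size_t n) {
        blocks.emplace_back(new char[n]);
        ++liveCount;
        return blocks.back().get();
    }
    void Free(void*) { --liveCount; }  // bookkeeping only; memory goes away with the arena
};

struct Context {
    Arena arena;             // outlives the shell, as the arena does in the thread
    bool shellAlive = true;  // models mShell being non-null
    void* Allocate(std::size_t n) { return arena.Allocate(n); }
    // Once the shell is gone this is a silent no-op: no Free, no count update.
    void FreeToShell(void* p) { if (shellAlive) arena.Free(p); }
    void DestroyShell() { shellAlive = false; }
};

// Returns the count an 'mFrameCount == 0'-style check sees at arena teardown.
std::size_t outstandingAtTeardown(bool freeBeforeShellDestroy) {
    Context ctx;
    void* ruleNodes[3];
    for (void*& n : ruleNodes) n = ctx.Allocate(32);
    if (freeBeforeShellDestroy) {
        for (void* n : ruleNodes) ctx.FreeToShell(n);
        ctx.DestroyShell();
    } else {
        ctx.DestroyShell();
        for (void* n : ruleNodes) ctx.FreeToShell(n);  // "destructors" run, count untouched
    }
    return ctx.arena.liveCount;
}

int main() {
    std::printf("freed before shell destroy: %zu outstanding\n", outstandingAtTeardown(true));
    std::printf("freed after shell destroy:  %zu outstanding\n", outstandingAtTeardown(false));
    return 0;
}
```

In the second ordering the counter reports three outstanding objects while the arena's blocks are still released with it, which is the false positive that keeps the assertion from being useful as a leak detector.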