Closed Bug 613174 Opened 9 years ago Closed 9 years ago

###!!! ASSERTION: Changing refcount of nsDocument object during Traverse is not permitted!: 'Error', file content/base/src/nsDocument.cpp, line 1709

Categories

(Core :: Disability Access APIs, defect)

x86
All
defect
Not set

Tracking

()

RESOLVED FIXED

People

(Reporter: neil, Assigned: neil)

References

Details

(Keywords: assertion)

Attachments

(1 file)

(From update of attachment 450372 [details] [diff] [review])
> NS_INTERFACE_MAP_BEGIN_CYCLE_COLLECTION_INHERITED(nsDocAccessible)
>   NS_INTERFACE_MAP_STATIC_AMBIGUOUS(nsDocAccessible)
>   NS_INTERFACE_MAP_ENTRY(nsIAccessibleDocument)
>   NS_INTERFACE_MAP_ENTRY(nsIDocumentObserver)
>   NS_INTERFACE_MAP_ENTRY(nsIMutationObserver)
>   NS_INTERFACE_MAP_ENTRY(nsISupportsWeakReference)
>   NS_INTERFACE_MAP_ENTRY(nsIObserver)
>   NS_INTERFACE_MAP_ENTRY_AMBIGUOUS(nsISupports, nsIAccessibleDocument)
>-NS_INTERFACE_MAP_END_INHERITING(nsHyperTextAccessible)
>+    foundInterface = 0;
>+
>+  nsresult status;
>+  if (!foundInterface) {
>+    // HTML document accessible must inherit from nsHyperTextAccessible to get
>+    // support text interfaces. XUL document accessible doesn't need this.
>+    // However at some point we may push <body> to implement the interfaces and
>+    // return nsDocAccessible to inherit from nsAccessibleWrap.
>+
>+    nsCOMPtr<nsIDOMXULDocument> xulDoc(do_QueryInterface(mDocument));
Unfortunately cycle collection can call QueryInterface and you're not allowed
to change reference counts of cycle collected objects during cycle collection.
Attached patch Proposed patchSplinter Review
Assignee: nobody → neil
Status: NEW → ASSIGNED
Attachment #491497 - Flags: review?(surkov.alexander)
Attachment #491497 - Flags: review?(surkov.alexander) → review+
(In reply to comment #0)

> >+    nsCOMPtr<nsIDOMXULDocument> xulDoc(do_QueryInterface(mDocument));
> Unfortunately cycle collection can call QueryInterface and you're not allowed
> to change reference counts of cycle collected objects during cycle collection.

Does it mean queryinterface can be called during cycle collection and to be on safe side we shouldn't do query interface for any object inside queryInterface of this object?
(In reply to comment #2)
> Does it mean queryinterface can be called during cycle collection
Yes. See canonicalize in nsCycleCollector.cpp (note that this is one of the special IIDs which doesn't addref/release like QueryInterface normally does.)

> we shouldn't do query interface for any object inside queryInterface
> of this object?
Well, definitely not for cycle collected objects but I guess it's possible that other objects might inadvertently addref/release cycle collected objects.
sounds fair, thank you for the catch and the patch.
Comment on attachment 491497 [details] [diff] [review]
Proposed patch

David, we need an approval for this.
Attachment #491497 - Flags: approval2.0?
Comment on attachment 491497 [details] [diff] [review]
Proposed patch

Nice. (approved)
Attachment #491497 - Flags: approval2.0? → approval2.0+
Pushed changeset ac10b874d3fa to mozilla-central.
Status: ASSIGNED → RESOLVED
Closed: 9 years ago
Resolution: --- → FIXED
You need to log in before you can comment on or make changes to this bug.