Created attachment 542444: Patch v1
Attachment #542444 - Flags: review?(jst)
This is wrong. Mapped attributes are shared across elements, so adding them to the size of mAttrsAndChildren is wrong. You want to add them to the size of the document itself, by going through the HTML stylesheet.
Created attachment 542636: Patch v2
This patch tries to take into account Boris's comment.
Comment on attachment 542636: Patch v2
So this sets the size to:
    sizeof(nsMappedAttributes) + mAttrCount * (sizeof(void*) + sizeof(InternalAttr))
This looks wrong. The correct size of an nsMappedAttributes, from |nsMappedAttributes::operator new| is:
    sizeof(nsMappedAttributes) - sizeof(void*) + mBufferSize*sizeof(InternalAttr)
In particular, nsMappedAttributes allocates all its storage for InternalAttr structs inline.
Now your first problem is that mBufferSize is debug-only.... I wonder whether using mAttrCount in practice is ok because we never have long-lived nsMappedAttributes for mAttrCount != mBufferSize.
Attachment #542636 - Flags: review?(bzbarsky) → review-
Created attachment 543969: Patch v3
Comment on attachment 543969: Patch v3
Can you add an assert that mAttrCount == mBufferSize in SizeOf? If that ever fails to be true, we want to know. r=me with that.
Attachment #543969 - Flags: review?(bzbarsky) → review+
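The two size formulas from the Patch v2 review and the assert requested on Patch v3, worked through on a small model (an added example, not code from any of the patches or from Mozilla). MappedAttrsModel, its Create/Destroy helpers, the field layout of InternalAttr and the one-pointer placeholder member are assumptions made for illustration.

```cpp
#include <cassert>
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <cstdlib>
#include <new>

// Hypothetical stand-in; the two-pointer layout is an assumption.
struct InternalAttr { void* mName; void* mValue; };

class MappedAttrsModel {
public:
  // Header and aBufferSize InternalAttr slots come from one allocation.
  static MappedAttrsModel* Create(uint32_t aBufferSize, size_t* aAllocated) {
    size_t bytes = InlineSize(aBufferSize);
    void* mem = std::malloc(bytes);
    if (!mem) return nullptr;
    *aAllocated = bytes;
    return new (mem) MappedAttrsModel(aBufferSize);
  }
  static void Destroy(MappedAttrsModel* aAttrs) { aAttrs->~MappedAttrsModel(); std::free(aAttrs); }
  // Formula given in the review: the pointer-sized placeholder counted in
  // sizeof() is replaced by the inline InternalAttr buffer.
  static size_t InlineSize(uint32_t aBufferSize) {
    return sizeof(MappedAttrsModel) - sizeof(void*) + aBufferSize * sizeof(InternalAttr);
  }
  // Formula the review attributes to Patch v2, kept for comparison.
  static size_t PatchV2Size(uint32_t aAttrCount) {
    return sizeof(MappedAttrsModel) + aAttrCount * (sizeof(void*) + sizeof(InternalAttr));
  }
  // Reports by mAttrCount, which is only right while the buffer is exactly full.
  size_t SizeOf() const {
    assert(mAttrCount == mBufferSize);
    return InlineSize(mAttrCount);
  }
  InternalAttr* Attrs() { return reinterpret_cast<InternalAttr*>(mAttrs); }
private:
  explicit MappedAttrsModel(uint32_t aBufferSize) : mAttrCount(aBufferSize), mBufferSize(aBufferSize) {}
  uint32_t mAttrCount;
  uint32_t mBufferSize;  // debug-only in the real class per the review; always present in this model
  void* mAttrs[1];       // assumed placeholder marking the start of the inline buffer
};

int main() {
  size_t allocated = 0;
  MappedAttrsModel* attrs = MappedAttrsModel::Create(4, &allocated);
  if (!attrs) return 1;
  std::printf("allocated=%zu SizeOf=%zu v2=%zu\n", allocated, attrs->SizeOf(), MappedAttrsModel::PatchV2Size(4));
  MappedAttrsModel::Destroy(attrs);
  return 0;
}
```

In this model the v2 formula over-reports by (mAttrCount + 1) * sizeof(void*) per object.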
Whiteboard: [needs review] → [inbound]
This has been backed out by ehsan due to bustage with all the other changesets in the same push.
Status: ASSIGNED → RESOLVED
Last Resolved: 8 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla8