Bug 717549 - Right-click menu at editable area cause zombie compartment
Status: RESOLVED FIXED
Whiteboard: [MemShrink][qa+][qa!:11]
Product: Toolkit
Classification: Components
Component: General
Version: Trunk
Platform: x86_64 All
Importance: -- normal
Target Milestone: mozilla12
Assigned To: Kyle Huey [:khuey] (khuey@mozilla.com) (Away until 6/13)
Blocks: ZombieCompartments
Reported: 2012-01-12 03:03 PST by dindog
Modified: 2012-02-24 09:12 PST
verified


Attachments
Patch (654 bytes, patch)
2012-01-12 06:21 PST, Kyle Huey [:khuey] (khuey@mozilla.com) (Away until 6/13)
dao+bmo: review+
akeybl: approval‑mozilla‑aurora+

Description dindog 2012-01-12 03:03:46 PST
STR:
1. Open google.com.
2. Right-click on the input area; the context menu shows.
3. Close the google.com tab.
4. Observe about:memory: the google.com compartment is never gone, until...
5. it is replaced by another zombie compartment triggered by the above procedure.

As a fast test, the context menu on the following tags will make a zombie:
<textarea>
<div contenteditable="true">
<body designMode="on">
<input>

From Fx9.0-Nightly, all are affected.
Comment 1 dindog 2012-01-12 03:10:27 PST
│  ├───3,122,058 B (07.22%) -- compartment(http://www.google.com/)
│  │   ├──1,601,536 B (03.70%) -- gc-heap
│  │   │  ├────559,600 B (01.29%) -- objects
│  │   │  ├────329,568 B (00.76%) -- arena-unused
│  │   │  ├────305,160 B (00.71%) -- shapes
│  │   │  ├────293,160 B (00.68%) -- scripts
│  │   │  ├─────93,440 B (00.22%) -- type-objects
│  │   │  ├──────9,904 B (00.02%) -- strings
│  │   │  ├──────6,256 B (00.01%) -- arena-headers
│  │   │  └──────4,448 B (00.01%) -- arena-padding
│  │   ├────564,312 B (01.31%) -- script-data
│  │   ├────524,288 B (01.21%) -- mjit-code
│  │   │    ├──431,460 B (01.00%) -- method
│  │   │    ├───89,680 B (00.21%) -- regexp
│  │   │    └────3,148 B (00.01%) -- unused
│  │   ├────167,968 B (00.39%) -- type-inference
│  │   │    ├──148,608 B (00.34%) -- object-main
│  │   │    └───19,360 B (00.04%) -- tables
│  │   ├────131,072 B (00.30%) -- property-tables
│  │   ├─────80,144 B (00.19%) -- object-slots
│  │   ├─────34,112 B (00.08%) -- shape-kids
│  │   ├─────10,000 B (00.02%) -- analysis-temporary
│  │   ├──────6,946 B (00.02%) -- string-chars
│  │   └──────1,680 B (00.00%) -- object-empty-shapes

It's easy to reproduce; pasting the about:memory output anyway.
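
The check in step 4 of the STR, automated against about:memory text of the shape pasted in comment 1. This is an added example, not part of the bug thread or of Mozilla's code; the function names, the sample dump (apart from the google.com line) and the list of open URLs are assumptions made for illustration.

```python
import re
from urllib.parse import urlsplit

# One about:memory tree line: box-drawing prefix, bytes, percentage, node label.
LINE_RE = re.compile(r"^[\s│├└─]*([\d,]+) B \(\d+\.\d+%\) -- (.+?)\s*$")
COMPARTMENT_RE = re.compile(r"^compartment\((.+)\)$")

# Constructed sample: the google.com line is the one quoted in comment 1,
# the other lines are made up to exercise the parser.
SAMPLE_DUMP = """\
├──9,000,000 B (20.80%) -- compartment([System Principal])
├──3,122,058 B (07.22%) -- compartment(http://www.google.com/)
│  ├──1,601,536 B (03.70%) -- gc-heap
│  └────564,312 B (01.31%) -- script-data
└──1,000,000 B (02.31%) -- compartment(https://example.org/start)
"""


def parse_compartments(dump):
    """Map each compartment(...) label in the dump to its total bytes."""
    sizes = {}
    for line in dump.splitlines():
        node = LINE_RE.match(line)
        label = COMPARTMENT_RE.match(node.group(2)) if node else None
        if label:
            size = int(node.group(1).replace(",", ""))
            sizes[label.group(1)] = sizes.get(label.group(1), 0) + size
    return sizes


def origin(url):
    """Reduce a URL to scheme://host[:port], lower-cased."""
    parts = urlsplit(url)
    return f"{parts.scheme}://{parts.netloc}".lower()


def zombie_compartments(dump, open_urls):
    """Web compartments whose origin matches no URL still loaded in a tab.

    Assumption: open_urls lists every page and frame still open, and the
    dump was taken after garbage collection had a chance to run.
    """
    live = {origin(u) for u in open_urls}
    return {
        url: size
        for url, size in parse_compartments(dump).items()
        if urlsplit(url).scheme in ("http", "https") and origin(url) not in live
    }
```

Chrome-privileged compartments such as the system principal are skipped because they are expected to outlive any tab; only http and https compartments are candidates.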
Comment 2 Nicholas Nethercote [:njn] 2012-01-12 03:21:14 PST
Confirmed, I was able to reproduce this by right-clicking on the text box at www.bing.com.  Nice catch, thanks for reporting!

I also tried to reproduce by right-clicking on (a) an image, (b) a link, and (c) a page background.  It didn't happen for those cases, so it appears to be specific to text boxes.
Comment 3 Dão Gottwald [:dao] 2012-01-12 03:28:15 PST
What version has this been reproduced with?
Comment 4 Thomas Ahlblom 2012-01-12 03:29:20 PST
Reproduced:
Mozilla/5.0 (X11; Linux x86_64; rv:9.0.1) Gecko/20100101 Firefox/9.0.1
Mozilla/5.0 (X11; Linux x86_64; rv:10.0) Gecko/20100101 Firefox/10.0
Mozilla/5.0 (X11; Linux x86_64; rv:11.0a2) Gecko/20120111 Firefox/11.0a2
Mozilla/5.0 (X11; Linux x86_64; rv:12.0a1) Gecko/20120111 Firefox/12.0a1
Comment 5 Kyle Huey [:khuey] (khuey@mozilla.com) (Away until 6/13) 2012-01-12 03:34:41 PST
I see an actual shutdown leak when doing this with bing.
Comment 6 Kyle Huey [:khuey] (khuey@mozilla.com) (Away until 6/13) 2012-01-12 03:54:10 PST
Ignore comment 5, that was caused by a patch on my queue :-/
Comment 7 Dão Gottwald [:dao] 2012-01-12 05:59:51 PST
Bug 708071 supposedly fixed a similar issue. If Firefox 9, 10, 11 and 12 are affected and this can be reproduced by just right-clicking in a textarea, it's strange that we could reproduce the other bug and test the patch back then.
Comment 8 Kyle Huey [:khuey] (khuey@mozilla.com) (Away until 6/13) 2012-01-12 06:17:36 PST
This looks very similar to bug 708071.

I see a chain that looks like

07404DE0 [JS Object (XPCWrappedNative_NoHelper)]
    --[xpc_GetJSPrivate(obj)]-> 06C882B0 [XPCWrappedNative]
    --[mIdentity]-> 0AAC7AE0 [nsEditor]
    --[mRules]-> 06C96C08 [nsTextEditRules]
    --[mBogusNode]-> 06C96A88 [nsGenericElement (xhtml) br]
    --[mNodeInfo]-> 06B088C8 [nsNodeInfo (xhtml) br]
    --[mOwnerManager]-> 11B5DE60 [nsNodeInfoManager]
    --[mDocument]-> 06819FE8 [nsDocument normal (xhtml) http://www.bing.com/]

    Root 07404DE0 is a marked GC object.

Where 07404DE0 is an InlineSpellCheckerUI's mEditor, and the InlineSpellCheckerUI is attached to a ChromeWindow.
Comment 9 Kyle Huey [:khuey] (khuey@mozilla.com) (Away until 6/13) 2012-01-12 06:21:32 PST
Created attachment 588012 [details] [diff] [review]
Patch

This fixes the zombie compartment.
Comment 10 Dão Gottwald [:dao] 2012-01-12 06:24:29 PST
Comment on attachment 588012 [details] [diff] [review]
Patch

I'm still confused for said reasons, but this looks correct.
Comment 11 Kyle Huey [:khuey] (khuey@mozilla.com) (Away until 6/13) 2012-01-12 06:38:00 PST
I don't pretend to understand it either.

http://hg.mozilla.org/mozilla-central/rev/cab1a867f0bd
Comment 12 Kyle Huey [:khuey] (khuey@mozilla.com) (Away until 6/13) 2012-01-12 06:40:02 PST
Comment on attachment 588012 [details] [diff] [review]
Patch

[Approval Request Comment]

This seems like a nice easy win we could take on Aurora.

Regression caused by (bug #): Not a regression
User impact if declined: Possible memory leaks of unlimited duration but limited size.
Testing completed (on m-c, etc.): It's on m-c, the patch is trivial.
Risk to taking this patch (and alternatives if risky): Close to none.
Comment 13 dindog 2012-01-12 07:30:43 PST
Does the patch change omni.ja\modules\InlineSpellChecker.jsm

adding "this.mEditor = null;" in uninit()?

I tried, but it doesn't fix the issue.

BTW, does it make any sense that the Fx8.0 release is clean, while the 8.0 nightly is affected?
Comment 14 dindog 2012-01-12 07:48:08 PST
For nightly, 20110727 and after have this issue. 20110727 was fine, and at that time it was the 8.0 nightly, and the Fx 8.0 release seems clean... strange.
Comment 15 dindog 2012-01-12 07:49:20 PST
Correction: 20110727 was the first problem nightly and the *2110726* nightly was fine.
Comment 16 Fanolian 2012-01-12 12:32:56 PST
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:12.0a1) Gecko/20120112 Firefox/12.0a1

This bug only affects one-line editable areas (I don't know what they're called). You can test it with a simple multi-line textarea: https://bug708071.bugzilla.mozilla.org/attachment.cgi?id=579429

Therefore when I was reporting bug 708071 I did not encounter this bug.
Comment 17 Alex Keybl [:akeybl] 2012-01-12 14:52:01 PST
Comment on attachment 588012 [details] [diff] [review]
Patch

[Triage Comment]
Low risk fix with memory savings in the megabytes. Approved for Aurora 11.
Comment 18 Nicholas Nethercote [:njn] 2012-01-12 15:08:02 PST
Three hours and thirty-five minutes from bug report to a patch landing on mozilla-central, woo!  Nice work, everyone.  mozilla-inbound is clearly for chumps :P
Comment 19 dindog 2012-01-12 19:54:42 PST
Yes, great, I downloaded an inbound build, and the issue is fixed.

Bug 669845 is more or less similar to this bug, it would be nice to have it fixed too.
Comment 20 Nicholas Nethercote [:njn] 2012-01-12 20:59:30 PST
> Bug 669845 is more or less similar to this bug, it would be nice to have it
> fixed too.

Yes.  Searching for text is undoubtedly a much more common operation than right-clicking on single-line textboxes :(
Comment 21 Kyle Huey [:khuey] (khuey@mozilla.com) (Away until 6/13) 2012-01-24 01:02:29 PST
https://hg.mozilla.org/releases/mozilla-aurora/rev/e2808c505398
Comment 22 Ioana (away) 2012-02-24 09:12:06 PST
Verified as fixed using the steps in comment 0 on:
Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv:11.0) Gecko/20100101 Firefox/11.0
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:11.0) Gecko/20100101 Firefox/11.0
Mozilla/5.0 (X11; Linux x86_64; rv:11.0) Gecko/20100101 Firefox/11.0
