Closed Bug 717549 Opened 13 years ago Closed 13 years ago

Right-click menu at editable area cause zombie compartment

Categories

(Toolkit :: General, defect)

x86_64
All
defect
Not set
normal

Tracking

()

RESOLVED FIXED
mozilla12
Tracking Status
firefox11 --- verified

People

(Reporter: dindog, Assigned: khuey)

Details

(Whiteboard: [MemShrink][qa+][qa!:11])

Attachments

(1 file)

STR:
1. Open google.com.
2. Right-click in the input area; the context menu shows.
3. Close the google.com tab.
4. Observe about:memory: the google.com compartment is never gone, until...
5. it is replaced by another zombie compartment triggered by the above procedure.

As a fast test, the context menu of the following tags will make a zombie:
<textarea>
<div contenteditable="true">
<body designMode="on">
<input>

From Fx9.0-Nightly all affected
Whiteboard: [MemShrink]
│  ├───3,122,058 B (07.22%) -- compartment(http://www.google.com/)
│  │   ├──1,601,536 B (03.70%) -- gc-heap
│  │   │  ├────559,600 B (01.29%) -- objects
│  │   │  ├────329,568 B (00.76%) -- arena-unused
│  │   │  ├────305,160 B (00.71%) -- shapes
│  │   │  ├────293,160 B (00.68%) -- scripts
│  │   │  ├─────93,440 B (00.22%) -- type-objects
│  │   │  ├──────9,904 B (00.02%) -- strings
│  │   │  ├──────6,256 B (00.01%) -- arena-headers
│  │   │  └──────4,448 B (00.01%) -- arena-padding
│  │   ├────564,312 B (01.31%) -- script-data
│  │   ├────524,288 B (01.21%) -- mjit-code
│  │   │    ├──431,460 B (01.00%) -- method
│  │   │    ├───89,680 B (00.21%) -- regexp
│  │   │    └────3,148 B (00.01%) -- unused
│  │   ├────167,968 B (00.39%) -- type-inference
│  │   │    ├──148,608 B (00.34%) -- object-main
│  │   │    └───19,360 B (00.04%) -- tables
│  │   ├────131,072 B (00.30%) -- property-tables
│  │   ├─────80,144 B (00.19%) -- object-slots
│  │   ├─────34,112 B (00.08%) -- shape-kids
│  │   ├─────10,000 B (00.02%) -- analysis-temporary
│  │   ├──────6,946 B (00.02%) -- string-chars
│  │   └──────1,680 B (00.00%) -- object-empty-shapes

it's easy to reproduce, paste the about:memory anyway
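
Step 4 of the STR can be checked mechanically. The sketch below is an added example, not part of the bug report or of Firefox: it parses about:memory tree text in the format pasted above and lists web-content compartments whose origin matches no open tab. The function names, the sample report (apart from the google.com line) and the list of open tabs are assumptions.

```python
import re
from urllib.parse import urlsplit

# One about:memory tree line: box-drawing indent, byte count, percentage, label.
LINE_RE = re.compile(r"^[\s│├└─]*(?P<bytes>[\d,]+) B \([\d.]+%\) -- (?P<label>.+)$")
COMPARTMENT_RE = re.compile(r"^compartment\((?P<name>.*)\)$")

# Constructed sample: the google.com line is the one quoted above, the rest is made up.
SAMPLE_REPORT = """\
├──9,437,184 B (21.80%) -- js
│  ├───3,122,058 B (07.22%) -- compartment(http://www.google.com/)
│  │   ├──1,601,536 B (03.70%) -- gc-heap
│  │   └────564,312 B (01.31%) -- script-data
│  ├───2,048,000 B (04.73%) -- compartment(https://example.org/page)
│  │   └──1,024,000 B (02.37%) -- gc-heap
│  └───1,500,000 B (03.47%) -- compartment([System Principal])
"""

def origin(url):
    """scheme://host[:port] of a URL, lower-cased for comparison."""
    parts = urlsplit(url)
    return f"{parts.scheme}://{parts.netloc}".lower()

def parse_compartments(report):
    """Return {compartment name: bytes}, summing compartments that share a name."""
    sizes = {}
    for line in report.splitlines():
        m = LINE_RE.match(line)
        c = COMPARTMENT_RE.match(m.group("label").strip()) if m else None
        if c:
            size = int(m.group("bytes").replace(",", ""))
            sizes[c.group("name")] = sizes.get(c.group("name"), 0) + size
    return sizes

def zombie_candidates(report, open_tab_urls):
    """Web-content compartments whose origin matches no open tab."""
    open_origins = {origin(u) for u in open_tab_urls}
    return {name: size for name, size in parse_compartments(report).items()
            if name.startswith(("http://", "https://"))
            and origin(name) not in open_origins}

if __name__ == "__main__":
    # Assumed state after step 3 of the STR: only example.org is still open.
    for name, size in zombie_candidates(SAMPLE_REPORT, ["https://example.org/"]).items():
        print(f"zombie candidate: {name} ({size:,} B)")
```

Origins loaded only in iframes of open tabs are flagged too, so the result is a list of candidates to confirm by hand.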
Confirmed, I was able to reproduce this by right-clicking on the text box at www.bing.com.  Nice catch, thanks for reporting!

I also tried to reproduce by right-clicking on (a) an image, (b) a link, and (c) a page background.  It didn't happen for those cases, so it appears to be specific to text boxes.
Status: UNCONFIRMED → NEW
Ever confirmed: true
Component: General → Menus
QA Contact: general → menus
What version has this been reproduced with?
Reproduced:
Mozilla/5.0 (X11; Linux x86_64; rv:9.0.1) Gecko/20100101 Firefox/9.0.1
Mozilla/5.0 (X11; Linux x86_64; rv:10.0) Gecko/20100101 Firefox/10.0
Mozilla/5.0 (X11; Linux x86_64; rv:11.0a2) Gecko/20120111 Firefox/11.0a2
Mozilla/5.0 (X11; Linux x86_64; rv:12.0a1) Gecko/20120111 Firefox/12.0a1
OS: Windows 7 → All
Version: unspecified → Trunk
I see an actual shutdown leak when doing this with bing.
Ignore comment 5, that was caused by a patch on my queue :-/
Bug 708071 supposedly fixed a similar issue. If Firefox 9, 10, 11 and 12 are affected and this can be reproduced by just right-clicking in a textarea, it's strange that we could reproduce the other bug and test the patch back then.
This looks very similar to bug 708071.

I see a chain that looks like

07404DE0 [JS Object (XPCWrappedNative_NoHelper)]
    --[xpc_GetJSPrivate(obj)]-> 06C882B0 [XPCWrappedNative]
    --[mIdentity]-> 0AAC7AE0 [nsEditor]
    --[mRules]-> 06C96C08 [nsTextEditRules]
    --[mBogusNode]-> 06C96A88 [nsGenericElement (xhtml) br]
    --[mNodeInfo]-> 06B088C8 [nsNodeInfo (xhtml) br]
    --[mOwnerManager]-> 11B5DE60 [nsNodeInfoManager]
    --[mDocument]-> 06819FE8 [nsDocument normal (xhtml) http://www.bing.com/]

    Root 07404DE0 is a marked GC object.

Where 07404DE0 is an InlineSpellCheckerUI's mEditor, and the InlineSpellCheckerUI is attached to a ChromeWindow.
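
The chain above is a retaining path: a walk from a marked GC root to the document that should have been freed. As an added example (not code from the bug or from Mozilla's tooling), the sketch below finds such a path by breadth-first search over a small heap graph. The first seven edges are copied from the chain; the other two edges and all function names are constructed for illustration.

```python
from collections import deque

# (source, edge, target). The first seven edges copy the chain quoted above;
# the last two are constructed so the search has a cycle and a dead end to skip.
EDGES = [
    ("07404DE0", "xpc_GetJSPrivate(obj)", "06C882B0"),
    ("06C882B0", "mIdentity", "0AAC7AE0"),
    ("0AAC7AE0", "mRules", "06C96C08"),
    ("06C96C08", "mBogusNode", "06C96A88"),
    ("06C96A88", "mNodeInfo", "06B088C8"),
    ("06B088C8", "mOwnerManager", "11B5DE60"),
    ("11B5DE60", "mDocument", "06819FE8"),
    ("06819FE8", "mNodeInfoManager", "11B5DE60"),  # constructed back edge
    ("0AAC7AE0", "mExample", "0E0E0E0E"),          # constructed dead end
]
ROOTS = {"07404DE0"}   # "Root 07404DE0 is a marked GC object."
DOCUMENT = "06819FE8"  # nsDocument for http://www.bing.com/

def retaining_path(edges, roots, target):
    """Shortest path from any root to target as [(node, edge_into_node)], or None."""
    out = {}
    for src, name, dst in edges:
        out.setdefault(src, []).append((name, dst))
    parent = {r: None for r in roots}
    queue = deque(sorted(roots))
    while queue:
        node = queue.popleft()
        if node == target:
            path = []
            while node is not None:
                step = parent[node]
                path.append((node, step[1] if step else None))
                node = step[0] if step else None
            return path[::-1]
        for name, dst in out.get(node, []):
            if dst not in parent:  # first visit wins, so cycles terminate
                parent[dst] = (node, name)
                queue.append(dst)
    return None

def format_path(path):
    """Render a path in the same shape as the chain in the comment."""
    return "\n".join(node if edge is None else f"    --[{edge}]-> {node}"
                     for node, edge in path)

if __name__ == "__main__":
    print(format_path(retaining_path(EDGES, ROOTS, DOCUMENT)))
    # With the root no longer held, nothing keeps the document reachable.
    print(retaining_path(EDGES, set(), DOCUMENT))
```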
Attached patch: Patch
This fixes the zombie compartment.
Assignee: nobody → khuey
Status: NEW → ASSIGNED
Attachment #588012 - Flags: review?(dao)
Comment on attachment 588012 (Patch)

I'm still confused for said reasons, but this looks correct.
Attachment #588012 - Flags: review?(dao) → review+
Component: Menus → General
Product: Firefox → Toolkit
QA Contact: menus → general
I don't pretend to understand it either.

http://hg.mozilla.org/mozilla-central/rev/cab1a867f0bd
Status: ASSIGNED → RESOLVED
Closed: 13 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla12
Comment on attachment 588012 (Patch)

[Approval Request Comment]

This seems like a nice easy win we could take on Aurora.

Regression caused by (bug #): Not a regression
User impact if declined: Possible memory leaks of unlimited duration but limited size.
Testing completed (on m-c, etc.): It's on m-c, the patch is trivial.
Risk to taking this patch (and alternatives if risky): Close to none.
Attachment #588012 - Flags: approval-mozilla-aurora?
Does the patch change omni.ja\modules\InlineSpellChecker.jsm

adding "this.mEditor = null;" in uninit()?

I tried, but it doesn't fix the issue.

BTW, does it make any sense that the Fx8.0 release is clean, while 8.0 nightly is affected?
For nightly, 20110727 and after have this issue. 20110727 was fine, and by that time it was 8.0 nightly, and the Fx 8.0 release seems clean... strange.
Correction: 20110727 was the first problem nightly and the *2110726* nightly was fine.
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:12.0a1) Gecko/20120112 Firefox/12.0a1

This bug only affects one-line editable areas (I don't know what it's called). You can test it with a simple multi-line textarea: https://bug708071.bugzilla.mozilla.org/attachment.cgi?id=579429

Therefore when I was reporting bug 708071 I did not encounter this bug.
Comment on attachment 588012 (Patch)

[Triage Comment]
Low risk fix with memory savings in the megabytes. Approved for Aurora 11.
Attachment #588012 - Flags: approval-mozilla-aurora? → approval-mozilla-aurora+
Three hours and thirty-five minutes from bug report to a patch landing on mozilla-central, woo!  Nice work, everyone.  mozilla-inbound is clearly for chumps :P
Yes, great, I downloaded an inbound build, and the issue is fixed.

Bug 669845 is more or less similar to this bug, it would be nice to have it fixed too.
> Bug 669845 is more or less similar to this bug, it would be nice to have it
> fixed too.

Yes.  Searching for text is undoubtedly a much more common operation than right-clicking on single-line textboxes :(
Whiteboard: [MemShrink] → [MemShrink][qa+]
Verified as fixed using the steps in comment 0 on:
Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv:11.0) Gecko/20100101 Firefox/11.0
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:11.0) Gecko/20100101 Firefox/11.0
Mozilla/5.0 (X11; Linux x86_64; rv:11.0) Gecko/20100101 Firefox/11.0
Whiteboard: [MemShrink][qa+] → [MemShrink][qa+][qa!:11]