The default bug view has changed. See this FAQ.

Right-click menu at editable area cause zombie compartment

RESOLVED FIXED in Firefox 11

Status

()

Toolkit
General
RESOLVED FIXED
5 years ago
5 years ago

People

(Reporter: dindog, Assigned: khuey)

Tracking

Trunk
mozilla12
x86_64
All
Points:
---

Firefox Tracking Flags

(firefox11 verified)

Details

(Whiteboard: [MemShrink][qa+][qa!:11])

Attachments

(1 attachment)

(Reporter)

Description

5 years ago
STR:
1. open google.com
2. right click at the input area, the context menu show
3. close the google.com tab.
4. observe about:memory, the google.com compartment never gone, until...
5. replace by another zombie compartment trigger by the above procedure.

As a fast test, the follow tag context menu will make a zombie:
<textarea>
<div contenteditable= "true" >
<body dessignMode = "on" >
<input>

From Fx9.0-Nightly all affected
(Reporter)

Updated

5 years ago
Whiteboard: [MemShrink]
(Reporter)

Comment 1

5 years ago
│  ├───3,122,058 B (07.22%) -- compartment(http://www.google.com/)
│  │   ├──1,601,536 B (03.70%) -- gc-heap
│  │   │  ├────559,600 B (01.29%) -- objects
│  │   │  ├────329,568 B (00.76%) -- arena-unused
│  │   │  ├────305,160 B (00.71%) -- shapes
│  │   │  ├────293,160 B (00.68%) -- scripts
│  │   │  ├─────93,440 B (00.22%) -- type-objects
│  │   │  ├──────9,904 B (00.02%) -- strings
│  │   │  ├──────6,256 B (00.01%) -- arena-headers
│  │   │  └──────4,448 B (00.01%) -- arena-padding
│  │   ├────564,312 B (01.31%) -- script-data
│  │   ├────524,288 B (01.21%) -- mjit-code
│  │   │    ├──431,460 B (01.00%) -- method
│  │   │    ├───89,680 B (00.21%) -- regexp
│  │   │    └────3,148 B (00.01%) -- unused
│  │   ├────167,968 B (00.39%) -- type-inference
│  │   │    ├──148,608 B (00.34%) -- object-main
│  │   │    └───19,360 B (00.04%) -- tables
│  │   ├────131,072 B (00.30%) -- property-tables
│  │   ├─────80,144 B (00.19%) -- object-slots
│  │   ├─────34,112 B (00.08%) -- shape-kids
│  │   ├─────10,000 B (00.02%) -- analysis-temporary
│  │   ├──────6,946 B (00.02%) -- string-chars
│  │   └──────1,680 B (00.00%) -- object-empty-shapes

it's easy to reproduce, paste the about:memory anyway
Confirmed, I was able to reproduce this by right-clicking on the text box at www.bing.com.  Nice catch, thanks for reporting!

I also tried to reproduce by right-clicking on (a) an image, (b) a link, and (c) a page background.  It didn't happen for those cases, so it appears to be specific to text boxes.
Blocks: 668871
Status: UNCONFIRMED → NEW
Ever confirmed: true

Updated

5 years ago
Component: General → Menus
QA Contact: general → menus
What version has this been reproduced with?

Comment 4

5 years ago
Reproduced:
Mozilla/5.0 (X11; Linux x86_64; rv:9.0.1) Gecko/20100101 Firefox/9.0.1
Mozilla/5.0 (X11; Linux x86_64; rv:10.0) Gecko/20100101 Firefox/10.0
Mozilla/5.0 (X11; Linux x86_64; rv:11.0a2) Gecko/20120111 Firefox/11.0a2
Mozilla/5.0 (X11; Linux x86_64; rv:12.0a1) Gecko/20120111 Firefox/12.0a1

Updated

5 years ago
OS: Windows 7 → All
Version: unspecified → Trunk
I see an actual shutdown leak when doing this with bing.
Ignore comment 5, that was caused by a patch on my queue :-/
Bug 708071 supposedly fixed a similar issue. If Firefox 9, 10, 11 and 12 are affected and this can be reproduced by just right-clicking in a textarea, it's strange that we could reproduce the other bug and test the patch back then.
This looks very similar to bug 708071.

I see a chain that looks like

07404DE0 [JS Object (XPCWrappedNative_NoHelper)]
    --[xpc_GetJSPrivate(obj)]-> 06C882B0 [XPCWrappedNative]
    --[mIdentity]-> 0AAC7AE0 [nsEditor]
    --[mRules]-> 06C96C08 [nsTextEditRules]
    --[mBogusNode]-> 06C96A88 [nsGenericElement (xhtml) br]
    --[mNodeInfo]-> 06B088C8 [nsNodeInfo (xhtml) br]
    --[mOwnerManager]-> 11B5DE60 [nsNodeInfoManager]
    --[mDocument]-> 06819FE8 [nsDocument normal (xhtml) http://www.bing.com/]

    Root 07404DE0 is a marked GC object.

Where 07404DE0 is an InlineSpellCheckerUI's mEditor, and the InlineSpellCheckerUI is attached to a ChromeWindow.
Created attachment 588012 [details] [diff] [review]
Patch

This fixes the zombie compartment.
Assignee: nobody → khuey
Status: NEW → ASSIGNED
Attachment #588012 - Flags: review?(dao)
Comment on attachment 588012 [details] [diff] [review]
Patch

I'm still confused for said reasons, but this looks correct.
Attachment #588012 - Flags: review?(dao) → review+

Updated

5 years ago
Component: Menus → General
Product: Firefox → Toolkit
QA Contact: menus → general
I don't pretend to understand it either.

http://hg.mozilla.org/mozilla-central/rev/cab1a867f0bd
Status: ASSIGNED → RESOLVED
Last Resolved: 5 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla12
Comment on attachment 588012 [details] [diff] [review]
Patch

[Approval Request Comment]

This seems like a nice easy win we could take on Aurora.

Regression caused by (bug #): Not a regression
User impact if declined: Possible memory leaks of unlimited duration but limited size.
Testing completed (on m-c, etc.): It's on m-c, the patch is trivial.
Risk to taking this patch (and alternatives if risky): Close to none.
Attachment #588012 - Flags: approval-mozilla-aurora?
(Reporter)

Comment 13

5 years ago
Does the patch change omni.ja\modules\InlineSpellChecker.jsm

adding "this.mEditor = null;" in uninit()?

I try, but don't fix the issue. 

BTW, does it make any sense Fx8.0 release is clean, while 8.0nightly is affected?
(Reporter)

Comment 14

5 years ago
For nightly, 20110727 and after have this issue. 20110727 was fine, and by that time, it is 8.0 nightly, and Fx 8.0 release seem clean, ...strange.
(Reporter)

Comment 15

5 years ago
correction, 20110727 was first problem nightly and *2110726* nightly was fine

Comment 16

5 years ago
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:12.0a1) Gecko/20120112 Firefox/12.0a1

This bug only affects one-line editable area (I don't know how it's called). You can test it with a simple multi-line textarea: https://bug708071.bugzilla.mozilla.org/attachment.cgi?id=579429

Therefore when I was reporting bug 708071 I did not encounter this bug.
Comment on attachment 588012 [details] [diff] [review]
Patch

[Triage Comment]
Low risk fix with memory savings in the megabytes. Approved for Aurora 11.
Attachment #588012 - Flags: approval-mozilla-aurora? → approval-mozilla-aurora+
Three hours and thirty-five minutes from bug report to a patch landing on mozilla-central, woo!  Nice work, everyone.  mozilla-inbound is clearly for chumps :P
(Reporter)

Comment 19

5 years ago
Yes, great, download an inbound build, and the issue fixed.

Bug 669845 is more or less similar to this bug, it would be nice to have it fixed too.
> Bug 669845 is more or less similar to this bug, it would be nice to have it
> fixed too.

Yes.  Searching for text is undoubtedly a much more common operation than right-clicking on single-line textboxes :(
https://hg.mozilla.org/releases/mozilla-aurora/rev/e2808c505398
status-firefox11: --- → fixed
Whiteboard: [MemShrink] → [MemShrink][qa+]

Comment 22

5 years ago
Verified as fixed using the steps in comment 0 on:
Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv:11.0) Gecko/20100101 Firefox/11.0
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:11.0) Gecko/20100101 Firefox/11.0
Mozilla/5.0 (X11; Linux x86_64; rv:11.0) Gecko/20100101 Firefox/11.0
status-firefox11: fixed → verified
Whiteboard: [MemShrink][qa+] → [MemShrink][qa+][qa!:11]
You need to log in before you can comment on or make changes to this bug.