Closed
Bug 729519
Opened 13 years ago
Closed 12 years ago
Allocate heap nsFrameLists from the pres shell arena
Categories
(Core :: Layout: Block and Inline, enhancement, P5)
Core
Layout: Block and Inline
Tracking
()
RESOLVED
FIXED
mozilla22
People
(Reporter: MatsPalmgren_bugz, Assigned: MatsPalmgren_bugz)
Details
(Keywords: sec-want)
Attachments
(5 files, 1 obsolete file)
1.84 KB,
patch
|
bzbarsky
:
review+
|
Details | Diff | Splinter Review |
6.18 KB,
patch
|
bzbarsky
:
review+
|
Details | Diff | Splinter Review |
4.50 KB,
patch
|
bzbarsky
:
review+
|
Details | Diff | Splinter Review |
8.33 KB,
patch
|
bzbarsky
:
review+
|
Details | Diff | Splinter Review |
40.11 KB,
patch
|
bzbarsky
:
review+
|
Details | Diff | Splinter Review |
I'm not sure if this is worth doing for the relatively few heap
nsFrameLists that we have.
pros:
1. pres arena LRU cache (is it really better than jemalloc though?)
2. avoids freeing memory for each one separately when destroying the shell
(many of these lists are transient and don't live that long though)
3. leak detection by default (when the pres shell is destroyed)
cons:
1. slightly more heavy handed to allocate/destroy since you have to
provide the pres shell
PresArena also gives us poisoning but since the two frame members of
nsFrameList are already poisoned I don't think it adds much value.
Also, the FramePropertyTable changes in the patch to support a destructor
is probably overkill, we could just free these properties manually in the
respective frame that owns them.
What do you think, is it worth doing this?
I don't know.
OK.
Assignee | ||
Comment 4•12 years ago
|
||
Don't use DestroyOverflowList() to destroy the overflow list in
nsContainerFrame::DestroyFrom -- use SafelyDestroyFrameListProp instead,
because it's more robust (bug 606642) and it makes the next patch possible.
Attachment #730922 -
Flags: review?(bzbarsky)
Assignee | ||
Comment 5•12 years ago
|
||
Attachment #730923 -
Flags: review?(bzbarsky)
Assignee | ||
Comment 6•12 years ago
|
||
Attachment #730925 -
Flags: review?(bzbarsky)
Assignee | ||
Comment 7•12 years ago
|
||
Specifically, this wasn't done for the OutsideBullet list which was
destroyed by the property destructor, potentially after the entire
frame tree was gone. Now we'll assert that the property destructor
isn't called.
Use SafelyDestroyFrameListProp when destroying PushedFloat and
OverflowOutOfFlows frame lists since it's more robust.
Destroy [Excess]OverflowContainers frame lists if they exist, regardless
of the IsFrameOfType(nsIFrame::eCanContainOverflowContainers) bit
(since the oveflow continuation tracker doesn't check that before
creating these lists -- this was the source of crash bugs before
that bit was added to ColumnSetFrame).
Assert in SetPropTableFrames that the property doesn't exist, because
if it does the property destructor will run.
Attachment #730927 -
Flags: review?(bzbarsky)
Assignee | ||
Comment 8•12 years ago
|
||
The main patch, which is fairly straight-forward now:
"new nsFrameList()" becomes "new (shell) nsFrameList()".
"delete list" becomes "if (list) list->Delete(shell)" - note also that
an additional assertion was added that list is empty when deleted.
"nsAutoPtr<nsFrameList> list(StealSomeFrames())" becomes
"AutoFrameListPtr list(aPresContext, StealSomeFrames())"
Attachment #599601 -
Attachment is obsolete: true
Attachment #730930 -
Flags: review?(bzbarsky)
Assignee | ||
Comment 9•12 years ago
|
||
In summary, the main changes are:
1. allocate (heap) nsFrameLists from the shell arena
2. frame property values that are nsFrameLists are destroyed by the
frame that owns them, in DestroyFrom, thus the property destructor
function is never called (this was actually already the case except
for the OutsideBullet list)
https://tbpl.mozilla.org/?usebuildbot=1&tree=Try&rev=313fcb091ba9
Comment 11•12 years ago
|
||
Comment on attachment 730922 [details] [diff] [review]
Use SafelyDestroyFrameListProp also for the OverflowList
r=me
Attachment #730922 -
Flags: review?(bzbarsky) → review+
Comment 12•12 years ago
|
||
Comment on attachment 730923 [details] [diff] [review]
Simplify DestroyOverflowList() by requiring that the list is empty
r=me
Attachment #730923 -
Flags: review?(bzbarsky) → review+
Comment 13•12 years ago
|
||
Comment on attachment 730925 [details] [diff] [review]
Allocate nsFrameList::sEmptyList from the .rodata segment, not the heap
The assertion messages still mention sEmptyList. Fix that?
>+ return *(nsFrameList*)&mozilla::layout::detail::gEmptyFrameListBytes;
reinterpret_cast.
r=me
Attachment #730925 -
Flags: review?(bzbarsky) → review+
Comment 14•12 years ago
|
||
Comment on attachment 730927 [details] [diff] [review]
Make frames destroy all child frames and remove their nsFrameList properties when destroyed
Hmm. A bit worried about the perf impact of regetting the prop repeatedly for overflow out-of-flows, but r=me....
Attachment #730927 -
Flags: review?(bzbarsky) → review+
Comment 15•12 years ago
|
||
Comment on attachment 730930 [details] [diff] [review]
Allocate heap nsFrameLists from the shell arena
>+ void operator delete(void*) MOZ_DELETE;
Shouldn't this have a size_t argument too?
r=me either way, as long as deleting a framelist via delete doesn't compile.
Attachment #730930 -
Flags: review?(bzbarsky) → review+
Assignee | ||
Comment 16•12 years ago
|
||
(In reply to Boris Zbarsky (:bz) from comment #13)
> The assertion messages still mention sEmptyList. Fix that?
fixed
> reinterpret_cast.
fixed
(In reply to Boris Zbarsky (:bz) from comment #14)
> Hmm. A bit worried about the perf impact of regetting the prop repeatedly
> for overflow out-of-flows, but r=me....
Yeah, it's a temporary compromise. I want to create a frame bit for the
remaining few lists that don't have it, and then gate all lookups on it.
I figured it would help to make frame list handling more uniform.
Filed bug 856630 about it.
(In reply to Boris Zbarsky (:bz) from comment #15)
> >+ void operator delete(void*) MOZ_DELETE;
>
> Shouldn't this have a size_t argument too?
Either way is fine. The C++11 Standard says that 'operator delete(void*)'
is the (non-placement) deallocator if it exists, otherwise it's
'operator delete(void*, size_t)' if it exists.
I checked that it fails to compile if used.
Assignee | ||
Comment 17•12 years ago
|
||
https://hg.mozilla.org/integration/mozilla-inbound/rev/37bebc3a719e
https://hg.mozilla.org/integration/mozilla-inbound/rev/ba8a10a35c18
https://hg.mozilla.org/integration/mozilla-inbound/rev/c320c5821f98
https://hg.mozilla.org/integration/mozilla-inbound/rev/489955a7d759
https://hg.mozilla.org/integration/mozilla-inbound/rev/d1f113402481
Comment 18•12 years ago
|
||
https://hg.mozilla.org/mozilla-central/rev/37bebc3a719e
https://hg.mozilla.org/mozilla-central/rev/ba8a10a35c18
https://hg.mozilla.org/mozilla-central/rev/c320c5821f98
https://hg.mozilla.org/mozilla-central/rev/489955a7d759
https://hg.mozilla.org/mozilla-central/rev/d1f113402481
Status: NEW → RESOLVED
Closed: 12 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla22
You need to log in
before you can comment on or make changes to this bug.
Description
•