Closed Bug 757749 Opened 12 years ago Closed 11 years ago

Leak with canvas, addEventListener, matchMedia

Categories

(Core :: Graphics: Canvas2D, defect)

Product:
Core
Component:
Graphics: Canvas2D
Platform:
x86_64
macOS
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

()

Status:
RESOLVED FIXED

People

(Reporter: jruderman, Unassigned)

References

Details

(Keywords: memory-leak, testcase, Whiteboard: [MemShrink:P2])

Attachments

(3 files)

testcase
386 bytes, text/html
Details
ref count tree, with balanced subtrees ignored
48.34 KB, text/plain
Details
refcount tree
108.96 KB, text/plain
Details
Attached file testcase 
According to trace-refcnt, this testcase makes Firefox leak nsGlobalWindow objects.
I just tried this with a slightly old build (from rev fb6109c9dae5) and that doesn't leak...

I'll try updating.
I can't reproduce this on linux.
OK, rev a4240610972e does show the leak.
And now I see it with rev fb6109c9dae5 too.

My first guess would be that we end up with a cycle through the prescontext somehow, but I dunno exactly how...
Assignee: nobody → continuation
A canvas element is being kept alive here somehow.  My money is on bungled refcounting in nsCanvasRenderingContext2DAzure. ;)

0x12626ded0 [nsGenericElement (xhtml) canvas https://bug757749.bugzilla.mozilla.org/attachment.cgi?id=626343]
    --[[via hash] mListenerManager]-> 0x12674f310 [nsEventListenerManager]
    --[mListeners[i] mListener]-> 0x12549b410 [nsXPCWrappedJS (nsIDOMEventListener)]
    --[mJSObj]-> 0x1184e58c0 [JS Object (Function)]
    --[script]-> 0x1184740e8 [JS Script]
    --[object]-> 0x118470060 [JS Object (Window)]
    --[xpc_GetJSPrivate(obj)]-> 0x126f42ba0 [XPCWrappedNative (Window)]
    --[mIdentity]-> 0x1264d5080 [nsGlobalWindow]

    Root 0x12626ded0 is a ref counted object with 1 unknown edge(s).
    known edges:
       0x126697bc0 [nsGenericElement (xhtml) body https://bug757749.bugzilla.mozilla.org/attachment.cgi?id=626343] --[mAttrsAndChildren[i]]-> 0x12626ded0
       0x1264d3000 [nsCanvasRenderingContext2DAzure] --[mCanvasElement]-> 0x12626ded0
Whiteboard: [MemShrink]
Attached file refcount tree 

    
    

    
  
The first refcount log shows outstanding refs from the canvas context (expected: they form a cycle), the parent element in the DOM, and what looks like GetCanvasLayer (via CanvasRenderingContext2DUserData)

Is it possible that the canvas layer is leaking for some reason?

    
    

    
  
(In reply to Boris Zbarsky (:bz) from comment #8)
> Is it possible that the canvas layer is leaking for some reason?
It could be, but it must not be in the CC graph.  That means either that it isn't a CCed class, or it was erroneously dropped.

    
    

    
  
I really hope layers aren't CCd objects!

    
    

    
  
The layers aren't CCed.

    
    

    
  
So isn't this then a dup of ... the one bug where prescontext ends up keeping layers alive
too long.

    
    

    
  
(or was that fixed?)

    
    

    
  
(In reply to Olli Pettay [:smaug] from comment #12)
> So isn't this then a dup of ... the one bug where prescontext ends up
> keeping layers alive too long.
Do you have a bug number for that?

    
    

    
  
That does sound very similar.
Component: DOM → Canvas: 2D
QA Contact: general → canvas.2d

    
    

    
  
There are (In reply to Boris Zbarsky (:bz) from comment #8)
> Is it possible that the canvas layer is leaking for some reason?
There are 8 Layers leaking.  I'm not sure which is which, though.

    
    

    
  
I can't reproduce this. Anyone got exact steps to reproduce?

    
    

    
  
I'm able to reproduce it by just opening the browser with the test case loading as the initial tab, then exiting the browser.  Maybe it is OSX only or something?

    
    

    
  
Windows and GTK2 nsWindow::Destroy are doing stuff like this:
  if (mLayerManager) {
    mLayerManager->Destroy();
  }
  mLayerManager = nsnull;

I'm guessing nsChildView::Destroy needs that somewhere too. I don't think that's happening right now.

    
    

    
  
I tried blindly putting that chunk of code into nsChildView::Destroy in a few places but it didn't fix the leak.  Somebody who actually knows some of this code should probably take over from here.
Assignee: continuation → nobody

    
    

    
  
Ignore the first sentence of the previous comment.  I was managing to edit a different directory from the one I was running.  When I tried it for real, I ended up crashing in the cycle collector on shutdown while tearing down this view stuff:

mozilla::gl::TextureImageCGL::~TextureImageCGL() + 71 (GLContext.h:583)
nsChildView::~nsChildView() + 357 (nsChildView.mm:246)
nsBaseWidget::Release() + 282 (nsBaseWidget.cpp:56)
nsChildView::Release() + 24 (nsChildView.mm:251)
nsPresContext::cycleCollection::Unlink(void*) + 1102 (mozalloc.h:224)

~nsChildView() has some comment about doing some cleanup in case Destroy() hasn't been called, so presumably my random nulling out has upset something there.
Whiteboard: [MemShrink] → [MemShrink:P2]

    
    

    
  
Fixed in bug 731868. CanvasRenderingContext2DUserData(Azure) no longer has an owning reference to anything.
Status: NEW → RESOLVED
Closed: 11 years ago
Resolution: --- → FIXED

          You need to log in
          before you can comment on or make changes to this bug.