Leak with expando on ValidityState

RESOLVED FIXED in Firefox 21

Status

()

Core
DOM
RESOLVED FIXED
4 years ago
4 years ago

People

(Reporter: Jesse Ruderman, Assigned: mccr8)

Tracking

(Blocks: 1 bug, {mlk, testcase})

Trunk
mozilla21
x86_64
Mac OS X
mlk, testcase
Points:
---
Dependency tree / graph

Firefox Tracking Flags

(firefox21+ fixed)

Details

(Whiteboard: [MemShrink])

Attachments

(2 attachments)

(Reporter)

Description

4 years ago
Created attachment 708931 [details]
testcase

trace-refcnt reports a large leak, including nsGlobalWindow and nsDocument.

Comment 1

4 years ago
Is this a regression? And if so, from Bug 827158?
(Assignee)

Updated

4 years ago
Whiteboard: [MemShrink]
(Assignee)

Comment 2

4 years ago
I don't know how this could be related, but HTMLObjectElement inherits from nsIConstraintValidation without traversing/unlinking mValidity.  Button element itself looks okay.
> Is this a regression? And if so, from Bug 827158?

Quite likely, since we didn't use to do wrapper preservation for ValidityState before that.

So the likely cycle here is preserved wrapper for validity state to JS object's parent (which is the JS object for the mConstraintValidation) to C++ HTMLButtonElement object to mValidity.

But it looks to me like we should traverse that cycle, and unlink it both by unpreserving the wrapper and by dropping mValidity.

So what gives?

This is eerily similar to the issue Ms2ger was running into with StyleSheetList...
Blocks: 827158
tracking-firefox21: --- → ?
(In reply to Andrew McCreight [:mccr8] from comment #2)
> I don't know how this could be related, but HTMLObjectElement inherits from
> nsIConstraintValidation without traversing/unlinking mValidity.  Button
> element itself looks okay.

You're right, I actually handled that in my patches there, but then left those hunks in the unlanded WIP patch over in that bug...  But that is not related to this bug.
(Assignee)

Comment 5

4 years ago
> So what gives?
I can look at the CC graph to see what is missing later today.
(Assignee)

Comment 6

4 years ago
> This is eerily similar to the issue Ms2ger was running into with StyleSheetList
What's the bug number for that?
Assignee: nobody → continuation
It was just an IRC discussion.
(Assignee)

Comment 8

4 years ago
As expected, the leak is rooted on a ValidityState object with two references, one unknown.  The known reference is from the Validity state's reflector.

0x123b064c0 [ValidityState]
    --[Preserved wrapper]-> 0x1199cc1c0 [JS Object (ValidityState)]
    --[parent]-> 0x1199c83d0 [JS Object (HTMLButtonElement)]
    --[parent]-> 0x1199c81f0 [JS Object (HTMLDocument)]
    ...

    Root 0x123b064c0 is a ref counted object with 1 unknown edge(s).
    known edges:
       0x1199cc1c0 [JS Object (ValidityState)] --[UnwrapDOMObject(obj)]-> 0x123b064c0
Per irc debugging just now, definitely fallout from the ValidityState change in bug 827158.  We're not actually traversing/unlinking anything in button because its QI impl doesn't mention CC stuff.
(Assignee)

Comment 10

4 years ago
Created attachment 709126 [details] [diff] [review]
QI to participant

https://tbpl.mozilla.org/?tree=Try&rev=9f20b5e6446b
Attachment #709126 - Flags: review?(bzbarsky)
Comment on attachment 709126 [details] [diff] [review]
QI to participant

r=me
Attachment #709126 - Flags: review?(bzbarsky) → review+
(Assignee)

Comment 12

4 years ago
I looked at all of the other classes modified in that patch, and they all look like they QI to ValidityState (they were CCed beforehand).

It would be nice if we could dynamically check that classes with participants QI to their participant, but I'm not sure how to do that.  Filed bug 837182 for that.
(Assignee)

Comment 13

4 years ago
Rather, "they all look like they QI to their participant".
Too bad jst never reviewed bug 614238!
(Assignee)

Comment 15

4 years ago
Ah right, that.  Want me to review that patch or unbitrot it, Kyle?  Just assign/flag me as appropriate and I'll deal with it eventually.
(Assignee)

Comment 16

4 years ago
https://hg.mozilla.org/integration/mozilla-inbound/rev/3b52eded5b89
status-firefox21: --- → affected
tracking-firefox21: ? → +
https://hg.mozilla.org/mozilla-central/rev/3b52eded5b89
Status: NEW → RESOLVED
Last Resolved: 4 years ago
status-firefox21: affected → fixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla21
You need to log in before you can comment on or make changes to this bug.