Created attachment 708931 [details] testcase trace-refcnt reports a large leak, including nsGlobalWindow and nsDocument.
Is this a regression? And if so, from Bug 827158?
I don't know how this could be related, but HTMLObjectElement inherits from nsIConstraintValidation without traversing/unlinking mValidity. Button element itself looks okay.
> Is this a regression? And if so, from Bug 827158? Quite likely, since we didn't use to do wrapper preservation for ValidityState before that. So the likely cycle here is preserved wrapper for validity state to JS object's parent (which is the JS object for the mConstraintValidation) to C++ HTMLButtonElement object to mValidity. But it looks to me like we should traverse that cycle, and unlink it both by unpreserving the wrapper and by dropping mValidity. So what gives? This is eerily similar to the issue Ms2ger was running into with StyleSheetList...
(In reply to Andrew McCreight [:mccr8] from comment #2) > I don't know how this could be related, but HTMLObjectElement inherits from > nsIConstraintValidation without traversing/unlinking mValidity. Button > element itself looks okay. You're right, I actually handled that in my patches there, but then left those hunks in the unlanded WIP patch over in that bug... But that is not related to this bug.
> So what gives? I can look at the CC graph to see what is missing later today.
> This is eerily similar to the issue Ms2ger was running into with StyleSheetList What's the bug number for that?
It was just an IRC discussion.
As expected, the leak is rooted on a ValidityState object with two references, one unknown. The known reference is from the Validity state's reflector. 0x123b064c0 [ValidityState] --[Preserved wrapper]-> 0x1199cc1c0 [JS Object (ValidityState)] --[parent]-> 0x1199c83d0 [JS Object (HTMLButtonElement)] --[parent]-> 0x1199c81f0 [JS Object (HTMLDocument)] ... Root 0x123b064c0 is a ref counted object with 1 unknown edge(s). known edges: 0x1199cc1c0 [JS Object (ValidityState)] --[UnwrapDOMObject(obj)]-> 0x123b064c0
Per irc debugging just now, definitely fallout from the ValidityState change in bug 827158. We're not actually traversing/unlinking anything in button because its QI impl doesn't mention CC stuff.
Created attachment 709126 [details] [diff] [review] QI to participant https://tbpl.mozilla.org/?tree=Try&rev=9f20b5e6446b
Comment on attachment 709126 [details] [diff] [review] QI to participant r=me
I looked at all of the other classes modified in that patch, and they all look like they QI to ValidityState (they were CCed beforehand). It would be nice if we could dynamically check that classes with participants QI to their participant, but I'm not sure how to do that. Filed bug 837182 for that.
Rather, "they all look like they QI to their participant".
Too bad jst never reviewed bug 614238!
Ah right, that. Want me to review that patch or unbitrot it, Kyle? Just assign/flag me as appropriate and I'll deal with it eventually.