Closed Bug 837033 Opened 8 years ago Closed 8 years ago

Leak with expando on ValidityState

Categories

(Core :: DOM: Core & HTML, defect)

x86_64
macOS
defect
Not set
normal

Tracking

()

RESOLVED FIXED
mozilla21
Tracking Status
firefox21 + fixed

People

(Reporter: jruderman, Assigned: mccr8)

References

Details

(Keywords: memory-leak, testcase, Whiteboard: [MemShrink])

Attachments

(2 files)

Attached file testcase
trace-refcnt reports a large leak, including nsGlobalWindow and nsDocument.
Is this a regression? And if so, from Bug 827158?
Whiteboard: [MemShrink]
I don't know how this could be related, but HTMLObjectElement inherits from nsIConstraintValidation without traversing/unlinking mValidity.  Button element itself looks okay.
> Is this a regression? And if so, from Bug 827158?

Quite likely, since we didn't use to do wrapper preservation for ValidityState before that.

So the likely cycle here is preserved wrapper for validity state to JS object's parent (which is the JS object for the mConstraintValidation) to C++ HTMLButtonElement object to mValidity.

But it looks to me like we should traverse that cycle, and unlink it both by unpreserving the wrapper and by dropping mValidity.

So what gives?

This is eerily similar to the issue Ms2ger was running into with StyleSheetList...
Blocks: 827158
(In reply to Andrew McCreight [:mccr8] from comment #2)
> I don't know how this could be related, but HTMLObjectElement inherits from
> nsIConstraintValidation without traversing/unlinking mValidity.  Button
> element itself looks okay.

You're right, I actually handled that in my patches there, but then left those hunks in the unlanded WIP patch over in that bug...  But that is not related to this bug.
> So what gives?
I can look at the CC graph to see what is missing later today.
> This is eerily similar to the issue Ms2ger was running into with StyleSheetList
What's the bug number for that?
Assignee: nobody → continuation
It was just an IRC discussion.
As expected, the leak is rooted on a ValidityState object with two references, one unknown.  The known reference is from the Validity state's reflector.

0x123b064c0 [ValidityState]
    --[Preserved wrapper]-> 0x1199cc1c0 [JS Object (ValidityState)]
    --[parent]-> 0x1199c83d0 [JS Object (HTMLButtonElement)]
    --[parent]-> 0x1199c81f0 [JS Object (HTMLDocument)]
    ...

    Root 0x123b064c0 is a ref counted object with 1 unknown edge(s).
    known edges:
       0x1199cc1c0 [JS Object (ValidityState)] --[UnwrapDOMObject(obj)]-> 0x123b064c0
Per irc debugging just now, definitely fallout from the ValidityState change in bug 827158.  We're not actually traversing/unlinking anything in button because its QI impl doesn't mention CC stuff.
Comment on attachment 709126 [details] [diff] [review]
QI to participant

r=me
Attachment #709126 - Flags: review?(bzbarsky) → review+
I looked at all of the other classes modified in that patch, and they all look like they QI to ValidityState (they were CCed beforehand).

It would be nice if we could dynamically check that classes with participants QI to their participant, but I'm not sure how to do that.  Filed bug 837182 for that.
Rather, "they all look like they QI to their participant".
Ah right, that.  Want me to review that patch or unbitrot it, Kyle?  Just assign/flag me as appropriate and I'll deal with it eventually.
https://hg.mozilla.org/mozilla-central/rev/3b52eded5b89
Status: NEW → RESOLVED
Closed: 8 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla21
Component: DOM → DOM: Core & HTML
You need to log in before you can comment on or make changes to this bug.