Ubuntu
firefox package

  1. Bug #53372
  2. Comment #3

Comment 3 for bug 53372

Revision history for this message
In , c7d2f5c8667d26fffd5e7772d632c76d (c7d2f5c8667d26fffd5e7772d632c76d-deactivatedaccount) wrote :

I think I've figured this one out.

It appears that for EACH accessible wrapper object, mozilla registers a unique GType deriving from MAI_TYPE_ATK_OBJECT, see http://lxr.mozilla.org/seamonkey/source/accessible/src/atk/nsAccessibleWrap.cpp#421 and http://lxr.mozilla.org/seamonkey/source/accessible/src/atk/nsAccessibleWrap.cpp#436 . This is obviously bad for memory consumption (since registered types occupy memory that'll never be freed again while the program runs), but even worse, gobject limits the number of types that can directly derive from any given object type to 4095. So when we come to register MaiAtkTypefff (fff is the uniquified part), we hit the assertion in http://cvs.gnome.org/viewcvs/*checkout*/glib/gobject/gtype.c?rev=1.85 : type_node_new_W : g_assert (pnode->n_children < MAX_N_CHILDREN); and crash.

If the program runs long enough, this will ALWAYS happen. (Sooner if you make heavy use of a11y.)