Closed Bug 217717 Opened 21 years ago Closed 21 years ago

crash [@ nsHTMLEditor::GetCSSBackgroundColorState] deleting table in compose window

Categories

(Core :: DOM: Editor, defect)

Product:
Core
Component:
DOM: Editor
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla1.5beta

People

(Reporter: vincent.deconinck, Assigned: glazou)

Details

(Keywords: crash, regression, Whiteboard: TB23161948X)

Crash Data

Attachments

(3 files, 1 obsolete file)

stacktrace
7.25 KB, text/plain
Details
wallpaper that prevents the crash (until we get someone like glazman to comment)
809 bytes, patch
Details | Diff | Splinter Review
fix #2
1.51 KB, patch
mozeditor
: review+
dbaron
: superreview+
asa
: approval1.6a+
Details | Diff | Splinter Review
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.5b) Gecko/20030827 Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.5b) Gecko/20030827 If you delete a html table from a compose window, for example copy/pasted from a web page, Mozilla crashes immediately. Reproducible: Always Steps to Reproduce: 1. Open a page with a small table in the browser, for example http://groups.google.com/groups?as_umsgid=3F454ECF.6000403%40mozilla.org 2. Copy the text message to the clipboard, starting for example at "From: Gervase Markham..." and ending at "...meeting at Burning Man? :-)" 3. Paste this in a new Compose Window 4. Click in the table at the top right which reads "View: Complete Thread (2 articles) - Original Format" 5. Choose "Format / Table / Delete / Table" from the menu Actual Results: Crash Expected Results: The table should have been deleted, but no crash Note that this causes dataloss, as you potentially have written a long mail and just wanted to add the cut and paste article at the end ("I'll just remove this annoying table and send it"). That was my case the first time it happened :-( Full Circle Talkback ID TB23161948X
A few more precisions (just reproduced the crash to see) : The table actually gets deleted, and the crash occurs after one or two seconds. Here's also some more information from the XP "fatal error" message box details : AppName: mozilla.exe AppVer: 1.5.20030.17168 ModName: editor.dll ModVer: 1.5.20030.17168 Offset: 00005f7b
Keywords: crash, stackwanted
Whiteboard: TB23161948X
I see the same thing. TB23172642K Would confirm if I could ;-)
Confirming with trunk Seamonkey build 2003-08-29-04 on Windows 2000.
Status: UNCONFIRMED → NEW
Ever confirmed: true
Flags: blocking1.5?
Why isn't it CC'ing me by default when I comment.
See it on linux trunk cvs built 030901
OS: Windows XP → All
Attached file stacktrace
0x420751c1 in nsHTMLEditor::GetCSSBackgroundColorState(int*, nsAString&, int) ( this=0x89ec6d8, aMixed=0xbfffcf4c, aOutColor=@0xbfffceb0, aBlockLevel=1) at nsHTMLEditor.cpp:2467 2467 res = tmp->GetParentNode(getter_AddRefs(blockParent)); |tmp| is holding the old value of |blockParent|, which is set at line 2460 (since |isBlock| is 0): 2460 blockParent = GetBlockNodeParent(nodeToExamine); |nodeToExamine| looks like a valid pointer.
Keywords: stackwanted
Summary: crash if I delete a table in a compose window → crash [@ nsHTMLEditor::GetCSSBackgroundColorState] deleting table in compose window
Flags: blocking1.5? → blocking1.5+
here's a stack, from by debug build NTDLL! 77fa144b() nsDebugImpl::Assertion(nsDebugImpl * const 0x00267008, const char * 0x03c51764 `string', const char * 0x03c517a8 `string', const char * 0x03c517b8 `string', int 668) line 276 nsDebug::Assertion(const char * 0x03c51764 `string', const char * 0x03c517a8 `string', const char * 0x03c517b8 `string', int 668) line 109 nsCOMPtr<nsIDOMNode>::operator->() line 668 + 34 bytes nsHTMLEditor::GetCSSBackgroundColorState(int * 0x0012c2e4, nsAString & {...}, int 1) line 2467 + 32 bytes nsHTMLEditor::GetBackgroundColorState(nsHTMLEditor * const 0x04a74bf0, int * 0x0012c2e4, nsAString & {...}) line 2368 + 24 bytes nsBackgroundColorStateCommand::GetCurrentState(nsIEditor * 0x04a74b08, nsICommandParams * 0x0512e018) line 1005 + 46 bytes nsMultiStateCommand::GetCommandStateParams(nsMultiStateCommand * const 0x0472bd68, const char * 0x0512df88, nsICommandParams * 0x0512e018, nsISupports * 0x04a74b08) line 682 + 24 bytes nsControllerCommandTable::GetCommandState(nsControllerCommandTable * const 0x047084c0, const char * 0x0512df88, nsICommandParams * 0x0512e018, nsISupports * 0x04a74b08) line 226 + 35 bytes nsBaseCommandController::GetCommandStateWithParams(nsBaseCommandController * const 0x04a893d4, const char * 0x0512df88, nsICommandParams * 0x0512e018) line 149 XPTC_InvokeByIndex(nsISupports * 0x04a893d4, unsigned int 3, unsigned int 2, nsXPTCVariant * 0x0012c4e8) line 102 XPCWrappedNative::CallMethod(XPCCallContext & {...}, XPCWrappedNative::CallMode CALL_METHOD) line 2017 + 42 bytes XPC_WN_CallMethod(JSContext * 0x047822a0, JSObject * 0x038e4ff8, unsigned int 2, long * 0x051161f8, long * 0x0012c7c4) line 1269 + 14 bytes js_Invoke(JSContext * 0x047822a0, unsigned int 2, unsigned int 0) line 843 + 23 bytes js_Interpret(JSContext * 0x047822a0, long * 0x0012d5ac) line 2859 + 15 bytes js_Invoke(JSContext * 0x047822a0, unsigned int 1, unsigned int 2) line 860 + 13 bytes js_InternalInvoke(JSContext * 0x047822a0, JSObject * 0x015f1228, long 23007880, unsigned int 0, unsigned int 1, long * 0x0012d808, long * 0x0012d6d8) line 935 + 20 bytes JS_CallFunctionValue(JSContext * 0x047822a0, JSObject * 0x015f1228, long 23007880, unsigned int 1, long * 0x0012d808, long * 0x0012d6d8) line 3538 + 31 bytes nsJSContext::CallEventHandler(nsJSContext * const 0x048b4060, void * 0x015f1228, void * 0x015f1288, unsigned int 1, void * 0x0012d808, int * 0x0012d80c, int 0) line 1217 + 33 bytes nsJSEventListener::HandleEvent(nsJSEventListener * const 0x046c60c0, nsIDOMEvent * 0x05114ff0) line 181 + 77 bytes nsEventListenerManager::HandleEventSubType(nsListenerStruct * 0x0457a250, nsIDOMEvent * 0x05114ff0, nsIDOMEventTarget * 0x051150c8, unsigned int 32, unsigned int 7) line 1194 + 20 bytes nsEventListenerManager::HandleEvent(nsEventListenerManager * const 0x046c6068, nsIPresContext * 0x03a50420, nsEvent * 0x0012e328, nsIDOMEvent * * 0x0012e254, nsIDOMEventTarget * 0x051150c8, unsigned int 7, nsEventStatus * 0x0012e350) line 2193 + 36 bytes nsXULElement::HandleDOMEvent(nsXULElement * const 0x046a5938, nsIPresContext * 0x03a50420, nsEvent * 0x0012e328, nsIDOMEvent * * 0x0012e254, unsigned int 7, nsEventStatus * 0x0012e350) line 3245 nsXULCommandDispatcher::UpdateCommands(nsXULCommandDispatcher * const 0x03a01af8, const nsAString & {...}) line 387 GlobalWindowImpl::UpdateCommands(GlobalWindowImpl * const 0x047efffc, const nsAString & {...}) line 3541 XPTC_InvokeByIndex(nsISupports * 0x047efffc, unsigned int 82, unsigned int 1, nsXPTCVariant * 0x0012e624) line 102 XPCWrappedNative::CallMethod(XPCCallContext & {...}, XPCWrappedNative::CallMode CALL_METHOD) line 2017 + 42 bytes XPC_WN_CallMethod(JSContext * 0x0152f070, JSObject * 0x01657178, unsigned int 1, long * 0x05106920, long * 0x0012e900) line 1269 + 14 bytes js_Invoke(JSContext * 0x0152f070, unsigned int 1, unsigned int 0) line 843 + 23 bytes js_Interpret(JSContext * 0x0152f070, long * 0x0012f6e8) line 2859 + 15 bytes js_Invoke(JSContext * 0x0152f070, unsigned int 3, unsigned int 2) line 860 + 13 bytes nsXPCWrappedJSClass::CallMethod(nsXPCWrappedJSClass * const 0x036733a8, nsXPCWrappedJS * 0x035fbd18, unsigned short 3, const nsXPTMethodInfo * 0x0311e728, nsXPTCMiniVariant * 0x0012fa2c) line 1331 + 22 bytes nsXPCWrappedJS::CallMethod(nsXPCWrappedJS * const 0x035fbd18, unsigned short 3, const nsXPTMethodInfo * 0x0311e728, nsXPTCMiniVariant * 0x0012fa2c) line 429 PrepareAndDispatch(nsXPTCStubBase * 0x035fbd18, unsigned int 3, unsigned int * 0x0012fadc, unsigned int * 0x0012facc) line 117 + 31 bytes SharedStub() line 147 nsCommandManager::CommandStatusChanged(nsCommandManager * const 0x035fb724, const char * 0x05579058) line 116 + 65 bytes nsComposerCommandsUpdater::UpdateCommandGroup(const nsAString & {...}) line 309 nsComposerCommandsUpdater::TimerCallback() line 272 + 25 bytes nsComposerCommandsUpdater::Notify(nsComposerCommandsUpdater * const 0x04a31144, nsITimer * 0x04aa02e8) line 386 nsTimerImpl::Fire() line 386 nsTimerManager::FireNextIdleTimer(nsTimerManager * const 0x00f83570) line 616 nsAppShell::Run(nsAppShell * const 0x0153a790) line 142 nsAppShellService::Run(nsAppShellService * const 0x0153a718) line 484 main1(int 4, char * * 0x00262638, nsISupports * 0x00ebbe28) line 1290 + 32 bytes main(int 4, char * * 0x00262638) line 1669 + 37 bytes mainCRTStartup() line 338 + 17 bytes KERNEL32!
I got a patch to bullet proof and prevent the crash, but this bug belongs with an editor guru (like glazman or akkana) I'll attach what I got, as we might take it until we have the right fix.
for context: the code I'm wall papering is from this checkin by glazman: "CSS in Composer, step 1 ; b=77705, r=jfrancis, r=cmanske, sr=kin"
daniel, can you review my wall paper, which turns the crash into an assert? or better yet, feel free to take the bug and fix this the right way.
Whiteboard: TB23161948X → TB23161948X [bulletproof crash in hand, but real fix still needed]
Taking bug. This is not specific to mailnews so I change product/component. Urgent fix needed. Should have one in a few hours (daddy duty in the meantime)
Assignee: sspitzer → daniel
Component: Composition → Editor: Core
Product: MailNews → Browser
bummer Netscape 7.1 / mozilla 1.4 shipped with this bug. We should try to get this fix in for 1.4.2 too.
Flags: blocking1.4.x?
Keywords: regression
Target Milestone: --- → mozilla1.5beta
Status: NEW → ASSIGNED
Attached patch fix #1 (obsolete) — Splinter Review
Seth: the bug showed by the stack trace should really never happen. It's a bad side effect of something else, we probably have something weird in the commands updater. Your patch is really a workaround. Now, I have a fix for this bug which in my opinion makes sense but I need the opinion of Kathy Brade and Joe Francis. Why is the current code so complex in comparison of what I am proposing here ??? Why does it try to update the commands using an orphan node ? Why (many others).
yes, worth taking for 1.4.1 if we have a fix
Flags: blocking1.4.x? → blocking1.4.x+
I've experienced this several times I think. I was just never able to pinpoint what the problem was, as the reporter could. I've had a few crashes since 1.4~ thanks to tables in email (in retrospect, I realize they all had tables). So I've lost data in the past. And 100.1% agree it should be in 1.4.x. Isn't that due out soon? Or is GDI still holding it up?
Comment on attachment 130924 [details] [diff] [review] fix #1 This patch looks ok to me; I can't really comment on why it was done that way (I'd consult with cmanske if he's around). I'll let Joe check the review+ box. r=brade Do we have a similar problem if we delete a row for a one row table (or similarly for one-column or one-cell)?
cc cmanske for his input/comments on patch
Hardware: PC → All
Daniel, am I to understand your comments to mean that you don't know why your fix works? If you do know why it works, can you explain it to me?
> Daniel, am I to understand your comments to mean that you don't know why your > fix works? Joe: absolutely :-/ I really did not understand why the code crashes with an orphan node so I wanted to look at the ::DeleteTable code and found it well hard to follow... I also saw that selecting the Composer and deleting it using the normal "Delete" menu item in the Edit menu does NOT hit the bug. My conclusion is that, in the existing code, we try to update the UI at a wrong moment.
I haven't conclusively tested this but it seems like it is when you paste a table into the editor and then delete it that you see this crash. I don't crash if I create a table, add text to it and then delete it. Perhaps the problem lies somewhere in copy/paste (which did undergo some changes before 1.4 shipped). Joe--if you have time, you could look at the code you wrote for the paste hooks; maybe we botch something in there (despite having no hook callbacks)?
Talkback IDs TB23410495Y, TB23410414Z, reproducible by editing a local file. For making a testcase, I downloaded a website, and cut it down. I stripped a lot of stuff, from the start, and from the end, and the file I´m editing is about the fifth version. I edited offline (to prevent the flash ad loading), to delete some from the end, in tagged mode, and crashed. Then went online to submit the talkback, started mozilla, loaded same file, made same 3 or 4 deletes in normal mode, and crashed, as seen above. File and steps to crash available on demand. (I deleted from the end of the file an immage and a textbox to isolate a flash ad in an iframe.)
Not very high in the topcrash list. Most comments in talkback talk about editing or deleting a table in Mail's message compose or Composer. Not going to block 1.5 for this.
Flags: blocking1.5+ → blocking1.5-
I'd really like to see this fix get in soon (at least the wallpaper). Daniel, have you had a chance to test the "delete row when only 1 row" and similarly delete column and delete cell?
Attached patch fix #2Splinter Review
The cause of the bug is reseting the selection after the table node is deleted. My code tried to save the table parent and its offset and reset selection, but that isn't the right way -- Daniel had the right idea in calling "SelectTable()" in his "fix #1". This patch is more correct by moving the fix into "DeleteTable2()" so all cases of deleting tables, such as when deleting a single col or row, are also fixed. Resulting code simplification removes the necessity of "aSelection" param in DeleteTable2(). This will be cleaned up in another bug.
Attachment #130924 - Attachment is obsolete: true
r=brade for fix #2 I'll let Joe and/or Daniel set the checkbox.
Comment on attachment 132542 [details] [diff] [review] fix #2 looks good, thanks charlie
Attachment #132542 - Flags: review+
Attachment #132542 - Flags: superreview?(kinmoz)
Whiteboard: TB23161948X [bulletproof crash in hand, but real fix still needed] → TB23161948X
Flags: blocking1.6a?
This looks like a good fix to get for 1.6a. Who can help with a super-review?
Attachment #132542 - Flags: superreview?(kinmoz) → superreview+
Comment on attachment 132542 [details] [diff] [review] fix #2 a=asa (on behalf of drivers) for checkin to 1.6alpha
Attachment #132542 - Flags: approval1.6a+
checked into 1.6a 10-24-03
Status: ASSIGNED → RESOLVED
Closed: 21 years ago
Resolution: --- → FIXED
Flags: blocking1.6a?
Crash Signature: [@ nsHTMLEditor::GetCSSBackgroundColorState]
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: