Closed Bug 636281 Opened 13 years ago Closed 13 years ago

crash [@ -[ChildView setMarkedText:selectedRange:]]

Categories

(Core :: Widget: Cocoa, defect)

Product:
Core
Component:
Widget: Cocoa
Version:
1.9.2 Branch
Platform:
x86
macOS
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
RESOLVED FIXED
Tracking Flags:
Tracking Status
status1.9.2 --- .17-fixed
status1.9.1 --- .19-fixed

People

(Reporter: alqahira, Assigned: masayuki)

Details

(Keywords: crash, Whiteboard: [qa-examined-192] [qa-examined-191])

Crash Data

Attachments

(1 file)

Patch v1.0 for 1.9.2
880 bytes, patch
smichaud
: review+
dveditz
: approval1.9.2.17+
dveditz
: approval1.9.1.19+
Details | Diff | Splinter Review 
This bug was filed from the Socorro interface and is 
report bp-d7fe25bb-2e2e-416d-8ef7-65c492110216 and 
report bp-27247c52-d1ae-4830-a7da-99a5c2110221.
============================================================= 

There's a low-grade crash on 1.9.0, 1.9.1, and 1.9.2 in -[ChildView setMarkedText:selectedRange:] related to IME.

The reports finger http://hg.mozilla.org/releases/mozilla-1.9.2/annotate/0c159bd1d600/widget/src/cocoa/nsChildView.mm#l4808, which looks suspicious because there's no null-check of mGeckoChild there (or anywhere in |setMarkedText:selectedRange:| at all).

mGeckoChild *is* null-checked there on the trunk; Steven added it in bug 538251 because of crashes that appeared to have this very signature. 

It's not clear what the source of the bug is ultimately, but null-checking should help; can we take the patch from bug 538251 on the branches?
The IME code is quite different on the 1.9.2 branch from what it is on
the trunk, so I (or someone) would need to rewrite my patch.  But
adding null-checks of mGeckoChild to IME code on the branch (as
needed) does seem like a good idea.

I won't be able to get to this for a while -- I'm totally swamped by
other bugs.
Okay, I'll take this. Is this needed for 1.9.0? I don't remember the status of 1.9.0.
Assignee: nobody → masayuki
Status: NEW → ASSIGNED
I checked all IME related methods. The other methods check mGeckoChild first if they use mGeckoChild. Therefore, the query selection event dispatching is the crash point. So, this patch should be okay for 1.9.2.
Attachment #514709 - Flags: review?(smichaud)
Comment on attachment 514709 [details] [diff] [review]
Patch v1.0 for 1.9.2

Looks good to me.
Attachment #514709 - Flags: review?(smichaud) → review+
Comment on attachment 514709 [details] [diff] [review]
Patch v1.0 for 1.9.2

Fixes a low frequency crash bug and the risk is low because similar check is in trunk.
Attachment #514709 - Flags: approval1.9.2.15?
Attachment #514709 - Flags: approval1.9.2.14?
Comment on attachment 514709 [details] [diff] [review]
Patch v1.0 for 1.9.2

I confirmed that this patch can be landed on 1.9.1 branch too.

The related methods wasn't changed during 1.9.1 and 1.9.2. And IME works fine with this patch on 1.9.1 too.
Attachment #514709 - Flags: approval1.9.1.18?
Attachment #514709 - Flags: approval1.9.1.17?
Comment on attachment 514709 [details] [diff] [review]
Patch v1.0 for 1.9.2

1.9.0 branch is same as 1.9.1 and 1.9.2. I confirmed that this patch doesn't break IME handling on 1.9.0 and checked the related method's code.

So, we can land this patch to all branches.
Attachment #514709 - Flags: approval1.9.0.next?
(In reply to comment #7)
> Comment on attachment 514709 [details] [diff] [review]
> Patch v1.0 for 1.9.2
> 
> 1.9.0 branch is same as 1.9.1 and 1.9.2. I confirmed that this patch doesn't
> break IME handling on 1.9.0 and checked the related method's code.

Thanks Masayuki!  If you'd like me to handle the 1.9.0 branch landing once this has approval, just let me know.
Comment on attachment 514709 [details] [diff] [review]
Patch v1.0 for 1.9.2

Approved for 1.9.2.15 and 1.9.1.18, a=dveditz for release-drivers
Attachment #514709 - Flags: approval1.9.2.15?
Attachment #514709 - Flags: approval1.9.2.15+
Attachment #514709 - Flags: approval1.9.2.14?
Attachment #514709 - Flags: approval1.9.1.18?
Attachment #514709 - Flags: approval1.9.1.18+
Attachment #514709 - Flags: approval1.9.1.17?
http://hg.mozilla.org/releases/mozilla-1.9.2/rev/bd8d194972df
http://hg.mozilla.org/releases/mozilla-1.9.1/rev/ad4a06aec979

(In reply to comment #8)
> If you'd like me to handle the 1.9.0 branch landing once this
> has approval, just let me know.

Yes, please.
Status: ASSIGNED → RESOLVED
Closed: 13 years ago
status1.9.1: --- → .18-fixed
status1.9.2: --- → .15-fixed
Resolution: --- → FIXED
The "3.6.15" we're releasing today does not fix this bug, the release containing this bug fix has been renamed to "3.6.16" and the bugzilla flags will be updated to reflect that soon. Today's release is a re-release of 3.6.14 plus a fix for a bug that prevented many Java applets from starting up.
I see, thank you for your information.
Are there any steps to reproduce for this bug?
Whiteboard: [qa-examined-192] [qa-examined-191]
I never could deduce any STR from the crash reports I looked at (besides "doing something with IME"), so unless Masayuki discovered some, no :(
I *guess* that some web pages might close its window by composition events or text event. And also the using IME calls [NSTextInput setMarkedText:selectedRange] after our nsChildView is destroyed.

However, closing window at such input events doesn't make sense. So, I'm not sure the STR.
Crash Signature: [@ -[ChildView setMarkedText:selectedRange:]]
Comment on attachment 514709 [details] [diff] [review]
Patch v1.0 for 1.9.2

This fix must not be necessary for 1.9.0.x anymore.
Attachment #514709 - Flags: approval1.9.0.next?
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: