Closed Bug 101710 Opened 23 years ago Closed 23 years ago

Find crashes in frames [@ nsContentIterator::NextNode]

Categories

(Core :: DOM: Editor, defect)

Product:
Core
Component:
DOM: Editor
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
VERIFIED FIXED
Milestone:
mozilla0.9.5

People

(Reporter: ccarlen, Assigned: jesup)

References

(
URL
)

Details

(Keywords: crash, regression, topcrash)

Crash Data

Attachments

(2 files)

Fixes crash due to underflow of index stack
2.81 KB, patch
Details | Diff | Splinter Review
Updated patch
3.37 KB, patch
sfraser_bugs
: review+
kinmoz
: superreview+
Details | Diff | Splinter Review 
Go to the given URL.
Search for the word "Carbon"
Crash.

It crashes here:
http://lxr.mozilla.org/mozilla/source/content/base/src/nsContentIterator.cpp#711

This broke recently.
Just noticed this was on the console after crash if that helps.

!!! ASSERTION: ContentIterator stack underflow: 'aIndexes->Count() > 0', file
d:\moz\mozilla\content\base\src\nsContentIterator.cpp, line 705
!!! ASSERTION: ContentIterator stack underflow: 'aIndexes->Count() > 0', file
d:\moz\mozilla\content\base\src\nsContentIterator.cpp, line 705
!!! ASSERTION: You can't dereference a NULL nsCOMPtr with operator->().:
'mRawPtr != 0', file ..\..\..\dist\include\nsCOMPtr.h, line 649
WFM If I use 2001092308, [before the find patch landed]. So its a regression one.

I don't know if it is related but when searching with my version, the search
code never stops. I.e. when doing 'Search', I end up doing a loop over the text
(going on the left frame and coming back to the main one), never reaching a End
of text reached.
I don't know if this is related to the frames.
Is this normal behavior?
Severity: major → critical
Keywords: crash
> I.e. when doing 'Search', I end up doing a loop over the text (going on the
> left frame and coming back to the main one), never reaching a End of text
> reached.

That's an unrelated problem but, since you mention it, it bug 92102.



This is definitely caused by 31770.  I'm going to try my older patch and see if
the same thing happens.  In any case, I believe there is an easy solution if
this is a index stack underflow.
Verified that this bug does not occur with the last patch I posted to bug 31770,
so it must be part of jfrancis' rewrite (I must have missed it in review).  I'll
look at it more closely after lunch.
I have a patch that appears to fix the bug, though it's probably not minimal. 
I'll attach it shortly.
Tested with Linux and FreeBSD on the site given.  Still may do more than
absolutely required, but I think all the changes are good.

Looking for r/sr, also suggesting for nsbranch because 31770 was suggested for
nsbranch.  Adding dependency
Blocks: 31770
Keywords: approval, nsbranch, patch
Target Milestone: --- → mozilla0.9.5
*** Bug 101737 has been marked as a duplicate of this bug. ***
Keywords: topcrash
Summary: Find crashes in frames → Find crashes in frames [@ nsContentIterator::NextNode]
Marking nsbranch-. 31770 was marked nsbranch-.
Keywords: nsbranchnsbranch-
- Appending dummy zeros to mIndexes should not be necessary since we should
never go above mCommonParent.

- PositionAt() is not implemented for the subtree iterator, so First()/Last()
will be broken for the subtree iterator.
After discussion with Kin, new patch coming.  Overrides First & Last in the
subtree iterator so we can use PositionAt in the content iterator's First/Last. 
Also removed some unneeded parts of the earlier patch.  Tested on BSD/Linux.
Comment on attachment 50953 [details] [diff] [review]
Updated patch

sr=kin@netscape.com

For the places where you added:

  +      if (aIndexes->Count() > 1)


do we want to add asserts to indicate when that isn't true?
Attachment #50953 - Flags: superreview+
Taking the bug; will commit if I get an r=.

I prefer not to assert on those cases.  I don't consider that a real bug, and
non-bug assertions are very annoying in the source tree.  However, I agree that
I don't _think_ they'll ever be hit.  I'd rather just be safe, since we don't
want to take array[-1].
Assignee: jfrancis → rjesup
Comment on attachment 50953 [details] [diff] [review]
Updated patch

r=sfraser
Attachment #50953 - Flags: review+
Fix checked in
Status: NEW → RESOLVED
Closed: 23 years ago
Resolution: --- → FIXED
*** Bug 101889 has been marked as a duplicate of this bug. ***
Verified Fixed on 10-03 Trunk Build
Status: RESOLVED → VERIFIED
I might be seing a version of this bug with BuildId 2002030616 on RedHat Linux. 

Reproducible: always.
To reproduce:
0) Get Mozilla with spellchecker (see http://spellchecker.mozdev.org/ or bug 56301)
1) Compose a message with a word "misteke" on a line by itself.
2) Spellcheck it.
3) When spellchecker highlights "misteke" and proposes "mistake", click on "Change".

"misteke misteke" does not cause the crash.

Stack trace:

#0  0x40e1fa99 in nsContentIterator::NextNode () from
/usr/lib/mozilla/components/libgkcontent.so
#1  0x40e20161 in nsContentIterator::Next () from
/usr/lib/mozilla/components/libgkcontent.so
#2  0x4274fea8 in nsTextServicesDocument::FirstTextNodeInNextBlock ()
   from /usr/lib/mozilla/components/libtxtsvc.so
#3  0x42750084 in nsTextServicesDocument::GetFirstTextNodeInNextBlock ()
   from /usr/lib/mozilla/components/libtxtsvc.so
#4  0x42748b9c in nsTextServicesDocument::FirstBlock () from
/usr/lib/mozilla/components/libtxtsvc.so
#5  0x427597b8 in mozSpellChecker::SetupDoc () from
/usr/lib/mozilla/components/libspellchecker.so
#6  0x427586bb in mozSpellChecker::NextMisspelledWord () from
/usr/lib/mozilla/components/libspellchecker.so
#7  0x4272bf6c in nsEditorShell::GetNextMisspelledWord () from
/usr/lib/mozilla/components/libcomposer.so
#8  0x40185fa2 in XPTC_InvokeByIndex () from /usr/lib/libxpcom.so
 ...

Does this look like the same bug, or a different one?

P.S. This bug was initially discovered by kaskalis@uom.gr
Crash Signature: [@ nsContentIterator::NextNode]
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: