Closed
Bug 136165
Opened 23 years ago
Closed 22 years ago
Composer crashes after deleting styled text
Categories
(Core :: DOM: Editor, defect)
Core
DOM: Editor
Tracking
()
VERIFIED
FIXED
People
(Reporter: nemeth.istvan, Assigned: mozeditor)
References
Details
(Keywords: crash, topcrash, Whiteboard: [EDITORBASE+] [adt2])
Attachments
(1 file, 1 obsolete file)
3.02 KB,
patch
|
cmanske
:
review+
dveditz
:
superreview+
endico
:
approval+
|
Details | Diff | Splinter Review |
Start Composer Switch to Show-all-tags Enter some text like "123 456 789" Selected some words between, like "456" Changed its color to red Try to delete it. A font symbol will remain there. Deleting the font symbol the mozilla crashes. Tried twice, crashed twice.
Comment 1•23 years ago
|
||
build ID ? Wo you have a tlkabck ID for that crash ?
Reporter | ||
Comment 2•23 years ago
|
||
Just the plain 0.9.9 (Gecko/20020311) If you mean this.
Comment 3•23 years ago
|
||
wfm with win2k build 20020407. Is it possible that you try it again with a nightly build (install it in a different directory) ? or a talkback ID from a build with talkback
Updated•23 years ago
|
Severity: normal → critical
Keywords: crash,
stackwanted
Reporter | ||
Comment 5•23 years ago
|
||
I have no firewall, so I can't download the nightly. The exact steps are: start Composer, switch to Show All Tags [1],[2],[3],[left],[shift+left],[ctrl+i],[left],[shift+right],[delete] the [i] symbol remained there, I can't go right pressing the [right] after [end],[left],[backspace] the Mozilla crashes. I am using W2KSP2
Comment 6•23 years ago
|
||
Nemeth, night builda are available via HTTP and FTP: http://ftp.mozilla.org/pub/mozilla/nightly/latest/ ftp://ftp.mozilla.org/pub/mozilla/nightly/latest/
Reporter | ||
Comment 7•23 years ago
|
||
I downloaded it and tried it. The Mozilla crashes. My version was:
Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:0.9.9+) Gecko/20020408
>>or a talkback ID from a build with talkback
Where can I get this ID from?
István (Németh is my family name, in Hungary we are using it backwards)
Comment 8•23 years ago
|
||
Joe--does your patch fix this bug?
Component: Browser-General → Editor: Composer
Comment 9•23 years ago
|
||
While using build 2002041617 on a Win98 machine, I could not confirm this bug. However the font tag was left over after deleting the text in Show all tags mode. I'm unsure if this is not a feature, since the remnant font tag could be used to be applied to arbitrary text instead of the intended text.
Comment 10•23 years ago
|
||
--> jfrancis
Assignee: Matti → jfrancis
Component: Editor: Composer → Editor: Core
Assignee | ||
Comment 11•22 years ago
|
||
show all tags mode is not needed to reproduce this. confirming bug.
Status: UNCONFIRMED → NEW
Ever confirmed: true
Assignee | ||
Comment 12•22 years ago
|
||
*** Bug 143331 has been marked as a duplicate of this bug. ***
Assignee | ||
Comment 13•22 years ago
|
||
*** Bug 145608 has been marked as a duplicate of this bug. ***
Assignee | ||
Comment 14•22 years ago
|
||
This prevents the crash. It does not address the underlying problem, but rather just prevents it from causing a crash. I'm posting this patch because I think we should use it for the moz1.0 branch. It is a very safe patch. Fixing the "real" bug will be more risky.
Assignee | ||
Comment 15•22 years ago
|
||
nominating with keyword soup. at least three different people have hit this crash, so we need to fix it.
Status: NEW → ASSIGNED
Keywords: stackwanted → nsbeta1
Whiteboard: [EDITORBASE] fixinhand; need r=;sr=
Assignee | ||
Comment 16•22 years ago
|
||
Comment on attachment 84532 [details] [diff] [review] patch to editor/libeditor/html/nsWSRunObject.cpp r=glazman
Attachment #84532 -
Flags: review+
Assignee | ||
Updated•22 years ago
|
Summary: Composer crashes deleting a colored text in show-all-tags mode → Composer crashes after deleting styled text
Updated•22 years ago
|
Whiteboard: [EDITORBASE] fixinhand; need r=;sr= → [EDITORBASE] [adt2]fixinhand; need r=;sr=
Comment 18•22 years ago
|
||
per jfrancis: This is the 23rd most common crash in the talkback for rc2
Assignee | ||
Comment 19•22 years ago
|
||
still need sr.
Whiteboard: [EDITORBASE] [adt2]fixinhand; need r=;sr= → [EDITORBASE] [adt2]fixinhand; need sr=
Comment 20•22 years ago
|
||
Comment on attachment 84532 [details] [diff] [review] patch to editor/libeditor/html/nsWSRunObject.cpp > for (pos=mOffset-1; pos>=0; pos--) > { >+ PRInt32 fragLen = textFrag->GetLength(); >+ if ((pos<0) || (pos>=fragLen)) Could pos really be < 0? I don't see how, if you're worried about it anyway but don't think it should be right that's a perfect place for NS_ASSERTION(pos >= 0, "Illegal value for pos!"); I also don't see the reason for the temp variable, it's not adding a whole lot of clarity. if ( pos >= textFrag->GetLength() ) ought to do fine. >+ { >+ NS_NOTREACHED("looking beyond end of text fragment"); >+ continue; Is NS_NOTREACHED appropriate (as opposed to NS_ERROR)? The fact that we're crashing seems to indicate something happens regularly that the code wasn't expecting. Is this a real fix or just preventing the crash? What's the real problem? If we're putting off the real fix (because we don't know why it happens) this bug should stay open and get changed to something like "Composer asserts after deleting <etc>" Now that I see what the continue is doing (decrementing pos) I'm even less happy you can get into this block if pos < 0, although at the moment the top for loop should catch it (until someone changes it). > textNode->GetTextLength(&len); > if (mOffset<len) > { > PRInt32 pos; > for (pos=mOffset; pos<len; pos++) > { >+ PRInt32 fragLen = textFrag->GetLength(); >+ if ((pos<0) || (pos>=fragLen)) >+ { >+ NS_NOTREACHED("looking beyond end of text fragment"); >+ continue; >+ } What's the point of the continue, anyway? You're already past the length of your fragment so you'll just spew out warnings for each charater until the for loop stops -- why not just break; instead? It's not just these two loops, the same comments apply to all the loops. >@@ -1888,15 +1912,13 @@ > >- PRInt32 len; >- res = aTextNode->GetTextLength(&len); >- NS_ENSURE_SUCCESS(res, 0); >+ PRInt32 len = textFrag->GetLength(); What's the difference between GetTextLength and GetLength? > if (!len) > return 0; len is a physical length, right? (len != 0) would seem clearer for this case
Comment 21•22 years ago
|
||
Comment on attachment 84532 [details] [diff] [review] patch to editor/libeditor/html/nsWSRunObject.cpp sr=jst
Attachment #84532 -
Flags: superreview+
Assignee | ||
Comment 22•22 years ago
|
||
to respond to deveditz: 0) you are right about pos being non-negative. i was being anal. 1) you are right about the temp being unneeded - i'll get rid of it 2) you are right that this will not close the real bug. my earlier comment #14 already indicated that. I want the safest possible fix to maximize branch landing odds. This crash is being hit a lot and I don't want moz1.0 or future ns's to ship with it. 3) the point of the continue is that it is probably correct to do the processing in this loop for the characters that are not beyond the end of the range. break would skip that. 4) I used GetLength to make sure I was talking to the actual fragment. It was just cleanup+paranoia. why get the length from a different interface than I was getting the data from?
Assignee | ||
Comment 23•22 years ago
|
||
This addresses dveditz's comments. I have confirmed this still fixes bug.
Assignee | ||
Updated•22 years ago
|
Attachment #84532 -
Attachment is obsolete: true
Assignee | ||
Comment 24•22 years ago
|
||
seeking driver approval
Keywords: approval
Whiteboard: [EDITORBASE] [adt2]fixinhand; need sr= → [EDITORBASE] [adt2]fixinhand; need a=
Assignee | ||
Comment 25•22 years ago
|
||
adding adt1.0.0, topcrash
Assignee | ||
Comment 26•22 years ago
|
||
*** Bug 126026 has been marked as a duplicate of this bug. ***
Comment 27•22 years ago
|
||
adding adt1.0.0+ for checkin to 1.0 branch, pending reviews of the new patch and drivers approval.
Comment 28•22 years ago
|
||
Comment on attachment 84689 [details] [diff] [review] patch to nsWSRunObject.cpp thanks, sr=dveditz The continue question was more about the two loops which increment -- you will never come back into range. No big deal, maybe the assertion spew will motivate someone to fix the real problem later
Updated•22 years ago
|
Attachment #84689 -
Flags: superreview+
Comment 29•22 years ago
|
||
changing qa_contact.
OS: Windows 2000 → All
QA Contact: imajes-qa → sujay
Hardware: PC → All
Whiteboard: [EDITORBASE] [adt2]fixinhand; need a= → [EDITORBASE+] [adt2]fixinhand; need a=
Comment 30•22 years ago
|
||
Comment on attachment 84689 [details] [diff] [review] patch to nsWSRunObject.cpp r=cmanske
Attachment #84689 -
Flags: review+
Assignee | ||
Comment 31•22 years ago
|
||
fix landed on trunk. still awaiting drivers for branch landing.
Status: ASSIGNED → RESOLVED
Closed: 22 years ago
Resolution: --- → FIXED
Comment 33•22 years ago
|
||
Comment on attachment 84689 [details] [diff] [review] patch to nsWSRunObject.cpp a=shaver,scc,tor please check this in today
Attachment #84689 -
Flags: approval+
Assignee | ||
Comment 34•22 years ago
|
||
Sujay: fix landed on branch - please verify branch
Keywords: adt1.0.0+ → fixed1.0.0
Whiteboard: [EDITORBASE+] [adt2]fixinhand; need a= → [EDITORBASE+] [adt2]
You need to log in
before you can comment on or make changes to this bug.
Description
•