composer crashes when doing table insert->column after

VERIFIED FIXED in mozilla1.0.1

Status

()

Core
Editor
--
critical
VERIFIED FIXED
16 years ago
16 years ago

People

(Reporter: Eugene von Niederhausern, Assigned: Charles Manske)

Tracking

({crash, testcase})

Trunk
mozilla1.0.1
x86
Windows NT
crash, testcase
Points:
---

Firefox Tracking Flags

(Not tracked)

Details

(Whiteboard: [adt1 RTM][fixed in trunk])

Attachments

(2 attachments, 1 obsolete attachment)

1.84 KB, text/html
Details
1.20 KB, patch
Kathleen Brade
: review+
kinmoz
: superreview+
jesup
: approval+
Details | Diff | Splinter Review
(Reporter)

Description

16 years ago
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (Windows; U; WinNT4.0; en-US; rv:1.0.0) Gecko/20020530
BuildID:    2002053012

when editing a table (includes a nested table) mozilla composer
crashes when using the pop-up menu (right-click) table insert->column after on
the outer table. Using the "show all tags" I selected the outter tables first
column header and used the menu. The page is a zope page template using the
tal,metal namespaces

Reproducible: Always
Steps to Reproduce:
1.edit the page
2.click "show all tags" tab
3.right click onthe outter tables first row column header (TH )
4.select from the menu table insert->column after

Actual Results:  hard crash

Expected Results:  add a column after in the outter table
---------------start page -------------------------
<html xmlns:tal="http://xml.zope.org/namespaces/tal"
 xmlns:metal="http://xml.zope.org/namespaces/metal"
 metal:use-macro="here/main_template/macros/master">
<head>
  <title>deposit requests daily summary report</title>
</head>
  <body>
                       
<div metal:fill-slot="heading">            
<h1>Deposit Requests Daily Summary </h1>
             </div>
                              
<div metal:fill-slot="main" tal:define="bank_hist da_folder/bank_hist">  
PREV   NEXT<br>
       
<hr>    
<table cellpadding="2" cellspacing="2" border="1"
 style="text-align: left;" width="100%">
              <thead>      <tr>
        <th valign="top" rowspan="1" colspan="2" align="center">Daily Request
  Summary<br>
        </th>
      </tr>
      <tr>
               <th>1/1/1970</th>
                          </tr>
              </thead>   <tbody>
                <tr>
                  <td>                                                  
                                     
      <table>
                         <tbody>
         <tr>
                   <td valign="top" rowspan="2" colspan="2">Totals      
                 </td>
                   <th valign="top" colspan="4">New             </th>
                                            </tr>
                 <tr>
                                 <th valign="top" rowspan="1"
 colspan="2">VarTec                           </th>
                    <th valign="top" rowspan="1" colspan="2">Excel      
                  </th>
                  </tr>
                  <tr>
                 <td colspan="2">12321</td>
                    <th valign="top" rowspan="1" colspan="1">Remit      
                  </th>
                    <th valign="top" rowspan="1" colspan="1">Other      
                  </th>
                    <th valign="top" rowspan="1" colspan="1">Remit      
                  </th>
                    <th valign="top" rowspan="1" colspan="1">Other      
                  </th>
                  </tr>
                  <tr>
                   <th valign="top">TX<br>
                    </th>
                    <td valign="top">33433<br>
                   </td>
                   <td valign="top">43<br>
                   </td>
                   <td valign="top">2<br>
                    </td>
                    <td valign="top">30<br>
                    </td>
                    <td valign="top">0<br>
                   </td>
                 </tr>
                  <tr>
                    <th valign="top">MO<br>
                    </th>
                    <td valign="top">223<br>
                    </td>
                    <td valign="top">11<br>
                    </td>
                    <td valign="top">0<br>
                    </td>
                    <td valign="top">55<br>
                    </td>
                    <td valign="top">2<br>
                    </td>
                  </tr>
                                                                        
         
        </tbody>                                                         
                   
      </table>
              </td>
                       </tr>
                                           
  </tbody>           
</table>
             </div>
               <br>
                   <br>
</body>
</html>
----------------------end page ------------------

Comment 1

16 years ago
Giving to cmanske since crash is in editor table code.

We're crashing in nsHTMLEditor::GetNextRow() because parentSibling is null:


    // We arrive here only if a table section has no children 
    //  or first child of section is not a row (bad HTML!)
    res = parentSibling->GetNextSibling(getter_AddRefs(parentSibling));


Here's the stack to the nsCOMPtr assertion before the crash:


NTDLL! 77fa018c()
nsDebug::Assertion(const char * 0x046820fc `string', const char * 0x04682138
`string', const char * 0x04682148 `string', int 650) line 280 + 13 bytes
nsDebug::PreCondition(const char * 0x046820fc `string', const char * 0x04682138
`string', const char * 0x04682148 `string', int 650) line 439 + 21 bytes
nsCOMPtr<nsIDOMNode>::operator->() line 650 + 34 bytes
nsHTMLEditor::GetNextRow(nsHTMLEditor * const 0x03877fd8, nsIDOMNode *
0x05a12d40, nsIDOMNode * * 0x0012bb28) line 399 + 32 bytes
nsHTMLEditor::InsertTableColumn(nsHTMLEditor * const 0x03877fd8, int 1, int 1)
line 605 + 48 bytes
nsHTMLEditorLog::InsertTableColumn(nsHTMLEditorLog * const 0x03877fd8, int 1,
int 1) line 510 + 17 bytes
nsEditorShell::InsertTableColumn(nsEditorShell * const 0x059b4700, int 1, int 1)
line 3150 + 31 bytes
XPTC_InvokeByIndex(nsISupports * 0x059b4700, unsigned int 79, unsigned int 2,
nsXPTCVariant * 0x0012bd70) line 106
XPCWrappedNative::CallMethod(XPCCallContext & {...}, XPCWrappedNative::CallMode
CALL_METHOD) line 1994 + 42 bytes
XPC_WN_CallMethod(JSContext * 0x03b51dd8, JSObject * 0x03c54448, unsigned int 2,
long * 0x05bf3b50, long * 0x0012c04c) line 1266 + 14 bytes
js_Invoke(JSContext * 0x03b51dd8, unsigned int 2, unsigned int 0) line 788 + 23
bytes
js_Interpret(JSContext * 0x03b51dd8, long * 0x0012ce8c) line 2743 + 15 bytes
js_Invoke(JSContext * 0x03b51dd8, unsigned int 2, unsigned int 2) line 805 + 13
bytes
nsXPCWrappedJSClass::CallMethod(nsXPCWrappedJSClass * const 0x059c6400,
nsXPCWrappedJS * 0x059cc250, unsigned short 5, const nsXPTMethodInfo *
0x059c7438, nsXPTCMiniVariant * 0x0012d380) line 1193 + 21 bytes
nsXPCWrappedJS::CallMethod(nsXPCWrappedJS * const 0x059cc250, unsigned short 5,
const nsXPTMethodInfo * 0x059c7438, nsXPTCMiniVariant * 0x0012d380) line 430
PrepareAndDispatch(nsXPTCStubBase * 0x059cc250, unsigned int 5, unsigned int *
0x0012d430, unsigned int * 0x0012d420) line 115 + 31 bytes
SharedStub() line 139
nsControllerCommandManager::DoCommand(nsControllerCommandManager * const
0x059c2d70, const nsAString & {...}, nsISupports * 0x059b4700) line 189 + 31 bytes
nsComposerController::DoCommand(nsComposerController * const 0x059b8370, const
nsAString & {...}) line 240
XPTC_InvokeByIndex(nsISupports * 0x059b8370, unsigned int 5, unsigned int 1,
nsXPTCVariant * 0x0012d5e4) line 106
XPCWrappedNative::CallMethod(XPCCallContext & {...}, XPCWrappedNative::CallMode
CALL_METHOD) line 1994 + 42 bytes
XPC_WN_CallMethod(JSContext * 0x03b51dd8, JSObject * 0x03afe448, unsigned int 1,
long * 0x05bf3b14, long * 0x0012d8c0) line 1266 + 14 bytes
js_Invoke(JSContext * 0x03b51dd8, unsigned int 1, unsigned int 0) line 788 + 23
bytes
js_Interpret(JSContext * 0x03b51dd8, long * 0x0012e700) line 2743 + 15 bytes
js_Invoke(JSContext * 0x03b51dd8, unsigned int 1, unsigned int 2) line 805 + 13
bytes
js_InternalInvoke(JSContext * 0x03b51dd8, JSObject * 0x05bba3e0, long 96183440,
unsigned int 0, unsigned int 1, long * 0x0012e958, long * 0x0012e828) line 880 +
20 bytes
JS_CallFunctionValue(JSContext * 0x03b51dd8, JSObject * 0x05bba3e0, long
96183440, unsigned int 1, long * 0x0012e958, long * 0x0012e828) line 3428 + 31 bytes
nsJSContext::CallEventHandler(nsJSContext * const 0x03ce7500, void * 0x05bba3e0,
void * 0x05bba490, unsigned int 1, void * 0x0012e958, int * 0x0012e95c, int 0)
line 1042 + 33 bytes
nsJSEventListener::HandleEvent(nsJSEventListener * const 0x03e11038, nsIDOMEvent
* 0x059579e8) line 182 + 77 bytes
nsEventListenerManager::HandleEventSubType(nsListenerStruct * 0x03e11118,
nsIDOMEvent * 0x059579e8, nsIDOMEventTarget * 0x03fd4418, unsigned int 8,
unsigned int 7) line 1221 + 20 bytes
nsEventListenerManager::HandleEvent(nsEventListenerManager * const 0x03e10fc0,
nsIPresContext * 0x03ce50a0, nsEvent * 0x0012f478, nsIDOMEvent * * 0x0012f328,
nsIDOMEventTarget * 0x03fd4418, unsigned int 7, nsEventStatus * 0x0012f4c4) line
2218 + 36 bytes
nsXULElement::HandleDOMEvent(nsXULElement * const 0x03fd4410, nsIPresContext *
0x03ce50a0, nsEvent * 0x0012f478, nsIDOMEvent * * 0x0012f328, unsigned int 1,
nsEventStatus * 0x0012f4c4) line 3447
PresShell::HandleDOMEventWithTarget(PresShell * const 0x03cb0558, nsIContent *
0x03fd4410, nsEvent * 0x0012f478, nsEventStatus * 0x0012f4c4) line 6213 + 36 bytes
nsMenuFrame::Execute() line 1684
nsMenuFrame::HandleEvent(nsMenuFrame * const 0x05beb638, nsIPresContext *
0x03ce50a0, nsGUIEvent * 0x0012f8c8, nsEventStatus * 0x0012f6c0) line 486
PresShell::HandleEventInternal(nsEvent * 0x0012f8c8, nsIView * 0x05bf2500,
unsigned int 1, nsEventStatus * 0x0012f6c0) line 6181 + 38 bytes
PresShell::HandleEvent(PresShell * const 0x03cb055c, nsIView * 0x05bf2500,
nsGUIEvent * 0x0012f8c8, nsEventStatus * 0x0012f6c0, int 0, int & 1) line 6089 +
25 bytes
nsViewManager::HandleEvent(nsView * 0x05be61a8, nsGUIEvent * 0x0012f8c8, int 0)
line 2085
nsView::HandleEvent(nsViewManager * 0x03c6eb38, nsGUIEvent * 0x0012f8c8, int 0)
line 306
nsViewManager::DispatchEvent(nsViewManager * const 0x03c6eb38, nsGUIEvent *
0x0012f8c8, nsEventStatus * 0x0012f7c4) line 1890 + 23 bytes
HandleEvent(nsGUIEvent * 0x0012f8c8) line 83
nsWindow::DispatchEvent(nsWindow * const 0x05be6274, nsGUIEvent * 0x0012f8c8,
nsEventStatus & nsEventStatus_eIgnore) line 1025 + 10 bytes
nsWindow::DispatchWindowEvent(nsGUIEvent * 0x0012f8c8) line 1046
nsWindow::DispatchMouseEvent(unsigned int 301, unsigned int 0, nsPoint *
0x00000000) line 4909 + 21 bytes
ChildWindow::DispatchMouseEvent(unsigned int 301, unsigned int 0, nsPoint *
0x00000000) line 5166
nsWindow::ProcessMessage(unsigned int 514, unsigned int 0, long 6094921, long *
0x0012fcec) line 3777 + 28 bytes
nsWindow::WindowProc(HWND__ * 0x00040650, unsigned int 514, unsigned int 0, long
6094921) line 1290 + 27 bytes
USER32! 77e11b60()
USER32! 77e11cca()
USER32! 77e183f1()
nsAppShellService::Run(nsAppShellService * const 0x01673a30) line 451
main1(int 2, char * * 0x003074c8, nsISupports * 0x00000000) line 1456 + 32 bytes
main(int 2, char * * 0x003074c8) line 1805 + 37 bytes
mainCRTStartup() line 338 + 17 bytes
KERNEL32! 77e8d326()
Assignee: kin → cmanske

Comment 2

16 years ago
Created attachment 87945 [details]
Test case from bug description.

Updated

16 years ago
Status: UNCONFIRMED → NEW
Ever confirmed: true

Updated

16 years ago
Keywords: crash, testcase
(Assignee)

Comment 3

16 years ago
Created attachment 87959 [details] [diff] [review]
patch v1

Cause of problem is a "_moz_text" node used in table layout that's not in
actual
source between the <th> elements in the table. I had code to detect this case,
but it was never tested properly and thus revealed a bad XPCOM code pattern.
Fix is very obvious and safe: Whenever you get a sibling from a node, you must
get it into a different temp node -- you can't get it into the same XPCOM
object
because it is nulled first, causing a crash.
(Assignee)

Comment 4

16 years ago
I also checked for other occurences of this same bad pattern and found none.
Status: NEW → ASSIGNED
Keywords: nsbeta1+, patch, review
Whiteboard: [adt1 RTM][FIX IN HAND][need r=,sr=]
Target Milestone: --- → mozilla1.0.1

Comment 5

16 years ago
Comment on attachment 87959 [details] [diff] [review]
patch v1

r=brade
Attachment #87959 - Flags: review+
(Assignee)

Comment 6

16 years ago
Created attachment 87961 [details] [diff] [review]
patch v2

Simpler fix. We are in "while (parentSibling)" loop, so we don't need
"if (parentSibling)"
Attachment #87959 - Attachment is obsolete: true

Comment 7

16 years ago
Comment on attachment 87961 [details] [diff] [review]
patch v2

r=brade
Attachment #87961 - Flags: review+

Comment 8

16 years ago
Comment on attachment 87961 [details] [diff] [review]
patch v2

sr=kin@netscape.com
Attachment #87961 - Flags: superreview+
(Assignee)

Comment 9

16 years ago
checked into trunk
Status: ASSIGNED → RESOLVED
Last Resolved: 16 years ago
Keywords: patch, review → adt1.0.1, mozilla1.0.1
Resolution: --- → FIXED
Whiteboard: [adt1 RTM][FIX IN HAND][need r=,sr=] → [adt1 RTM][fixed in trunk]

Comment 10

16 years ago
Verified on Win 2k using the 06-18 trunk build.
Status: RESOLVED → VERIFIED

Comment 11

16 years ago
adding adt1.0.1+.  Please get drivers approval before checking in.
Keywords: adt1.0.1 → adt1.0.1+
Comment on attachment 87961 [details] [diff] [review]
patch v2

Approval granted for 1.0 branch checkin; please remove the mozilla1.0.1+
keyword when this is fixed and add the fixed 1.0.1 keyword.
Attachment #87961 - Flags: approval+

Comment 13

16 years ago
please checkin to the 1.0.1 branch. once there, remove the "mozilla1.0.1+"
keyword and add the "fixed1.0.1" keyword.
Keywords: mozilla1.0.1 → mozilla1.0.1+
(Assignee)

Comment 14

16 years ago
checked into mozilla1.0.1 branch
Keywords: mozilla1.0.1+ → fixed1.0.1

Comment 15

16 years ago
*** Bug 154648 has been marked as a duplicate of this bug. ***

Comment 16

16 years ago
verified in 7/18 branch

removing fixed 1.0.1 keyword
Keywords: fixed1.0.1 → verified1.0.1
You need to log in before you can comment on or make changes to this bug.