Closed Bug 161444 Opened 22 years ago Closed 22 years ago

crash doing 'select all' [@ nsTypedSelection::selectFrames]

Categories

(Core :: DOM: Selection, defect)

x86
All
defect
Not set
critical

VERIFIED FIXED

People

(Reporter: jrgmorrison, Assigned: mjudge)

Details

(Keywords: crash, regression, topcrash, Whiteboard: EDITORBASE)

Attachments

(2 files)

Steps to repro:
1) start browser, load http://www.mozilla.org/start.html
2) set focus in content area
3) Ctrl-A
4) crash

On second pass in to selectFrames, |frame| is null...

  result = mFrameSelection->GetTracker()->GetPrimaryFrameFor(innercontent,
                                                             &frame);
  if (NS_SUCCEEDED(result) && frame)
    //NOTE: eSpreadDown is now IGNORED. Selected state is set only for given
    // frame
    frame->SetSelected(aPresContext, nsnull,aFlags,eSpreadDown); //spread from 
                                              // here to hit all frames in flow
    frame->GetRect(frameRect); //<-- added this line, 
                               //<-- but it's not part of the
                               //<-- |if (... && frame)| check above

nsTypedSelection::selectFrames(nsTypedSelection * const 0x035e4548, 
nsIPresContext * 0x036304a8, nsIContentIterator * 0x036c9848, nsIContent * 
0x02a379b8, nsIDOMRange * 0x036ee7a0, nsIPresShell * 0x0362b008, int 
0x00000001) line 4988 + 9 bytes
nsTypedSelection::selectFrames(nsTypedSelection * const 0x035e4548, 
nsIPresContext * 0x036304a8, nsIDOMRange * 0x036ee7a0, int 0x00000001) line 
5091
nsTypedSelection::Extend(nsTypedSelection * const 0x02d437e0, nsIDOMNode * 
0x036ee7a0, int 0x036ee7a0) line 6565
nsTypedSelection::SelectAllChildren(nsTypedSelection * const 0x00000002, 
nsIDOMNode * 0x04eff8f0) line 6846 + 12 bytes
DocumentViewerImpl::SelectAll(DocumentViewerImpl * const 0x02cbba2c) line 5452
nsDOMWindowController::DoCommandWithEditInterface(nsDOMWindowController * const 
0x02502890, const char * 0x0012e198) line 6159
nsDOMWindowController::DoCommand(nsDOMWindowController * const 0x0246b198, 
const char * 0x0012e198) line 6104 + 9 bytes
nsXBLPrototypeHandler::ExecuteHandler(nsXBLPrototypeHandler * const 0x024a5f60, 
nsIDOMEventReceiver * 0x1004bf24 const  nsDefaultStringComparator::`vftable', 
nsIDOMEvent * 0x02fad558) line 328
nsXBLWindowHandler::WalkHandlersInternal(nsXBLWindowHandler * const 0x02502890, 
nsIDOMEvent * 0x02fad558, nsIAtom * 0x019ccfc8, nsIXBLPrototypeHandler * 
0x0199ebc8) line 312
nsXBLWindowKeyHandler::WalkHandlers(nsXBLWindowKeyHandler * const 0x021abf48, 
nsIDOMEvent * 0x02fad558, nsIAtom * 0x019ccfc8) line 183
nsXBLWindowKeyHandler::KeyPress(nsXBLWindowKeyHandler * const 0x021abf48, 
nsIDOMEvent * 0x02fad558) line 199
nsEventListenerManager::HandleEvent(nsEventListenerManager * const 0x01a79808, 
nsIPresContext * 0x00000000, nsEvent * 0x0012fb20, nsIDOMEvent * * 0x021abf48, 
nsIDOMEventTarget * 0x0199ebc8, unsigned int 0x00000002, nsEventStatus * 
0x0012fa84) line 1707
nsWindowRoot::HandleChromeEvent(nsWindowRoot * const 0x00000000, nsIPresContext 
* 0x036304a8, nsEvent * 0x0012fb20, nsIDOMEvent * * 0x0012f918, unsigned int 
0x00000002, nsEventStatus * 0x0012fa84) line 182
GlobalWindowImpl::HandleDOMEvent(GlobalWindowImpl * const 0x019fee60, 
nsIPresContext * 0x036304a8, nsEvent * 0x0012fb20, nsIDOMEvent * * 0x0012f918, 
unsigned int 0x00000002, nsEventStatus * 0x0012fa84) line 784
nsXULDocument::HandleDOMEvent(nsXULDocument * const 0x00eed720, nsIPresContext 
* 0x036304a8, nsEvent * 0x0012fb20, nsIDOMEvent * * 0x0012f918, unsigned int 
0x00000002, nsEventStatus * 0x0012fa84) line 2625
nsXULElement::HandleDOMEvent(nsXULElement * const 0x021aa360, nsIPresContext * 
0x036304a8, nsEvent * 0x00000000, nsIDOMEvent * * 0x0012f918, unsigned int 
0x00000002, nsEventStatus * 0x0012fa84) line 3476 + 21 bytes
nsXULElement::HandleDOMEvent(nsXULElement * const 0x021e5770, nsIPresContext * 
0x036304a8, nsEvent * 0x021aa360, nsIDOMEvent * * 0x0012f918, unsigned int 
0x00000002, nsEventStatus * 0x0012fa84) line 3472
nsXULElement::HandleDOMEvent(nsXULElement * const 0x021e5898, nsIPresContext * 
0x036304a8, nsEvent * 0x021e5770, nsIDOMEvent * * 0x0012f918, unsigned int 
0x00000002, nsEventStatus * 0x0012fa84) line 3472
nsXULElement::HandleDOMEvent(nsXULElement * const 0x021e59a0, nsIPresContext * 
0x036304a8, nsEvent * 0x021e5898, nsIDOMEvent * * 0x0012f918, unsigned int 
0x00000002, nsEventStatus * 0x0012fa84) line 3472
nsXULElement::HandleDOMEvent(nsXULElement * const 0x021e59e0, nsIPresContext * 
0x036304a8, nsEvent * 0x021e59a0, nsIDOMEvent * * 0x0012f918, unsigned int 
0x00000002, nsEventStatus * 0x0012fa84) line 3472
nsXULElement::HandleDOMEvent(nsXULElement * const 0x023ed0e8, nsIPresContext * 
0x036304a8, nsEvent * 0x021e59e0, nsIDOMEvent * * 0x0012f918, unsigned int 
0x00000002, nsEventStatus * 0x0012fa84) line 3472
nsXULElement::HandleDOMEvent(nsXULElement * const 0x023f5ba0, nsIPresContext * 
0x036304a8, nsEvent * 0x023ed0e8, nsIDOMEvent * * 0x0012f918, unsigned int 
0x00000002, nsEventStatus * 0x0012fa84) line 3472
nsXULElement::HandleDOMEvent(nsXULElement * const 0x023f5c48, nsIPresContext * 
0x036304a8, nsEvent * 0x023f5ba0, nsIDOMEvent * * 0x0012f918, unsigned int 
0x00000002, nsEventStatus * 0x0012fa84) line 3472
nsXULElement::HandleChromeEvent(nsXULElement * const 0x00eed720, nsIPresContext 
* 0x036304a8, nsEvent * 0x0012fb20, nsIDOMEvent * * 0x0012f918, unsigned int 
0x00000002, nsEventStatus * 0x0012fa84) line 4681 + 24 bytes
GlobalWindowImpl::HandleDOMEvent(GlobalWindowImpl * const 0x024176f0, 
nsIPresContext * 0x036304a8, nsEvent * 0x0012fb20, nsIDOMEvent * * 0x0012f918, 
unsigned int 0x00000002, nsEventStatus * 0x0012fa84) line 784
nsDocument::HandleDOMEvent(nsDocument * const 0x03a85b98, nsIPresContext * 
0x036304a8, nsEvent * 0x0012fb20, nsIDOMEvent * * 0x0012f918, unsigned int 
0x00000002, nsEventStatus * 0x0012fa84) line 3531
nsGenericElement::HandleDOMEvent(nsGenericElement * const 0x039cb538, 
nsIPresContext * 0x036304a8, nsEvent * 0x00000000, nsIDOMEvent * * 0x0012f918, 
unsigned int 0x00000001, nsEventStatus * 0x0012fa84) line 1852 + 16 bytes
PresShell::HandleEventInternal(PresShell * const 0x02502890, nsEvent * 
0x037b0da0, nsIView * 0x0246b870, unsigned int 0x00000001, nsEventStatus * 
0x0012fa84) line 6105 + 18 bytes
PresShell::HandleEvent(PresShell * const 0x037b0da0, nsIView * 0x0246b870, 
nsGUIEvent * 0x0012fb20, nsEventStatus * 0x0012fa84, int 0x00000001, int & 
0x00000001) line 6028 + 18 bytes
nsViewManager::HandleEvent(nsViewManager * const 0x02502890, nsView * 
0x00000001, nsGUIEvent * 0x00000000, int 0x00000000) line 2052
nsView::HandleEvent(nsView * const 0x02502890, nsViewManager * 0x02b9cd70, 
nsGUIEvent * 0x0012fb20, int 0x00000000) line 306
nsViewManager::DispatchEvent(nsViewManager * const 0x02b9cd70, nsGUIEvent * 
0x0246b870, nsEventStatus * 0x0012fae8) line 1903 + 30 bytes
HandleEvent(nsGUIEvent * 0x0012fb20) line 83
nsWindow::DispatchEvent(nsWindow * const 0x02e5622c, nsGUIEvent * 0x0012fb20, 
nsEventStatus & nsEventStatus_eIgnore) line 1038
nsWindow::DispatchWindowEvent(nsWindow * const 0x02502890, nsGUIEvent * 
0x00000000) line 1055
nsWindow::DispatchKeyEvent(nsWindow * const 0x02502890, unsigned int 
0x00000083, unsigned short 0x0061, unsigned int 0x00000000, long 0x00000000) 
line 2885 + 14 bytes
nsWindow::OnChar(nsWindow * const 0x02502890, unsigned int 0x00000001, unsigned 
int 0x00000001, unsigned char 0x00) line 3063 + 17 bytes
nsWindow::ProcessMessage(nsWindow * const 0x02502890, unsigned int 0x00000102, 
unsigned int 0x00000001, long 0x001e0001, long * 0x0012fda0) line 3712
nsWindow::WindowProc(HWND__ * 0x02a20088, unsigned int 0x00000000, unsigned int 
0x00000001, long 0x02e5622c) line 1303 + 16 bytes
USER32! 77e13eb0()
USER32! 77e1401a()
USER32! 77e192da()
nsAppShellService::Run(nsAppShellService * const 0x00ef2d30) line 452
main1(int 0x00000001, char * * 0x00253af8, nsISupports * 0x00253b30) line 1516 
+ 9 bytes
main(int 0x00000001, char * * 0x00253af8) line 1876 + 26 bytes
WinMain(HINSTANCE__ * 0x00400000, HINSTANCE__ * 0x00400000, char * 0x00133352, 
HINSTANCE__ * 0x00400000) line 1896 + 23 bytes
MOZILLA! WinMainCRTStartup + 308 bytes
KERNEL32! 77e87903()

er, that url is http://www.mozilla.org/start/ (not .../start.html), but 
I don't think the content really matters. (I first crashed doing select
all on the 'about:cache?device=disk' page).

On Linux, I merely have to start a selection of text in a page, it seems (trunk)
Crashed 4 times so far today, although I realized what was going on after the
second crash. It's veeery easy to start a selection by accident. 

Blocker? Changing OS.
OS: Windows 2000 → All
I'm seeing this on 2002080704.  Here are some TBs:

TB9063846G
TB9063949K

Comment #2 may be bug 153457, I'm seeing that today as well.
Attached file gdb backtrace
I assume this is a regression?
adding some keywords/status
Whiteboard: EDITORBASE
seeing this *frequently* in 2002080705/Linux, since I like to select-and-drag
rather than dragging on the scrollbar, this bug is really annoying :(
perhaps needless to say, but backing out the checkins for bug 159207 cures the
crashes..
cvs update -j1.51 -j1.50 mozilla/layout/html/base/src/nsHRFrame.cpp
cvs update -j3.384 -j3.383 mozilla/layout/html/base/src/nsFrame.cpp
cvs update -j3.125 -j3.124 mozilla/content/base/src/nsSelection.cpp
hmm, missed a {} around the indented code.  I added it to the code above but not 
the crashing block.  I have a fix; looking for when I can check it in.
Status: NEW → ASSIGNED
code was indented already as though it was in a block.  I forgot to add the {}
to make it a block, sorry. 2 line fix
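
The missing-braces pattern described in the comment above, reduced to a self-contained C++ sketch. This is an added example, not the attached patch and not Mozilla code. `Frame`, the fault-counting `GetRect` and the function names are hypothetical stand-ins, and the null access is counted rather than executed so that both forms can run side by side.

```cpp
#include <cstdio>
#include <vector>

// Hypothetical stand-in for nsIFrame; not Mozilla code.
struct Frame {
  bool selected = false;
  int rect = 0;
  void SetSelected(bool on) { selected = on; }
};

// Stand-in for frame->GetRect(): counts a fault where the real code would crash.
static void GetRect(Frame* frame, int& out, int& faults) {
  if (!frame) { ++faults; return; }
  out = frame->rect;
}

// Shape of the crashing code: only SetSelected() is guarded by the if.
int selectFramesUnbraced(const std::vector<Frame*>& frames) {
  int faults = 0, rect = 0;
  for (Frame* frame : frames) {
    if (frame)
      frame->SetSelected(true);
      GetRect(frame, rect, faults);  // runs even when frame is null
  }
  return faults;
}

// Shape of the fix: braces put both statements under the null check.
int selectFramesBraced(const std::vector<Frame*>& frames) {
  int faults = 0, rect = 0;
  for (Frame* frame : frames) {
    if (frame) {
      frame->SetSelected(true);
      GetRect(frame, rect, faults);
    }
  }
  return faults;
}

// Constructed input: the second content node has no primary frame.
int countFaults(bool braced) {
  Frame a, b;
  std::vector<Frame*> frames = {&a, nullptr, &b};
  return braced ? selectFramesBraced(frames) : selectFramesUnbraced(frames);
}

int main() {
  std::printf("unbraced: %d, braced: %d\n", countFaults(false), countFaults(true));
}
```

GCC's `-Wmisleading-indentation` warning, which is part of `-Wall`, reports the unbraced form at compile time.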
Comment on attachment 94347 [details] [diff] [review]
patch for {} in nsSelection.cpp

r=brade
Attachment #94347 - Flags: review+
likely duplicates: bug 161500, bug 161484, bug 161500
bug 161499
Attachment #94347 - Flags: superreview+
Comment on attachment 94347 [details] [diff] [review]
patch for {} in nsSelection.cpp

sr=sfraser
*** Bug 161484 has been marked as a duplicate of this bug. ***
*** Bug 161500 has been marked as a duplicate of this bug. ***
fixed.
fixed.
Status: ASSIGNED → RESOLVED
Closed: 22 years ago
Resolution: --- → FIXED
This would definitely be a good bug for those in the "always use braces even for
one line blocks" camp for the next style wars showdown... That most likely would
have prevented this crasher from happening...
Verified in trunk 2002080711/Win32 build
Status: RESOLVED → VERIFIED
*** Bug 161541 has been marked as a duplicate of this bug. ***
*** Bug 161543 has been marked as a duplicate of this bug. ***
*** Bug 161536 has been marked as a duplicate of this bug. ***
*** Bug 161517 has been marked as a duplicate of this bug. ***
*** Bug 161538 has been marked as a duplicate of this bug. ***
*** Bug 161643 has been marked as a duplicate of this bug. ***
*** Bug 161614 has been marked as a duplicate of this bug. ***
*** Bug 161669 has been marked as a duplicate of this bug. ***
adding topcrash keyword so that talkback automation does not show this crash as
open.
Keywords: topcrash
*** Bug 161714 has been marked as a duplicate of this bug. ***
*** Bug 161513 has been marked as a duplicate of this bug. ***
*** Bug 161698 has been marked as a duplicate of this bug. ***
*** Bug 161833 has been marked as a duplicate of this bug. ***
Is this bug fixed? See bugzilla bug:
http://bugzilla.mozilla.org/show_bug.cgi?id=161538
Crash Signature: [@ nsTypedSelection::selectFrames]