164928 - Crash in RangeStartsInsideLink with TypeAhead Find

Status: RESOLVED FIXED

(SeaMonkey :: Find In Page, defect)

Description

[Daniel Bratell]

Trunk build from CVS a couple of hours ago.

I just crashed when playing with typeahead find. I was at an "Bug was processed" 
page and fooled around with letters and backspaces.

The crash was because startContent was NULL which was because startNode was 
NULL. aRange's mStartParent and mEndParent are also NULL. 

     startContent = do_QueryInterface(startNode);  <-- startNode == NULL
     origContent = startContent;
-->  if (NS_SUCCEEDED(startContent->CanContainChildren(canContainChildren)) &&
           canContainChildren) {
            startContent->ChildAt(startOffset, *getter_AddRefs(childContent));

 
The stack trace:

nsTypeAheadFind::RangeStartsInsideLink(nsTypeAheadFind * const 0x0012f00c, 
nsIDOMRange * 0x02fcf0e0, nsIPresShell * 0x027c4a88, int * 0x0012f0ec, int * 
0x0012f118) line 1242 + 8 bytes
nsTypeAheadFind::FindItNow(nsTypeAheadFind * const 0x0012f00c, int 0, int 1, int 
1, int 0) line 1006
nsTypeAheadFind::KeyPress(nsTypeAheadFind * const 0x80004005, nsIDOMEvent * 
0x0301a110) line 796 + 20 bytes
nsEventListenerManager::HandleEvent(nsEventListenerManager * const 0x03165bc0, 
nsIPresContext * 0x00000000, nsEvent * 0x0012fb20, nsIDOMEvent * * 0x00ec6b78, 
nsIDOMEventTarget * 0x027f3088, unsigned int 2, nsEventStatus * 0x0012fa84) line 
1615
GlobalWindowImpl::HandleDOMEvent(GlobalWindowImpl * const 0x027f3078, 
nsIPresContext * 0x0266e8c8, nsEvent * 0x0012fb20, nsIDOMEvent * * 0x0012f784, 
unsigned int 2, nsEventStatus * 0x0012fa84) line 764
nsDocument::HandleDOMEvent(nsDocument * const 0x02806d98, nsIPresContext * 
0x0266e8c8, nsEvent * 0x0012fb20, nsIDOMEvent * * 0x0012f784, unsigned int 2, 
nsEventStatus * 0x0012fa84) line 3544 + 18 bytes
nsGenericElement::HandleDOMEvent(nsGenericElement * const 0x0314c618, 
nsIPresContext * 0x0266e8c8, nsEvent * 0x00000000, nsIDOMEvent * * 0x0012f784, 
unsigned int 2, nsEventStatus * 0x0012fa84) line 2073 + 21 bytes
nsGenericElement::HandleDOMEvent(nsGenericElement * const 0x0314c618, 
nsIPresContext * 0x0266e8c8, nsEvent * 0x031481e0, nsIDOMEvent * * 0x0012f784, 
unsigned int 2, nsEventStatus * 0x0012fa84) line 2068
nsGenericElement::HandleDOMEvent(nsGenericElement * const 0x0314c618, 
nsIPresContext * 0x0266e8c8, nsEvent * 0x03165c68, nsIDOMEvent * * 0x0012f784, 
unsigned int 2, nsEventStatus * 0x0012fa84) line 2068
nsGenericElement::HandleDOMEvent(nsGenericElement * const 0x0314c618, 
nsIPresContext * 0x0266e8c8, nsEvent * 0x03170d28, nsIDOMEvent * * 0x0012f784, 
unsigned int 1, nsEventStatus * 0x0012fa84) line 2068
nsGenericHTMLElement::HandleDOMEventForAnchors(nsGenericHTMLElement * const 
0x0012f00c, nsIContent * 0x03170fd0, nsIPresContext * 0x0266e8c8, nsEvent * 
0x0012fb20, nsIDOMEvent * * 0x00000000, unsigned int 1, nsEventStatus * 
0x0012fa84) line 1376
nsHTMLLinkElement::HandleDOMEvent(nsHTMLLinkElement * const 0x03170fd0, 
nsIPresContext * 0x0266e8c8, nsEvent * 0x0012fb20, nsIDOMEvent * * 0x00000000, 
unsigned int 1, nsEventStatus * 0x0012fa84) line 364
PresShell::HandleEventInternal(PresShell * const 0x0012f00c, nsEvent * 
0x027e6240, nsIView * 0x02fc0a20, unsigned int 1, nsEventStatus * 0x0012fa84) 
line 6105 + 18 bytes
PresShell::HandleEvent(PresShell * const 0x027e6240, nsIView * 0x02fc0a20, 
nsGUIEvent * 0x0012fb20, nsEventStatus * 0x0012fa84, int 1, int & 1) line 6028 + 
18 bytes
nsViewManager::HandleEvent(nsViewManager * const 0x0012f00c, nsView * 
0x00000001, nsGUIEvent * 0x00000000, int 0) line 2060
nsView::HandleEvent(nsView * const 0x0012f00c, nsViewManager * 0x02fee338, 
nsGUIEvent * 0x0012fb20, int 0) line 301
nsViewManager::DispatchEvent(nsViewManager * const 0x02fee338, nsGUIEvent * 
0x02fc0a20, nsEventStatus * 0x0012fae8) line 1911 + 30 bytes
HandleEvent(nsGUIEvent * 0x0012fb20) line 83
nsWindow::DispatchEvent(nsWindow * const 0x0277d0a4, nsGUIEvent * 0x0012fb20, 
nsEventStatus & nsEventStatus_eIgnore) line 1034 + 6 bytes
nsWindow::DispatchWindowEvent(nsWindow * const 0x0012f00c, nsGUIEvent * 
0x00000000) line 1055
nsWindow::DispatchKeyEvent(nsWindow * const 0x0012f00c, unsigned int 131, 
unsigned short 66, unsigned int 0, long 0) line 2885 + 14 bytes
nsWindow::OnChar(nsWindow * const 0x0012f00c, unsigned int 66, unsigned int 66, 
unsigned char 0) line 3063 + 17 bytes
nsWindow::ProcessMessage(nsWindow * const 0x0012f00c, unsigned int 258, unsigned 
int 66, long 3145729, long * 0x0012fd94) line 3712
nsWindow::WindowProc(HWND__ * 0x00020524, unsigned int 258, unsigned int 66, 
long 41406628) line 1303 + 16 bytes
USER32! 77e3a290()
USER32! 77e145b1()
USER32! 77e15b1d()
nsAppShellService::Run(nsAppShellService * const 0x00f42ee8) line 452
main1(int 1, char * * 0x002a3fc0, nsISupports * 0x002a2cb8) line 1509 + 9 bytes
main(int 1, char * * 0x002a3fc0) line 1873 + 26 bytes
WinMain(HINSTANCE__ * 0x00400000, HINSTANCE__ * 0x00400000, char * 0x00133353, 
HINSTANCE__ * 0x00400000) line 1891 + 21 bytes
MOZILLA! WinMainCRTStartup + 308 bytes

Comment 1

[Akkana Peck]

Sounds like we need to guard against that case.

Comment 2

[Akkana Peck]

Attachment: Return if startContent is null

Suggested fix.	Aaron, does this look okay?

Comment 3

[Aaron Leventhal]

Comment on attachment 96897 [details] [diff] [review]
Return if startContent is null

r=aaronl, but please also add an assertion so that I can find out why this is
happening at some point.

Comment 4

[Akkana Peck]

Thanks for the review -- I've added an assertion that startContent != 0.

Comment 5

[Boris Zbarsky [:bzbarsky]]

Comment on attachment 96897 [details] [diff] [review]
Return if startContent is null

sr=bzbarsky

Comment 6

[Akkana Peck]

Whoops, forgot to close this out; it's in the tree now.

Comment 7

[Akkana Peck]

Trying again to close this bug.