Closed Bug 264917 Opened 20 years ago Closed 20 years ago

Crash trying to view source @ nsAString::GetReadableBuffer

Categories

(Core Graveyard :: View Source, defect)

Type: defect
Priority: Not set
Severity: critical

RESOLVED FIXED

People

(Reporter: neil, Assigned: mrbkap)

Details

(Keywords: crash, regression)

Attachments

(1 file)

bz thinks this is a regression from bug 70918. Extract of stack:
#1 __pure_virtual () at ../../gcc/libgcc2.c:-1
#2 0x080703f5 in nsAString::GetReadableBuffer (this=0xbfffc60c, data=0xbfffc40c) at nsTAString.cpp:472
#3 0x411233ac in nsAString::BeginReading (this=0xbfffc60c, iter=@0xbfffc40c) at ../../../../dist/include/string/nsTAString.h:141
#4 0x411da8d8 in nsContentUtils::CopyNewlineNormalizedUnicodeTo (aSource=@0xbfffc60c, aSrcOffset=0, aDest=0x838cbe4, aLength=4094, aLastCharCR=@0xbfffc484) at nsContentUtils.cpp:380
#5 0x4130cc96 in SinkContext::AddText (this=0x8ba9fb8, aText=@0xbfffc60c) at nsHTMLContentSink.cpp:1717
#6 0x4130c40b in SinkContext::AddLeaf (this=0x8ba9fb8, aNode=@0xbfffc60c) at nsHTMLContentSink.cpp:1517
#7 0x4131086c in HTMLContentSink::AddLeaf (this=0x8e310d8, aNode=@0xbfffc60c) at nsHTMLContentSink.cpp:3124
#8 0x419af00d in CViewSourceHTML::WriteTag (this=0x8cf9fe8, aTagType=0, aText=@0x9b69840, attrCount=2, aTagInError=0) at nsViewSourceHTML.cpp:1003
#9 0x419af524 in CViewSourceHTML::HandleToken (this=0x8cf9fe8, aToken=0x9b69828, aParser=0x84478f0) at nsViewSourceHTML.cpp:1100
#10 0x419ae407 in CViewSourceHTML::BuildModel (this=0x8cf9fe8, aParser=0x84478f0, aTokenizer=0x8cfa098, anObserver=0x0, aSink=0x8e31128) at nsViewSourceHTML.cpp:635
#11 0x419a0d4b in nsParser::BuildModel (this=0x84478f0) at nsParser.cpp:1917
#12 0x419a0963 in nsParser::ResumeParse (this=0x84478f0, allowIteration=1, aIsFinalChunk=1, aCanInterrupt=1) at nsParser.cpp:1784
#13 0x4199fb33 in nsParser::ContinueParsing (this=0x84478f0) at nsParser.cpp:1362
#14 0x41346bda in CSSLoaderImpl::SheetComplete (this=0x8cd8a38, aLoadData=0x8d6c8e8, aSucceeded=1) at nsCSSLoader.cpp:1519
#15 0x413467a0 in CSSLoaderImpl::ParseSheet (this=0x8cd8a38, aStream=0x87e5f28, aLoadData=0x8d6c8e8, aCompleted=@0xbfffccdc) at nsCSSLoader.cpp:1451
#16 0x41344110 in SheetLoadData::OnStreamComplete (this=0x8d6c8e8, aLoader=0x8d6cb68, aContext=0x0, aStatus=0, aDataStream=0x87e5f28) at nsCSSLoader.cpp:801
Blocks: 70918
The problem is that SetIndirectString() holds a _pointer_ to the string.  I
didn't realize that when I reviewed bug 70918.  So the patch as checked in, with

  theContext.mITextToken.
     SetIndirectString(NS_ConvertASCIItoUTF16(kAfterText[aTagType]));

ends up with a dangling string pointer in the token.

Just rewriting that as:

  NS_ConvertASCIItoUTF16 afterText(kAfterText[aTagType]);
  theContext.mITextToken.SetIndirectString(afterText);

should fix the crash.  Same for beforeText.
Severity: normal → critical
OS: Windows 2000 → All
Hardware: PC → All
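The lifetime bug described in the comment above, as an added C++ example that is not code from this bug or from Mozilla: ConvertedString stands in for NS_ConvertASCIItoUTF16 and IndirectToken::SetIndirectString for the token setter that keeps a pointer (both names are hypothetical). A registry of live objects lets the example check for the dangling pointer without dereferencing it, which would be undefined behaviour.

```cpp
#include <set>
#include <string>

// Addresses of ConvertedString objects that are currently alive. Checking
// membership here is well-defined even when the pointer being checked dangles.
static std::set<const void*> gLiveStrings;

// Stand-in (hypothetical) for NS_ConvertASCIItoUTF16: an owning converted string.
class ConvertedString {
public:
    explicit ConvertedString(const char* aAscii) : mData(aAscii) { gLiveStrings.insert(this); }
    ~ConvertedString() { gLiveStrings.erase(this); }
    ConvertedString(const ConvertedString&) = delete;
    ConvertedString& operator=(const ConvertedString&) = delete;
    const std::string& Data() const { return mData; }
private:
    std::string mData;
};

// Stand-in (hypothetical) for the token: SetIndirectString stores a pointer,
// not a copy, so the caller must keep the string alive for as long as the
// token may read it.
class IndirectToken {
public:
    void SetIndirectString(const ConvertedString& aStr) { mStr = &aStr; }
    bool StringIsLive() const { return gLiveStrings.count(mStr) != 0; }
private:
    const ConvertedString* mStr = nullptr;
};

// The pattern as originally checked in: the temporary is destroyed at the end
// of the full expression, so the token is left holding a dangling pointer.
// Returns true when the dangling condition is observed.
bool BuggyPatternDangles() {
    IndirectToken token;
    token.SetIndirectString(ConvertedString("constructed sample after-text"));
    return !token.StringIsLive();
}

// The fix from the comment: a named local outlives the token's use of it.
// Returns true while the string the token points at is still alive.
bool FixedPatternIsLive() {
    IndirectToken token;
    ConvertedString afterText("constructed sample after-text");
    token.SetIndirectString(afterText);
    return token.StringIsLive();
}
```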
I won't be able to make a patch for this until about 4-5pm CST, fyi.
*** Bug 264911 has been marked as a duplicate of this bug. ***
Attached patch: patch v1
This is the patch that's suggested. Note that I cannot reproduce the crash, so
I'll have to trust that this fixes it (this looks more right, in any case).
Comment on attachment 162511 (patch v1)

neil, want to verify this helps?
Attachment #162511 - Flags: review+
Comment on attachment 162511 (patch v1)

sr=bzbarsky
Attachment #162511 - Flags: superreview+
Checked in.
Status: NEW → RESOLVED
Closed: 20 years ago
Resolution: --- → FIXED
*** Bug 265304 has been marked as a duplicate of this bug. ***
*** Bug 265305 has been marked as a duplicate of this bug. ***
Product: Browser → Seamonkey
Product: SeaMonkey → Core Graveyard