Closed Bug 264917 Opened 20 years ago Closed 20 years ago

Crash trying to view source @ nsAString::GetReadableBuffer

Categories

(Core Graveyard :: View Source, defect)

defect
Not set
critical

Tracking

(Not tracked)

RESOLVED FIXED

People

(Reporter: neil, Assigned: mrbkap)

References

Details

(Keywords: crash, regression)

Attachments

(1 file)

bz thinks this is a regression from bug 70918. Extract of stack:

#1 __pure_virtual () at ../../gcc/libgcc2.c:-1
#2 0x080703f5 in nsAString::GetReadableBuffer (this=0xbfffc60c, data=0xbfffc40c) at nsTAString.cpp:472
#3 0x411233ac in nsAString::BeginReading (this=0xbfffc60c, iter=@0xbfffc40c) at ../../../../dist/include/string/nsTAString.h:141
#4 0x411da8d8 in nsContentUtils::CopyNewlineNormalizedUnicodeTo (aSource=@0xbfffc60c, aSrcOffset=0, aDest=0x838cbe4, aLength=4094, aLastCharCR=@0xbfffc484) at nsContentUtils.cpp:380
#5 0x4130cc96 in SinkContext::AddText (this=0x8ba9fb8, aText=@0xbfffc60c) at nsHTMLContentSink.cpp:1717
#6 0x4130c40b in SinkContext::AddLeaf (this=0x8ba9fb8, aNode=@0xbfffc60c) at nsHTMLContentSink.cpp:1517
#7 0x4131086c in HTMLContentSink::AddLeaf (this=0x8e310d8, aNode=@0xbfffc60c) at nsHTMLContentSink.cpp:3124
#8 0x419af00d in CViewSourceHTML::WriteTag (this=0x8cf9fe8, aTagType=0, aText=@0x9b69840, attrCount=2, aTagInError=0) at nsViewSourceHTML.cpp:1003
#9 0x419af524 in CViewSourceHTML::HandleToken (this=0x8cf9fe8, aToken=0x9b69828, aParser=0x84478f0) at nsViewSourceHTML.cpp:1100
#10 0x419ae407 in CViewSourceHTML::BuildModel (this=0x8cf9fe8, aParser=0x84478f0, aTokenizer=0x8cfa098, anObserver=0x0, aSink=0x8e31128) at nsViewSourceHTML.cpp:635
#11 0x419a0d4b in nsParser::BuildModel (this=0x84478f0) at nsParser.cpp:1917
#12 0x419a0963 in nsParser::ResumeParse (this=0x84478f0, allowIteration=1, aIsFinalChunk=1, aCanInterrupt=1) at nsParser.cpp:1784
#13 0x4199fb33 in nsParser::ContinueParsing (this=0x84478f0) at nsParser.cpp:1362
#14 0x41346bda in CSSLoaderImpl::SheetComplete (this=0x8cd8a38, aLoadData=0x8d6c8e8, aSucceeded=1) at nsCSSLoader.cpp:1519
#15 0x413467a0 in CSSLoaderImpl::ParseSheet (this=0x8cd8a38, aStream=0x87e5f28, aLoadData=0x8d6c8e8, aCompleted=@0xbfffccdc) at nsCSSLoader.cpp:1451
#16 0x41344110 in SheetLoadData::OnStreamComplete (this=0x8d6c8e8, aLoader=0x8d6cb68, aContext=0x0, aStatus=0, aDataStream=0x87e5f28) at nsCSSLoader.cpp:801
Blocks: 70918
The problem is that SetIndirectString() holds a _pointer_ to the string. I didn't realize that when I reviewed bug 70918. So the patch as checked in, with

theContext.mITextToken.SetIndirectString(NS_ConvertASCIItoUTF16(kAfterText[aTagType]));

ends up with a dangling string pointer in the token. Just rewriting that as:

NS_ConvertASCIItoUTF16 afterText(kAfterText[aTagType]);
theContext.mITextToken.SetIndirectString(afterText);

should fix the crash. Same for beforeText.
Severity: normal → critical
OS: Windows 2000 → All
Hardware: PC → All
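The dangling-pointer pattern described in the comment above, as an added example that is not Mozilla's code: TextToken, ConvertASCIItoUTF16, WriteLeaf and WriteTagFixed are constructed stand-ins for mITextToken, NS_ConvertASCIItoUTF16, the sink's AddLeaf and CViewSourceHTML::WriteTag. The deleted rvalue overload is an added hardening (not in the original patch) that turns the crashing call into a compile error.

```cpp
#include <cstddef>
#include <string>

// Stand-in for NS_ConvertASCIItoUTF16: returns a temporary when used inline.
static std::u16string ConvertASCIItoUTF16(const char* ascii) {
    std::u16string out;
    for (; *ascii; ++ascii) out.push_back(static_cast<char16_t>(*ascii));
    return out;
}

// Stand-in for the text token: it stores only a pointer to the caller's string,
// so the caller must keep that string alive for as long as the token is used.
class TextToken {
public:
    void SetIndirectString(const std::u16string& aString) { mText = &aString; }
    // Hardening: a temporary would die at the end of the full expression and
    // leave mText dangling, so refuse rvalues at compile time.
    void SetIndirectString(std::u16string&&) = delete;
    const std::u16string& GetString() const { return *mText; }
private:
    const std::u16string* mText = nullptr;
};

// Constructed table, in the spirit of kAfterText.
static const char* const kAfterText[] = { "&gt;", "\n" };

// Stand-in for the sink reading the token's text (frames #5-#7 in the stack).
static std::size_t WriteLeaf(const TextToken& aToken) {
    return aToken.GetString().size();
}

// The fixed form from the comment: a named local outlives every use of the token.
std::size_t WriteTagFixed(int aTagType) {
    TextToken token;
    std::u16string afterText = ConvertASCIItoUTF16(kAfterText[aTagType]);
    token.SetIndirectString(afterText);   // pointer valid until afterText leaves scope
    return WriteLeaf(token);
}

// The crashing form from the checked-in patch. With the deleted overload above
// it no longer compiles, so the dangling pointer cannot be created:
//   token.SetIndirectString(ConvertASCIItoUTF16(kAfterText[aTagType]));
//   // error: use of deleted function 'TextToken::SetIndirectString(std::u16string&&)'

int main() {
    return WriteTagFixed(0) == 4 ? 0 : 1;
}
```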
I won't be able to make a patch for this until about 4-5pm CST, fyi.
*** Bug 264911 has been marked as a duplicate of this bug. ***
Attached patch: patch v1
This is the patch that's suggested. Note that I cannot reproduce the crash, so I'll have to trust that this fixes it (this looks more right, in any case).
Comment on attachment 162511 (patch v1): neil, want to verify this helps?
Attachment #162511 - Flags: review+
Comment on attachment 162511 (patch v1): sr=bzbarsky
Attachment #162511 - Flags: superreview+
Checked in.
Status: NEW → RESOLVED
Closed: 20 years ago
Resolution: --- → FIXED
*** Bug 265304 has been marked as a duplicate of this bug. ***
*** Bug 265305 has been marked as a duplicate of this bug. ***
Product: Browser → Seamonkey
Product: SeaMonkey → Core Graveyard