Closed Bug 277306 Opened 20 years ago Closed 20 years ago

Crash when hitting Ctrl-End in a table

Categories

(Core :: DOM: Editor, defect)

x86
All
defect
Not set
critical

Tracking

()

VERIFIED DUPLICATE of bug 278197

People

(Reporter: bzbarsky, Assigned: eyalroz1)

References

Details

(Keywords: crash)

Attachments

(1 file)

BUILD: 2005-01-06 trunk nightly

STEPS TO REPRODUCE (copied from bug 273458 comment 18):

1- Open a blank document in composer
2- Created a default 2x2 table in Composer 
3- clicked in the bottom-right cell (so that blinking caret and cell resizing
grippies get visible, rendered) 
4- Typed in Ctrl+End 
5- crashed

Stack is:

#0  0x426b8689 in nsHTMLEditor::GetCSSBackgroundColorState(int*, nsAString&, int) (
    this=0x8a4b0c0, aMixed=0xbfffc668, aOutColor=@0xbfffc5c0, aBlockLevel=1)
    at
/home/bzbarsky/mozilla/xlib/mozilla/editor/libeditor/html/nsHTMLEditor.cpp:2498
#1  0x426b8101 in nsHTMLEditor::GetBackgroundColorState(int*, nsAString&) (
    this=0x8a4b0c0, aMixed=0xbfffc668, aOutColor=@0xbfffc5c0)
    at
/home/bzbarsky/mozilla/xlib/mozilla/editor/libeditor/html/nsHTMLEditor.cpp:2399
#2  0x427daf92 in nsBackgroundColorStateCommand::GetCurrentState(nsIEditor*,
nsICommandParams*) (this=0x8a59c38, aEditor=0x8a4b0c0, aParams=0x8b15428)
    at
/home/bzbarsky/mozilla/xlib/mozilla/editor/composer/src/nsComposerCommands.cpp:1004
#3  0x427d96fc in nsMultiStateCommand::GetCommandStateParams(char const*,
nsICommandParams*, nsISupports*) (this=0x8a59c38, aCommandName=0x8b153e0
"cmd_backgroundColor", 
    aParams=0x8b15428, refCon=0x8a4b0c0)
    at
/home/bzbarsky/mozilla/xlib/mozilla/editor/composer/src/nsComposerCommands.cpp:681
#4  0x40c19f1b in nsControllerCommandTable::GetCommandState(char const*,
nsICommandParams*, nsISupports*) (this=0x8a4e898, aCommandName=0x8b153e0
"cmd_backgroundColor", 
    aParams=0x8b15428, aCommandRefCon=0x8a4b0c0)
    at
/home/bzbarsky/mozilla/xlib/mozilla/embedding/components/commandhandler/src/nsControllerCommandTable.cpp:226
#5  0x40c13294 in nsBaseCommandController::GetCommandStateWithParams(char
const*, nsICommandParams*) (this=0x8a599f0, aCommand=0x8b153e0
"cmd_backgroundColor", aParams=0x8b15428)
    at
/home/bzbarsky/mozilla/xlib/mozilla/embedding/components/commandhandler/src/nsBaseCommandController.cpp:147
#6  0x40137571 in XPTC_InvokeByIndex () at nsTSubstring.h:155
#7  0x40b36816 in XPCWrappedNative::CallMethod(XPCCallContext&,
XPCWrappedNative::CallMode) (ccx=@0xbfffca0c, mode=CALL_METHOD)

The crash happens because |tmp| and |blockParent| are both null.  blockParent is
null because nodeToExamine is an nsHTMLAnchorElement with a null parent.  Note
that having a null parent is the ONLY way nsHTMLEditor::GetBlockNodeParent can
return null (otherwise it will return the rootmost ancestor, which may, of
course also not be a block).

I'm not sure what this code is trying to achieve, why it's being called, or
where the anchor comes from.  Daniel, this is all code you wrote, any idea
what's going on here?

On a separate note, the loop termination condition is wrong in any case (the
boolean check is backwards).  I'll attach a patch fixing that; it does not fix
this bug.  I could also "fix" this bug by just bailing out of the loop on null,
but that would end up using the default background color here (since the anchor
is not in the DOM tree), and I'm not sure what that would break.
Keywords: crash
On a separate note, it may be better to not make this HTML-specific and just go
up till we get a null parent?
Depends on: 273458
Summary: Crash when hitting Ctrl-End in a tabl → Crash when hitting Ctrl-End in a table
OS -> All
OS: Linux → All
This broke between 2004-11-29-07 and 2004-11-30-08.
Looks like this was broken by bug 263309.  The caret is being positioned in
lala-land, most likely.

Also marking dependent on bug 278197, since that patch may fix this crash.
Depends on: 263309, 278197
Assignee: mozeditor → eyalroz
bz--bug 278197 is a duplicate of this but I am going to resolve this as a
duplicate of it since the newer bug has a patch.  I determined it was a
duplicate by opening microsoft.com's web page in Composer and clicking in the
bottom/right corner which caused table cell selection to occur.

*** This bug has been marked as a duplicate of 278197 ***
Status: NEW → RESOLVED
Closed: 20 years ago
Resolution: --- → DUPLICATE
Status: RESOLVED → VERIFIED
I've filed bug 279332 on the code-level issues in comment 0.  That code is still
wrong, even if we'll stop hitting it in this instance once bug 278197 is fixed.
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Created:
Updated:
Size: