Ctrl-Shift-Home + typing with mozInlineSpellChecker causes NULL nsCOMPtr assertion in [@ nsTextServicesDocument::DeleteNode]




14 years ago
12 years ago


(Reporter: matthew, Assigned: mozeditor)


({crash, fixed1.8.0.2, fixed1.8.1})

crash, fixed1.8.0.2, fixed1.8.1
Bug Flags:
blocking1.8.0.2 +

Firefox Tracking Flags

(Not tracked)


(Whiteboard: [nvn-dl][qa:verified-tb-1802], crash signature)


(1 attachment, 1 obsolete attachment)



14 years ago
User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.8b2) Gecko/20050505 Firefox/1.0+
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.8b2) Gecko/20050505 Firefox/1.0+

Hitting Ctrl-Shift-Home in an editor window (in Thunderbird) to select the first
half of the document and then typing causes the following segfault on the second
iteration of doing so:

/usr/local/src/mozilla/editor/txtsvc/src/nsFilteredContentIterato r.cpp, line 110
/usr/local/src/mozilla/extensions/spellcheck/src/mozInlineSpellC hecker.cpp,
line 905
###!!! ASSERTION: You can't dereference a NULL nsCOMPtr with operator->().:
'mRawPtr != 0', file ../../dist/include/xpco m/nsCOMPtr.h, line 849
Break: at file ../../dist/include/xpcom/nsCOMPtr.h, line 849

#5  0x087a5c87 in nsTextServicesDocument::DeleteNode (this=0xa27bf50,
    at /usr/local/src/mozilla/editor/txtsvc/src/nsTextServicesDocument.cpp:2532
#6  0x087aa397 in nsTSDNotifier::DidDeleteNode (this=0xb75247ec, aChild=0x0,
    at /usr/local/src/mozilla/editor/txtsvc/src/nsTSDNotifier.cpp:118
#7  0x087c054c in nsEditor::DeleteNode (this=0xa21cc58, aElement=0xa51e0b4)
    at /usr/local/src/mozilla/editor/libeditor/base/nsEditor.cpp:1538
#8  0x0874fbe6 in nsHTMLEditor::DeleteNode (this=0xa21cc58, aNode=0xa51e0b4)
    at /usr/local/src/mozilla/editor/libeditor/html/nsHTMLEditor.cpp:3888
#9  0x087b5e5a in nsTextEditRules::DidDeleteSelection (this=0xa29c214,
    aSelection=0x9f90c78, aCollapsedAction=0, aResult=0)
    at /usr/local/src/mozilla/editor/libeditor/text/nsTextEditRules.cpp:998
#10 0x0876a09f in nsHTMLEditRules::DidDeleteSelection (this=0xa29c210,
    aSelection=0x9f90c78, aDir=0, aResult=0)
    at /usr/local/src/mozilla/editor/libeditor/html/nsHTMLEditRules.cpp:2858
#11 0x08761ecd in nsHTMLEditRules::DidDoAction (this=0xa29c210,
    aSelection=0x9f90c78, aInfo=0xb75247ec, aResult=0)
    at /usr/local/src/mozilla/editor/libeditor/html/nsHTMLEditRules.cpp:641
#12 0x087afbf6 in nsPlaintextEditor::DeleteSelection (this=0xa21cc58,
    at /usr/local/src/mozilla/editor/libeditor/text/nsPlaintextEditor.cpp:754
#13 0x08764062 in nsHTMLEditRules::WillInsertText (this=0xa29c210,
    aAction=2000, aSelection=0x9f90c78, aCancel=0xbfffdd68,
    aHandled=0xbfffdcd0, inString=0xbfffdf60, outString=0xbfffddb0,
    at /usr/local/src/mozilla/editor/libeditor/html/nsHTMLEditRules.cpp:1311
#14 0x08761c55 in nsHTMLEditRules::WillDoAction (this=0xa29c210,
    aSelection=0x9f90c78, aInfo=0xbfffdd70, aCancel=0x0, aHandled=0xb75247ec)
    at /usr/local/src/mozilla/editor/libeditor/html/nsHTMLEditRules.cpp:589
#15 0x087afdd2 in nsPlaintextEditor::InsertText (this=0xa21cc58,
    at /usr/local/src/mozilla/editor/libeditor/text/nsPlaintextEditor.cpp:789
#16 0x087ae797 in nsPlaintextEditor::TypedText (this=0xa21cc58, aString=@0x0,
    at /usr/local/src/mozilla/editor/libeditor/text/nsPlaintextEditor.cpp:426
#17 0x087455f4 in nsHTMLEditor::TypedText (this=0xa21cc58, aString=@0x0,
    at /usr/local/src/mozilla/editor/libeditor/html/nsHTMLEditor.cpp:1356
#18 0x08745589 in nsHTMLEditor::HandleKeyPress (this=0xa21cc58,
    at /usr/local/src/mozilla/editor/libeditor/html/nsHTMLEditor.cpp:1334
#19 0x087b78fc in nsTextEditorKeyListener::KeyPress (this=0xbfffe0b0,
    at /usr/local/src/mozilla/editor/libeditor/text/nsEditorEventListeners.cpp:249
#20 0x08502a44 in DispatchToInterface (aEvent=0x0, aListener=0xb75247ec,
    aMethod={__pfn = 0x19, __delta = 0}, aIID=@0x0, aHasInterface=0x0)
    at /usr/local/src/mozilla/content/events/src/nsEventListenerManager.cpp:136
#21 0x08505c71 in nsEventListenerManager::HandleEvent (this=0x9f911b8,
    aPresContext=0xa21dee0, aEvent=0xbfffe860, aDOMEvent=0xbfffe26c,
    aCurrentTarget=0xa0adde0, aFlags=514, aEventStatus=0xbfffe5e8)
    at /usr/local/src/mozilla/content/events/src/nsEventListenerManager.cpp:1689
#22 0x084c0579 in nsDocument::HandleDOMEvent (this=0xa0add30,
    aPresContext=0xa21dee0, aEvent=0xbfffe860, aDOMEvent=0xbfffe26c,
    aFlags=514, aEventStatus=0xbfffe5e8)
    at /usr/local/src/mozilla/content/base/src/nsDocument.cpp:4131
#23 0x084da059 in nsGenericElement::HandleDOMEvent (this=0x9f7b310,
    aPresContext=0xa21dee0, aEvent=0xbfffe860, aDOMEvent=0xbfffe26c,
    aFlags=519, aEventStatus=0xbfffe5e8)
    at /usr/local/src/mozilla/content/base/src/nsGenericElement.cpp:2165
#24 0x083198d6 in PresShell::HandleEventInternal (this=0xa18e450,
    aEvent=0xbfffe860, aView=0xa21e3e0, aFlags=1, aStatus=0xbfffe5e8)
    at /usr/local/src/mozilla/layout/base/nsPresShell.cpp:6386
#25 0x08319334 in PresShell::HandleEvent (this=0xa18e450, aView=0xa21e3e0,
    aEvent=0xbfffe860, aEventStatus=0xbfffe5e8, aForceHandle=1,
    at /usr/local/src/mozilla/layout/base/nsPresShell.cpp:6198
#26 0x085a5630 in nsViewManager::HandleEvent (this=0xa21e360, aView=0xa21e3e0,
    aEvent=0xbfffe860, aCaptured=0)
    at /usr/local/src/mozilla/view/src/nsViewManager.cpp:2512
#27 0x085a4f25 in nsViewManager::DispatchEvent (this=0xa21e360,
    aEvent=0xbfffe860, aStatus=0xbfffe7b0)
    at /usr/local/src/mozilla/view/src/nsViewManager.cpp:2246
#28 0x0859dc09 in HandleEvent (aEvent=0xbfffe860)
    at /usr/local/src/mozilla/view/src/nsView.cpp:171
#29 0x082bbb55 in nsCommonWidget::DispatchEvent (this=0xa21e450,
    aEvent=0xbfffe860, aStatus=@0xbfffe80c)
    at /usr/local/src/mozilla/widget/src/gtk2/nsCommonWidget.cpp:219
#30 0x082b4034 in nsWindow::OnKeyPressEvent (this=0xa21e450,
    aWidget=0x9ed5428, aEvent=0xbfffe860)
    at /usr/local/src/mozilla/widget/src/gtk2/nsWindow.cpp:1768
#31 0x082b808d in key_press_event_cb (widget=0x9ed5428, event=0x0)
    at /usr/local/src/mozilla/widget/src/gtk2/nsWindow.cpp:3850

The same behaviour is observed under Win32.

Reproducible: Always

Steps to Reproduce:
1. Start a new mail in Thunderbird Trunk.
2. Type a few lines of text.
3. Press Ctrl-Shift-Home, and start typing a few more lines of text to replace
the selection.
4. Repeat 3 once.

Actual Results:  
The app segfaults.

Comment 1

14 years ago
Created attachment 192741 [details] [diff] [review]
Workaround for trapping null iterator in nsTextServiceDocument

This prevents the segfault by trapping on mIterator being null.  However, it
doesn't fix the underlying problem of the spellchecking code introducing
invalid nodes/iterators in the first place.  Debugging output is now:

WARNING: NS_ENSURE_TRUE(currentAnchorNode) failed, file
line 1134
/usr/local/src/mozilla/editor/txtsvc/src/nsFilteredContentIterator.cpp, line
line 905
###!!! ASSERTION: Invalid Iterator in Delete Node!: 'mIterator', file
/usr/local/src/mozilla/editor/txtsvc/src/nsTextServicesDocument.cpp, line 2537
Break: at file
/usr/local/src/mozilla/editor/txtsvc/src/nsTextServicesDocument.cpp, line 2537

but at least it doesn't segfault.

Comment 2

14 years ago
(bumping the severity of this up to major as it's a fairly painful crash).
Severity: normal → major

Comment 3

14 years ago
For what it's worth, this behaviour doesn't present on a snapshot from 12th July
2005), but does exist on a snapshot from 11th August 2005.

Comment 4

13 years ago
it's a crash, all crashes are critical unless they're not in normally reachable 
code :)
Severity: major → critical
Keywords: crash


13 years ago
Attachment #192741 - Flags: superreview?(neil.parkwaycc.co.uk)
Attachment #192741 - Flags: review?(akkzilla)

Comment 5

13 years ago
Comment on attachment 192741 [details] [diff] [review]
Workaround for trapping null iterator in nsTextServiceDocument

Most of the other functions seem to begin with NS_ENSURE_TRUE(mIterator,

Comment 6

13 years ago
Comment on attachment 192741 [details] [diff] [review]
Workaround for trapping null iterator in nsTextServiceDocument

I don't suppose anyone has any idea why mozInlineSpellChecker is calling
DeleteNote when the iterator is null?

Anyway, other functions in this file do the check (either with ! or with
NS_ENSURE_TRUE -- it's not that consistent, and ! as in the patch is fine as
far as I'm concerned) and fixing the crash is most important.

r=akkana, but please leave this bug open, or open a new one, to whoever owns
the spellchecker, since this sounds like it's probably a bug in the way
mozInlineSpellChecker works.
Attachment #192741 - Flags: review?(akkzilla) → review+

Comment 7

13 years ago
Confirming this crasher.
Ever confirmed: true


13 years ago
Blocks: 316690

Comment 8

13 years ago
regression?  asking b/c I just recently upgraded to this build and I thought something like this was fixed at one time.

patch is on the way?

Incident ID: 11843706
Stack Signature	nsTextServicesDocument::DeleteNode e00281ec
Product ID	ThunderbirdTrunk
Build ID	2005111308
Trigger Time	2005-11-14 13:52:56.0
Platform	Win32
Operating System	Windows NT 5.0 build 2195
Module	thunderbird.exe + (0031bd5c)
URL visited	
User Comments	
Since Last Crash	17969 sec
Total Uptime	17969 sec
Trigger Reason	Access violation
Source File, Line No.	e:/builds/tinderbox/thunderbird-trunk/WINNT_5.0_Depend/mozilla/editor/txtsvc/src/nsTextServicesDocument.cpp, line 2525
Stack Trace 	
nsTextServicesDocument::DeleteNode  [e:/builds/tinderbox/thunderbird-trunk/WINNT_5.0_Depend/mozilla/editor/txtsvc/src/nsTextServicesDocument.cpp, line 2525]
nsTSDNotifier::DidDeleteNode  [e:/builds/tinderbox/thunderbird-trunk/WINNT_5.0_Depend/mozilla/editor/txtsvc/src/nsTSDNotifier.cpp, line 119]
nsHTMLEditor::DeleteNode  [e:/builds/tinderbox/thunderbird-trunk/WINNT_5.0_Depend/mozilla/editor/libeditor/html/nsHTMLEditor.cpp, line 3882]
nsTextEditRules::DidDeleteSelection  [e:/builds/tinderbox/thunderbird-trunk/WINNT_5.0_Depend/mozilla/editor/libeditor/text/nsTextEditRules.cpp, line 1005]
nsHTMLEditRules::DidDeleteSelection  [e:/builds/tinderbox/thunderbird-trunk/WINNT_5.0_Depend/mozilla/editor/libeditor/html/nsHTMLEditRules.cpp, line 2858]
nsHTMLEditRules::DidDoAction  [e:/builds/tinderbox/thunderbird-trunk/WINNT_5.0_Depend/mozilla/editor/libeditor/html/nsHTMLEditRules.cpp, line 641]
nsPlaintextEditor::DeleteSelection  [e:/builds/tinderbox/thunderbird-trunk/WINNT_5.0_Depend/mozilla/editor/libeditor/text/nsPlaintextEditor.cpp, line 721]
nsTextEditorKeyListener::KeyPress  [e:/builds/tinderbox/thunderbird-trunk/WINNT_5.0_Depend/mozilla/editor/libeditor/text/nsEditorEventListeners.cpp, line 203]
DispatchToInterface  [e:/builds/tinderbox/thunderbird-trunk/WINNT_5.0_Depend/mozilla/content/events/src/nsEventListenerManager.cpp, line 140]
nsEventListenerManager::HandleEvent  [e:/builds/tinderbox/thunderbird-trunk/WINNT_5.0_Depend/mozilla/content/events/src/nsEventListenerManager.cpp, line 1776]
nsDocument::HandleDOMEvent  [e:/builds/tinderbox/thunderbird-trunk/WINNT_5.0_Depend/mozilla/content/base/src/nsDocument.cpp, line 4232]
nsGenericElement::HandleDOMEvent  [e:/builds/tinderbox/thunderbird-trunk/WINNT_5.0_Depend/mozilla/content/base/src/nsGenericElement.cpp, line 2202]
PresShell::HandleEventInternal  [e:/builds/tinderbox/thunderbird-trunk/WINNT_5.0_Depend/mozilla/layout/base/nsPresShell.cpp, line 6056]
PresShell::HandleEvent  [e:/builds/tinderbox/thunderbird-trunk/WINNT_5.0_Depend/mozilla/layout/base/nsPresShell.cpp, line 5857]
nsViewManager::HandleEvent  [e:/builds/tinderbox/thunderbird-trunk/WINNT_5.0_Depend/mozilla/view/src/nsViewManager.cpp, line 2504]
nsViewManager::DispatchEvent  [e:/builds/tinderbox/thunderbird-trunk/WINNT_5.0_Depend/mozilla/view/src/nsViewManager.cpp, line 2237]
HandleEvent  [e:/builds/tinderbox/thunderbird-trunk/WINNT_5.0_Depend/mozilla/view/src/nsView.cpp, line 176]
nsWindow::DispatchEvent  [e:/builds/tinderbox/thunderbird-trunk/WINNT_5.0_Depend/mozilla/widget/src/windows/nsWindow.cpp, line 1140]
nsWindow::DispatchKeyEvent  [e:/builds/tinderbox/thunderbird-trunk/WINNT_5.0_Depend/mozilla/widget/src/windows/nsWindow.cpp, line 3344]
nsWindow::OnKeyDown  [e:/builds/tinderbox/thunderbird-trunk/WINNT_5.0_Depend/mozilla/widget/src/windows/nsWindow.cpp, line 3482]
nsWindow::ProcessMessage  [e:/builds/tinderbox/thunderbird-trunk/WINNT_5.0_Depend/mozilla/widget/src/windows/nsWindow.cpp, line 4427]
nsWindow::WindowProc  [e:/builds/tinderbox/thunderbird-trunk/WINNT_5.0_Depend/mozilla/widget/src/windows/nsWindow.cpp, line 1329]
USER32.dll + 0x3158f (0x77e4158f)
USER32.dll + 0x31dc9 (0x77e41dc9)
USER32.dll + 0x31e7e (0x77e41e7e)
nsAppStartup::Run  [e:/builds/tinderbox/thunderbird-trunk/WINNT_5.0_Depend/mozilla/toolkit/components/startup/src/nsAppStartup.cpp, line 162]
main  [e:/builds/tinderbox/thunderbird-trunk/WINNT_5.0_Depend/mozilla/mail/app/nsMailApp.cpp, line 62]
KERNEL32.dll + 0x28989 (0x7c598989)

Comment 9

13 years ago
I just moved to a trunk build recently and I'm hitting this quite frequently. I've never run into it on the branch though. I wonder what has aggravated it so much lately. 

Comment 10

13 years ago
Created attachment 203858 [details] [diff] [review]
better fix

Using the NS_ENSURE_TRUE macro is a better way to catch this case.
Attachment #192741 - Attachment is obsolete: true
Attachment #203858 - Flags: superreview?(neil.parkwaycc.co.uk)
Attachment #192741 - Flags: superreview?(neil.parkwaycc.co.uk)

Comment 11

13 years ago
Incident ID: 12136182
Stack Signature	nsTextServicesDocument::DeleteNode
Product ID	MozillaTrunk
Build ID	2005112110
Platform	Win32 (win98)

I was composing a mail in seamonkey mail composer, hard selected a part, copied soemthing from a gmail and pasted it over the selection in composer, crash.

Comment 12

13 years ago
Comment on attachment 203858 [details] [diff] [review]
better fix

Now that my build machine is back online I can't seem to reproduce this crash :-(
Note that the file is inconsistent and sometimes uses if (!mIterator) return
Attachment #203858 - Flags: superreview?(neil.parkwaycc.co.uk) → superreview+

Comment 13

13 years ago
I checked in this crash fix on the trunk.
Last Resolved: 13 years ago
Resolution: --- → FIXED
Tested with SeaMonkey 1.5a trunk;Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9a1) Gecko/20051202 Mozilla/1.0

and Thunderbird trunk version 1.6a1 (20051202) on Windows XP

Ctrl-Shift-Home followed by typing (as a replacement of the selected text) no longer crashes...

Verified FIXED

Comment 15

13 years ago
*** Bug 316690 has been marked as a duplicate of this bug. ***
No longer blocks: 316690

Comment 16

13 years ago
*** Bug 319536 has been marked as a duplicate of this bug. ***
Comment on attachment 203858 [details] [diff] [review]
better fix

This is becoming a topcrash for FC5 test2's Thunderbird 1.5 RCs.
Attachment #203858 - Flags: approval1.8.0.1?

Comment 18

13 years ago
Weird. I've never seen this stack trace in talkback on the 1.5 branch, only on the trunk. 
From the reports, I've managed to find a failsafe means of reproducing on 1.5 after playing with it today:

Using plaintext editor and spellcheck:
- Compose new mail
- Type a single character, hit return.
- Select all
- Type another character
Comment on attachment 203858 [details] [diff] [review]
better fix

too late for, moving milestones
Attachment #203858 - Flags: approval1.8.1?
Attachment #203858 - Flags: approval1.8.0.2?
Attachment #203858 - Flags: approval1.8.0.1?
Attachment #203858 - Flags: approval1.8.0.1-

Comment 21

13 years ago
Comment on attachment 203858 [details] [diff] [review]
better fix

approving for thunderbird 2.0
Attachment #203858 - Flags: approval1.8.1? → approval1.8.1+


13 years ago
Keywords: fixed1.8.1
Flags: blocking1.8.0.2+
Comment on attachment 203858 [details] [diff] [review]
better fix

approved for 1.8.0 branch, a=dveditz
Attachment #203858 - Flags: approval1.8.0.2? → approval1.8.0.2+
Keywords: fixed1.8.0.2


13 years ago
Whiteboard: [nvn-dl]
Verified fixed on the 1.8.0 branch using version (20060308) following the reporter's STR. Adding SW term.
Whiteboard: [nvn-dl] → [nvn-dl][qa:verified-tb-1802]

Comment 24

13 years ago
*** Bug 326995 has been marked as a duplicate of this bug. ***

Comment 25

13 years ago
*** Bug 326521 has been marked as a duplicate of this bug. ***

Comment 26

13 years ago
*** Bug 335788 has been marked as a duplicate of this bug. ***


12 years ago
Duplicate of this bug: 333220
Crash Signature: [@ nsTextServicesDocument::DeleteNode]
You need to log in before you can comment on or make changes to this bug.