Closed Bug 304720 Opened 19 years ago Closed 19 years ago

Ctrl-Shift-Home + typing with mozInlineSpellChecker causes NULL nsCOMPtr assertion in [@ nsTextServicesDocument::DeleteNode]

Categories

(Core :: DOM: Editor, defect)

critical

VERIFIED FIXED

People

(Reporter: matthew, Assigned: mozeditor)

Details

(Keywords: crash, fixed1.8.0.2, fixed1.8.1, Whiteboard: [nvn-dl][qa:verified-tb-1802])

Attachments

(1 file, 1 obsolete file)

User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.8b2) Gecko/20050505 Firefox/1.0+
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.8b2) Gecko/20050505 Firefox/1.0+

Hitting Ctrl-Shift-Home in an editor window (in Thunderbird) to select the first half of the document and then typing causes the following segfault on the second iteration of doing so:

WARNING: NS_ENSURE_TRUE(NS_SUCCEEDED(rv)) failed, file /usr/local/src/mozilla/editor/txtsvc/src/nsFilteredContentIterator.cpp, line 110
WARNING: NS_ENSURE_TRUE(NS_SUCCEEDED(res)) failed, file /usr/local/src/mozilla/extensions/spellcheck/src/mozInlineSpellChecker.cpp, line 905
###!!! ASSERTION: You can't dereference a NULL nsCOMPtr with operator->().: 'mRawPtr != 0', file ../../dist/include/xpcom/nsCOMPtr.h, line 849
Break: at file ../../dist/include/xpcom/nsCOMPtr.h, line 849

#5 0x087a5c87 in nsTextServicesDocument::DeleteNode (this=0xa27bf50, aChild=0xa51e0b4) at /usr/local/src/mozilla/editor/txtsvc/src/nsTextServicesDocument.cpp:2532
#6 0x087aa397 in nsTSDNotifier::DidDeleteNode (this=0xb75247ec, aChild=0x0, aResult=0) at /usr/local/src/mozilla/editor/txtsvc/src/nsTSDNotifier.cpp:118
#7 0x087c054c in nsEditor::DeleteNode (this=0xa21cc58, aElement=0xa51e0b4) at /usr/local/src/mozilla/editor/libeditor/base/nsEditor.cpp:1538
#8 0x0874fbe6 in nsHTMLEditor::DeleteNode (this=0xa21cc58, aNode=0xa51e0b4) at /usr/local/src/mozilla/editor/libeditor/html/nsHTMLEditor.cpp:3888
#9 0x087b5e5a in nsTextEditRules::DidDeleteSelection (this=0xa29c214, aSelection=0x9f90c78, aCollapsedAction=0, aResult=0) at /usr/local/src/mozilla/editor/libeditor/text/nsTextEditRules.cpp:998
#10 0x0876a09f in nsHTMLEditRules::DidDeleteSelection (this=0xa29c210, aSelection=0x9f90c78, aDir=0, aResult=0) at /usr/local/src/mozilla/editor/libeditor/html/nsHTMLEditRules.cpp:2858
#11 0x08761ecd in nsHTMLEditRules::DidDoAction (this=0xa29c210, aSelection=0x9f90c78, aInfo=0xb75247ec, aResult=0) at /usr/local/src/mozilla/editor/libeditor/html/nsHTMLEditRules.cpp:641
#12 0x087afbf6 in nsPlaintextEditor::DeleteSelection (this=0xa21cc58, aAction=0) at /usr/local/src/mozilla/editor/libeditor/text/nsPlaintextEditor.cpp:754
#13 0x08764062 in nsHTMLEditRules::WillInsertText (this=0xa29c210, aAction=2000, aSelection=0x9f90c78, aCancel=0xbfffdd68, aHandled=0xbfffdcd0, inString=0xbfffdf60, outString=0xbfffddb0, aMaxLength=-1) at /usr/local/src/mozilla/editor/libeditor/html/nsHTMLEditRules.cpp:1311
#14 0x08761c55 in nsHTMLEditRules::WillDoAction (this=0xa29c210, aSelection=0x9f90c78, aInfo=0xbfffdd70, aCancel=0x0, aHandled=0xb75247ec) at /usr/local/src/mozilla/editor/libeditor/html/nsHTMLEditRules.cpp:589
#15 0x087afdd2 in nsPlaintextEditor::InsertText (this=0xa21cc58, aStringToInsert=@0x0) at /usr/local/src/mozilla/editor/libeditor/text/nsPlaintextEditor.cpp:789
#16 0x087ae797 in nsPlaintextEditor::TypedText (this=0xa21cc58, aString=@0x0, aAction=0) at /usr/local/src/mozilla/editor/libeditor/text/nsPlaintextEditor.cpp:426
#17 0x087455f4 in nsHTMLEditor::TypedText (this=0xa21cc58, aString=@0x0, aAction=0) at /usr/local/src/mozilla/editor/libeditor/html/nsHTMLEditor.cpp:1356
#18 0x08745589 in nsHTMLEditor::HandleKeyPress (this=0xa21cc58, aKeyEvent=0xa4f9298) at /usr/local/src/mozilla/editor/libeditor/html/nsHTMLEditor.cpp:1334
#19 0x087b78fc in nsTextEditorKeyListener::KeyPress (this=0xbfffe0b0, aKeyEvent=0xa4f9298) at /usr/local/src/mozilla/editor/libeditor/text/nsEditorEventListeners.cpp:249
#20 0x08502a44 in DispatchToInterface (aEvent=0x0, aListener=0xb75247ec, aMethod={__pfn = 0x19, __delta = 0}, aIID=@0x0, aHasInterface=0x0) at /usr/local/src/mozilla/content/events/src/nsEventListenerManager.cpp:136
#21 0x08505c71 in nsEventListenerManager::HandleEvent (this=0x9f911b8, aPresContext=0xa21dee0, aEvent=0xbfffe860, aDOMEvent=0xbfffe26c, aCurrentTarget=0xa0adde0, aFlags=514, aEventStatus=0xbfffe5e8) at /usr/local/src/mozilla/content/events/src/nsEventListenerManager.cpp:1689
#22 0x084c0579 in nsDocument::HandleDOMEvent (this=0xa0add30, aPresContext=0xa21dee0, aEvent=0xbfffe860, aDOMEvent=0xbfffe26c, aFlags=514, aEventStatus=0xbfffe5e8) at /usr/local/src/mozilla/content/base/src/nsDocument.cpp:4131
#23 0x084da059 in nsGenericElement::HandleDOMEvent (this=0x9f7b310, aPresContext=0xa21dee0, aEvent=0xbfffe860, aDOMEvent=0xbfffe26c, aFlags=519, aEventStatus=0xbfffe5e8) at /usr/local/src/mozilla/content/base/src/nsGenericElement.cpp:2165
#24 0x083198d6 in PresShell::HandleEventInternal (this=0xa18e450, aEvent=0xbfffe860, aView=0xa21e3e0, aFlags=1, aStatus=0xbfffe5e8) at /usr/local/src/mozilla/layout/base/nsPresShell.cpp:6386
#25 0x08319334 in PresShell::HandleEvent (this=0xa18e450, aView=0xa21e3e0, aEvent=0xbfffe860, aEventStatus=0xbfffe5e8, aForceHandle=1, aHandled=@0xbfffe5ec) at /usr/local/src/mozilla/layout/base/nsPresShell.cpp:6198
#26 0x085a5630 in nsViewManager::HandleEvent (this=0xa21e360, aView=0xa21e3e0, aEvent=0xbfffe860, aCaptured=0) at /usr/local/src/mozilla/view/src/nsViewManager.cpp:2512
#27 0x085a4f25 in nsViewManager::DispatchEvent (this=0xa21e360, aEvent=0xbfffe860, aStatus=0xbfffe7b0) at /usr/local/src/mozilla/view/src/nsViewManager.cpp:2246
#28 0x0859dc09 in HandleEvent (aEvent=0xbfffe860) at /usr/local/src/mozilla/view/src/nsView.cpp:171
#29 0x082bbb55 in nsCommonWidget::DispatchEvent (this=0xa21e450, aEvent=0xbfffe860, aStatus=@0xbfffe80c) at /usr/local/src/mozilla/widget/src/gtk2/nsCommonWidget.cpp:219
#30 0x082b4034 in nsWindow::OnKeyPressEvent (this=0xa21e450, aWidget=0x9ed5428, aEvent=0xbfffe860) at /usr/local/src/mozilla/widget/src/gtk2/nsWindow.cpp:1768
#31 0x082b808d in key_press_event_cb (widget=0x9ed5428, event=0x0) at /usr/local/src/mozilla/widget/src/gtk2/nsWindow.cpp:3850
...

The same behaviour is observed under Win32.

Reproducible: Always

Steps to Reproduce:
1. Start a new mail in Thunderbird Trunk.
2. Type a few lines of text.
3. Press Ctrl-Shift-Home, and start typing a few more lines of text to replace the selection.
4. Repeat 3 once.

Actual Results: The app segfaults.
This prevents the segfault by trapping on mIterator being null. However, it doesn't fix the underlying problem of the spellchecking code introducing invalid nodes/iterators in the first place. Debugging output is now:

WARNING: NS_ENSURE_TRUE(currentAnchorNode) failed, file /usr/local/src/mozilla/extensions/spellcheck/src/mozInlineSpellChecker.cpp, line 1134
WARNING: NS_ENSURE_TRUE(NS_SUCCEEDED(rv)) failed, file /usr/local/src/mozilla/editor/txtsvc/src/nsFilteredContentIterator.cpp, line 110
WARNING: NS_ENSURE_TRUE(NS_SUCCEEDED(res)) failed, file /usr/local/src/mozilla/extensions/spellcheck/src/mozInlineSpellChecker.cpp, line 905
###!!! ASSERTION: Invalid Iterator in Delete Node!: 'mIterator', file /usr/local/src/mozilla/editor/txtsvc/src/nsTextServicesDocument.cpp, line 2537
Break: at file /usr/local/src/mozilla/editor/txtsvc/src/nsTextServicesDocument.cpp, line 2537

but at least it doesn't segfault.
(bumping the severity of this up to major as it's a fairly painful crash).
Severity: normal → major
For what it's worth, this behaviour doesn't present on a snapshot from 12th July 2005, but does exist on a snapshot from 11th August 2005.
it's a crash, all crashes are critical unless they're not in normally reachable code :)
Severity: major → critical
Keywords: crash
Attachment #192741 - Flags: superreview?(neil.parkwaycc.co.uk)
Attachment #192741 - Flags: review?(akkzilla)
Comment on attachment 192741: Workaround for trapping null iterator in nsTextServiceDocument
Most of the other functions seem to begin with NS_ENSURE_TRUE(mIterator, NS_ERROR_FAILURE);
Comment on attachment 192741: Workaround for trapping null iterator in nsTextServiceDocument
I don't suppose anyone has any idea why mozInlineSpellChecker is calling DeleteNode when the iterator is null? Anyway, other functions in this file do the check (either with ! or with NS_ENSURE_TRUE -- it's not that consistent, and ! as in the patch is fine as far as I'm concerned) and fixing the crash is most important. r=akkana, but please leave this bug open, or open a new one, to whoever owns the spellchecker, since this sounds like it's probably a bug in the way mozInlineSpellChecker works.
Attachment #192741 - Flags: review?(akkzilla) → review+
Confirming this crasher.
Status: UNCONFIRMED → NEW
Ever confirmed: true
Blocks: 316690
regression? asking b/c I just recently upgraded to this build and I thought something like this was fixed at one time. patch is on the way?

Incident ID: 11843706
Stack Signature nsTextServicesDocument::DeleteNode e00281ec
Product ID ThunderbirdTrunk
Build ID 2005111308
Trigger Time 2005-11-14 13:52:56.0
Platform Win32
Operating System Windows NT 5.0 build 2195
Module thunderbird.exe + (0031bd5c)
URL visited
User Comments
Since Last Crash 17969 sec
Total Uptime 17969 sec
Trigger Reason Access violation
Source File, Line No. e:/builds/tinderbox/thunderbird-trunk/WINNT_5.0_Depend/mozilla/editor/txtsvc/src/nsTextServicesDocument.cpp, line 2525

Stack Trace
nsTextServicesDocument::DeleteNode [e:/builds/tinderbox/thunderbird-trunk/WINNT_5.0_Depend/mozilla/editor/txtsvc/src/nsTextServicesDocument.cpp, line 2525]
nsTSDNotifier::DidDeleteNode [e:/builds/tinderbox/thunderbird-trunk/WINNT_5.0_Depend/mozilla/editor/txtsvc/src/nsTSDNotifier.cpp, line 119]
nsHTMLEditor::DeleteNode [e:/builds/tinderbox/thunderbird-trunk/WINNT_5.0_Depend/mozilla/editor/libeditor/html/nsHTMLEditor.cpp, line 3882]
nsTextEditRules::DidDeleteSelection [e:/builds/tinderbox/thunderbird-trunk/WINNT_5.0_Depend/mozilla/editor/libeditor/text/nsTextEditRules.cpp, line 1005]
nsHTMLEditRules::DidDeleteSelection [e:/builds/tinderbox/thunderbird-trunk/WINNT_5.0_Depend/mozilla/editor/libeditor/html/nsHTMLEditRules.cpp, line 2858]
nsHTMLEditRules::DidDoAction [e:/builds/tinderbox/thunderbird-trunk/WINNT_5.0_Depend/mozilla/editor/libeditor/html/nsHTMLEditRules.cpp, line 641]
nsPlaintextEditor::DeleteSelection [e:/builds/tinderbox/thunderbird-trunk/WINNT_5.0_Depend/mozilla/editor/libeditor/text/nsPlaintextEditor.cpp, line 721]
nsTextEditorKeyListener::KeyPress [e:/builds/tinderbox/thunderbird-trunk/WINNT_5.0_Depend/mozilla/editor/libeditor/text/nsEditorEventListeners.cpp, line 203]
DispatchToInterface [e:/builds/tinderbox/thunderbird-trunk/WINNT_5.0_Depend/mozilla/content/events/src/nsEventListenerManager.cpp, line 140]
nsEventListenerManager::HandleEvent [e:/builds/tinderbox/thunderbird-trunk/WINNT_5.0_Depend/mozilla/content/events/src/nsEventListenerManager.cpp, line 1776]
nsDocument::HandleDOMEvent [e:/builds/tinderbox/thunderbird-trunk/WINNT_5.0_Depend/mozilla/content/base/src/nsDocument.cpp, line 4232]
nsGenericElement::HandleDOMEvent [e:/builds/tinderbox/thunderbird-trunk/WINNT_5.0_Depend/mozilla/content/base/src/nsGenericElement.cpp, line 2202]
PresShell::HandleEventInternal [e:/builds/tinderbox/thunderbird-trunk/WINNT_5.0_Depend/mozilla/layout/base/nsPresShell.cpp, line 6056]
PresShell::HandleEvent [e:/builds/tinderbox/thunderbird-trunk/WINNT_5.0_Depend/mozilla/layout/base/nsPresShell.cpp, line 5857]
nsViewManager::HandleEvent [e:/builds/tinderbox/thunderbird-trunk/WINNT_5.0_Depend/mozilla/view/src/nsViewManager.cpp, line 2504]
nsViewManager::DispatchEvent [e:/builds/tinderbox/thunderbird-trunk/WINNT_5.0_Depend/mozilla/view/src/nsViewManager.cpp, line 2237]
HandleEvent [e:/builds/tinderbox/thunderbird-trunk/WINNT_5.0_Depend/mozilla/view/src/nsView.cpp, line 176]
nsWindow::DispatchEvent [e:/builds/tinderbox/thunderbird-trunk/WINNT_5.0_Depend/mozilla/widget/src/windows/nsWindow.cpp, line 1140]
nsWindow::DispatchKeyEvent [e:/builds/tinderbox/thunderbird-trunk/WINNT_5.0_Depend/mozilla/widget/src/windows/nsWindow.cpp, line 3344]
nsWindow::OnKeyDown [e:/builds/tinderbox/thunderbird-trunk/WINNT_5.0_Depend/mozilla/widget/src/windows/nsWindow.cpp, line 3482]
nsWindow::ProcessMessage [e:/builds/tinderbox/thunderbird-trunk/WINNT_5.0_Depend/mozilla/widget/src/windows/nsWindow.cpp, line 4427]
nsWindow::WindowProc [e:/builds/tinderbox/thunderbird-trunk/WINNT_5.0_Depend/mozilla/widget/src/windows/nsWindow.cpp, line 1329]
USER32.dll + 0x3158f (0x77e4158f)
USER32.dll + 0x31dc9 (0x77e41dc9)
USER32.dll + 0x31e7e (0x77e41e7e)
nsAppStartup::Run [e:/builds/tinderbox/thunderbird-trunk/WINNT_5.0_Depend/mozilla/toolkit/components/startup/src/nsAppStartup.cpp, line 162]
main [e:/builds/tinderbox/thunderbird-trunk/WINNT_5.0_Depend/mozilla/mail/app/nsMailApp.cpp, line 62]
KERNEL32.dll + 0x28989 (0x7c598989)
I just moved to a trunk build recently and I'm hitting this quite frequently. I've never run into it on the branch though. I wonder what has aggravated it so much lately.
Attached patch: better fix
Using the NS_ENSURE_TRUE macro is a better way to catch this case.
Attachment #192741 - Attachment is obsolete: true
Attachment #203858 - Flags: superreview?(neil.parkwaycc.co.uk)
Attachment #192741 - Flags: superreview?(neil.parkwaycc.co.uk)
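The guard the reviewers settle on, sketched as a self-contained C++ model; this is an added example, not the attached patch and not Mozilla source. ENSURE_TRUE, Result, kOk, kFailure, ContentIterator and TextServicesDoc are simplified stand-ins assumed for illustration.

```cpp
#include <algorithm>
#include <cstdint>
#include <cstdio>
#include <memory>
#include <utility>
#include <vector>

// Stand-ins for this sketch; not the Mozilla definitions.
using Result = uint32_t;
constexpr Result kOk = 0;
constexpr Result kFailure = 0x80004005u;  // numeric value of NS_ERROR_FAILURE

// Warn-and-return guard in the style of NS_ENSURE_TRUE (simplified).
#define ENSURE_TRUE(cond, ret)                                          \
  do {                                                                  \
    if (!(cond)) {                                                      \
      std::fprintf(stderr, "WARNING: ENSURE_TRUE(%s) failed\n", #cond); \
      return (ret);                                                     \
    }                                                                   \
  } while (0)

struct Node { int id; };

// Hypothetical iterator: the set of nodes the document is tracking.
struct ContentIterator {
  std::vector<const Node*> nodes;
  void Forget(const Node* n) {
    nodes.erase(std::remove(nodes.begin(), nodes.end(), n), nodes.end());
  }
};

// Model of a listener that the editor notifies after it deletes a node.
class TextServicesDoc {
 public:
  void InitIterator(std::vector<const Node*> nodes) {
    mIterator.reset(new ContentIterator{std::move(nodes)});
  }
  // Entry point reached from editor notifications, so it cannot assume
  // that iterator setup succeeded earlier.
  Result DeleteNode(const Node* aChild) {
    ENSURE_TRUE(aChild, kFailure);
    ENSURE_TRUE(mIterator, kFailure);  // checked before any mIterator-> use
    mIterator->Forget(aChild);
    return kOk;
  }
  std::size_t Tracked() const { return mIterator ? mIterator->nodes.size() : 0; }
 private:
  std::unique_ptr<ContentIterator> mIterator;  // null until InitIterator runs
};
```

The failure return only stops the null dereference; whatever left the iterator unset is a separate defect, which is why the first reviewer asked for the spellchecker side to stay tracked.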
Incident ID: 12136182
Stack Signature nsTextServicesDocument::DeleteNode
Product ID MozillaTrunk
Build ID 2005112110
Platform Win32 (win98)

I was composing a mail in seamonkey mail composer, hard selected a part, copied something from a gmail and pasted it over the selection in composer, crash.
Comment on attachment 203858: better fix
Now that my build machine is back online I can't seem to reproduce this crash :-( Note that the file is inconsistent and sometimes uses if (!mIterator) return
Attachment #203858 - Flags: superreview?(neil.parkwaycc.co.uk) → superreview+
I checked in this crash fix on the trunk.
Status: NEW → RESOLVED
Closed: 19 years ago
Resolution: --- → FIXED
Tested with SeaMonkey 1.5a trunk; Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9a1) Gecko/20051202 Mozilla/1.0 and Thunderbird trunk version 1.6a1 (20051202) on Windows XP
Ctrl-Shift-Home followed by typing (as a replacement of the selected text) no longer crashes...
Verified FIXED
Status: RESOLVED → VERIFIED
*** Bug 316690 has been marked as a duplicate of this bug. ***
No longer blocks: 316690
*** Bug 319536 has been marked as a duplicate of this bug. ***
Comment on attachment 203858: better fix
This is becoming a topcrash for FC5 test2's Thunderbird 1.5 RCs.
Attachment #203858 - Flags: approval1.8.0.1?
Weird. I've never seen this stack trace in talkback on the 1.5 branch, only on the trunk.
From the reports, I've managed to find a failsafe means of reproducing on 1.5 after playing with it today:

Using plaintext editor and spellcheck:
- Compose new mail
- Type a single character, hit return.
- Select all
- Type another character
- BOOM
Comment on attachment 203858: better fix
too late for 1.8.0.1, moving milestones
Attachment #203858 - Flags: approval1.8.1?
Attachment #203858 - Flags: approval1.8.0.2?
Attachment #203858 - Flags: approval1.8.0.1?
Attachment #203858 - Flags: approval1.8.0.1-
Comment on attachment 203858: better fix
approving for thunderbird 2.0
Attachment #203858 - Flags: approval1.8.1? → approval1.8.1+
Keywords: fixed1.8.1
Flags: blocking1.8.0.2+
Comment on attachment 203858: better fix
approved for 1.8.0 branch, a=dveditz
Attachment #203858 - Flags: approval1.8.0.2? → approval1.8.0.2+
Whiteboard: [nvn-dl]
Verified fixed on the 1.8.0 branch using version 1.5.0.2 (20060308) following the reporter's STR. Adding SW term.
Whiteboard: [nvn-dl] → [nvn-dl][qa:verified-tb-1802]
*** Bug 326995 has been marked as a duplicate of this bug. ***
*** Bug 326521 has been marked as a duplicate of this bug. ***
*** Bug 335788 has been marked as a duplicate of this bug. ***
Crash Signature: [@ nsTextServicesDocument::DeleteNode]