Closed
Bug 325386
Opened 19 years ago
Closed 18 years ago
[FIX] Crash when trying to create an htmleditor instance [@ nsEditor::GetDOMEventReceiver]
Categories
(Core :: DOM: Editor, defect)
Tracking
()
RESOLVED
FIXED
People
(Reporter: martijn.martijn, Assigned: MatsPalmgren_bugz)
References
Details
(Keywords: crash, fixed1.8.1, testcase)
Crash Data
Attachments
(3 files)
407 bytes,
text/html
|
Details | |
20.35 KB,
text/plain
|
Details | |
2.84 KB,
patch
|
timeless
:
review+
roc
:
superreview+
beltzner
:
approval1.8.1+
|
Details | Diff | Splinter Review |
See upcoming testcase, you need to test the testcase locally to get the crash.
Reporter | ||
Comment 1•19 years ago
|
||
Reporter | ||
Comment 2•19 years ago
|
||
This is the backtrace I get. First I get an assertion:
###!!! ASSERTION: bad state, null mDocWeak: 'mDocWeak', file c:/mozilla/mozilla/
editor/libeditor/base/nsEditor.cpp, line 2334
Break: at file c:/mozilla/mozilla/editor/libeditor/base/nsEditor.cpp, line 2334
Another assertion:
###!!! ASSERTION: null parameter: 'aSource', file ../../../dist/include/xpcom/ns
IWeakReferenceUtils.h, line 59
Break: at file ../../../dist/include/xpcom/nsIWeakReferenceUtils.h, line 59
And then the crash:
Program received signal SIGSEGV, Segmentation fault.
0x0f237177 in unsigned CallQueryReferent<nsDerivedSafe<nsIWeakReference>, nsIDOM
EventReceiver>(nsDerivedSafe<nsIWeakReference>*, nsIDOMEventReceiver**) (
aSource=<incomplete type>, aDestination=0x22d980)
at ../../../dist/include/xpcom/nsIWeakReferenceUtils.h:62
62 return aSource->QueryReferent(NS_GET_TEMPLATE_IID(DestinationType),
Current language: auto; currently c++
(gdb) bt
#0 0x0f237177 in unsigned CallQueryReferent<nsDerivedSafe<nsIWeakReference>, ns
IDOMEventReceiver>(nsDerivedSafe<nsIWeakReference>*, nsIDOMEventReceiver**) (
aSource=<incomplete type>, aDestination=0x22d980)
at ../../../dist/include/xpcom/nsIWeakReferenceUtils.h:62
#1 0x0f21931a in nsEditor::GetDOMEventReceiver() (this=0x1035a428)
at c:/mozilla/mozilla/editor/libeditor/base/nsEditor.cpp:5363
#2 0x0f161699 in nsHTMLEditor::RemoveEventListeners() (this=0x1035a428)
at c:/mozilla/mozilla/editor/libeditor/html/nsHTMLEditor.cpp:370
#3 0x0f160a7e in nsHTMLEditor::~nsHTMLEditor() (this=0x1035a428)
at c:/mozilla/mozilla/editor/libeditor/html/nsHTMLEditor.cpp:237
etc.
Assignee | ||
Updated•18 years ago
|
OS: Windows XP → All
Assignee | ||
Comment 3•18 years ago
|
||
RemoveEventListeners() is called from a lot of places when destroying
an editor, when failures occur etc. so I think it's reasonable for it to be
callable even if Init() has not been done.
This patch adds some null-checks to do that.
It fixes this bug and I also think it might fix the crash in bug 341058
although I can't reproduce that crash myself.
Attachment #225434 -
Flags: review?(mozeditor)
Comment on attachment 225434 [details] [diff] [review]
Patch rev. 1
floppy moose isn't around.
Attachment #225434 -
Flags: review?(mozeditor) → review+
Assignee | ||
Updated•18 years ago
|
Attachment #225434 -
Flags: superreview?(roc)
Assignee | ||
Updated•18 years ago
|
Assignee: mozeditor → mats.palmgren
Summary: Crash when trying to create an htmleditor instance → [FIX] Crash when trying to create an htmleditor instance
Attachment #225434 -
Flags: superreview?(roc) → superreview+
Assignee | ||
Comment 5•18 years ago
|
||
Checked in to trunk 2006-06-16 17:17 PDT
Checking in editor/libeditor/base/nsEditor.cpp;
/cvsroot/mozilla/editor/libeditor/base/nsEditor.cpp,v <-- nsEditor.cpp
new revision: 1.469; previous revision: 1.468
done
Checking in editor/libeditor/html/nsHTMLEditor.cpp;
/cvsroot/mozilla/editor/libeditor/html/nsHTMLEditor.cpp,v <-- nsHTMLEditor.cpp
new revision: 1.540; previous revision: 1.539
done
-> FIXED
Status: NEW → RESOLVED
Closed: 18 years ago
Resolution: --- → FIXED
Assignee | ||
Updated•18 years ago
|
Summary: [FIX] Crash when trying to create an htmleditor instance → [FIX] Crash when trying to create an htmleditor instance [@ nsEditor::GetDOMEventReceiver]
Assignee | ||
Comment 6•18 years ago
|
||
Comment on attachment 225434 [details] [diff] [review]
Patch rev. 1
The crash still occurs on 1.8 branch (bug 341058).
I searched http://talkback-public.mozilla.org/ and there were
124 crashes between 2006-04-14 -- 2006-08-07 with
"GetDOMEventReceiver" on the stack.
The patch is low risk, just a few null-pointer checks basically.
It has baked on trunk for about two months now.
Attachment #225434 -
Flags: approval1.8.1?
Comment 7•18 years ago
|
||
Comment on attachment 225434 [details] [diff] [review]
Patch rev. 1
a=drivers, null checks ftw!
Attachment #225434 -
Flags: approval1.8.1? → approval1.8.1+
Comment 8•18 years ago
|
||
fixed1.8.1 kw?
Assignee | ||
Comment 9•18 years ago
|
||
I usually wait until all tier-1 platforms go green first, in case I need to
back it out for some reason.
http://tinderbox.mozilla.org/showbuilds.cgi?tree=Mozilla1.8
Assignee | ||
Comment 10•18 years ago
|
||
Checked in to MOZILLA_1_8_BRANCH at 2006-08-10 07:41 PDT.
Keywords: fixed1.8.1
Updated•13 years ago
|
Crash Signature: [@ nsEditor::GetDOMEventReceiver]
You need to log in
before you can comment on or make changes to this bug.
Description
•