Closed Bug 325386 Opened 19 years ago Closed 18 years ago

[FIX] Crash when trying to create an htmleditor instance [@ nsEditor::GetDOMEventReceiver]

Categories

(Core :: DOM: Editor, defect)

x86
All
defect
Not set
critical

Tracking

()

RESOLVED FIXED

People

(Reporter: martijn.martijn, Assigned: MatsPalmgren_bugz)

References

Details

(Keywords: crash, fixed1.8.1, testcase)

Crash Data

Attachments

(3 files)

See upcoming testcase, you need to test the testcase locally to get the crash.
Attached file testcase
Attached file backtrace
This is the backtrace I get. First I get an assertion: ###!!! ASSERTION: bad state, null mDocWeak: 'mDocWeak', file c:/mozilla/mozilla/ editor/libeditor/base/nsEditor.cpp, line 2334 Break: at file c:/mozilla/mozilla/editor/libeditor/base/nsEditor.cpp, line 2334 Another assertion: ###!!! ASSERTION: null parameter: 'aSource', file ../../../dist/include/xpcom/ns IWeakReferenceUtils.h, line 59 Break: at file ../../../dist/include/xpcom/nsIWeakReferenceUtils.h, line 59 And then the crash: Program received signal SIGSEGV, Segmentation fault. 0x0f237177 in unsigned CallQueryReferent<nsDerivedSafe<nsIWeakReference>, nsIDOM EventReceiver>(nsDerivedSafe<nsIWeakReference>*, nsIDOMEventReceiver**) ( aSource=<incomplete type>, aDestination=0x22d980) at ../../../dist/include/xpcom/nsIWeakReferenceUtils.h:62 62 return aSource->QueryReferent(NS_GET_TEMPLATE_IID(DestinationType), Current language: auto; currently c++ (gdb) bt #0 0x0f237177 in unsigned CallQueryReferent<nsDerivedSafe<nsIWeakReference>, ns IDOMEventReceiver>(nsDerivedSafe<nsIWeakReference>*, nsIDOMEventReceiver**) ( aSource=<incomplete type>, aDestination=0x22d980) at ../../../dist/include/xpcom/nsIWeakReferenceUtils.h:62 #1 0x0f21931a in nsEditor::GetDOMEventReceiver() (this=0x1035a428) at c:/mozilla/mozilla/editor/libeditor/base/nsEditor.cpp:5363 #2 0x0f161699 in nsHTMLEditor::RemoveEventListeners() (this=0x1035a428) at c:/mozilla/mozilla/editor/libeditor/html/nsHTMLEditor.cpp:370 #3 0x0f160a7e in nsHTMLEditor::~nsHTMLEditor() (this=0x1035a428) at c:/mozilla/mozilla/editor/libeditor/html/nsHTMLEditor.cpp:237 etc.
OS: Windows XP → All
Attached patch Patch rev. 1Splinter Review
RemoveEventListeners() is called from a lot of places when destroying an editor, when failures occur etc. so I think it's reasonable for it to be callable even if Init() has not been done. This patch adds some null-checks to do that. It fixes this bug and I also think it might fix the crash in bug 341058 although I can't reproduce that crash myself.
Attachment #225434 - Flags: review?(mozeditor)
Comment on attachment 225434 [details] [diff] [review] Patch rev. 1 floppy moose isn't around.
Attachment #225434 - Flags: review?(mozeditor) → review+
Attachment #225434 - Flags: superreview?(roc)
Assignee: mozeditor → mats.palmgren
Summary: Crash when trying to create an htmleditor instance → [FIX] Crash when trying to create an htmleditor instance
Attachment #225434 - Flags: superreview?(roc) → superreview+
Checked in to trunk 2006-06-16 17:17 PDT Checking in editor/libeditor/base/nsEditor.cpp; /cvsroot/mozilla/editor/libeditor/base/nsEditor.cpp,v <-- nsEditor.cpp new revision: 1.469; previous revision: 1.468 done Checking in editor/libeditor/html/nsHTMLEditor.cpp; /cvsroot/mozilla/editor/libeditor/html/nsHTMLEditor.cpp,v <-- nsHTMLEditor.cpp new revision: 1.540; previous revision: 1.539 done -> FIXED
Status: NEW → RESOLVED
Closed: 18 years ago
Resolution: --- → FIXED
Summary: [FIX] Crash when trying to create an htmleditor instance → [FIX] Crash when trying to create an htmleditor instance [@ nsEditor::GetDOMEventReceiver]
Blocks: 341058
Comment on attachment 225434 [details] [diff] [review] Patch rev. 1 The crash still occurs on 1.8 branch (bug 341058). I searched http://talkback-public.mozilla.org/ and there were 124 crashes between 2006-04-14 -- 2006-08-07 with "GetDOMEventReceiver" on the stack. The patch is low risk, just a few null-pointer checks basically. It has baked on trunk for about two months now.
Attachment #225434 - Flags: approval1.8.1?
Comment on attachment 225434 [details] [diff] [review] Patch rev. 1 a=drivers, null checks ftw!
Attachment #225434 - Flags: approval1.8.1? → approval1.8.1+
fixed1.8.1 kw?
I usually wait until all tier-1 platforms go green first, in case I need to back it out for some reason. http://tinderbox.mozilla.org/showbuilds.cgi?tree=Mozilla1.8
Checked in to MOZILLA_1_8_BRANCH at 2006-08-10 07:41 PDT.
Keywords: fixed1.8.1
Crash Signature: [@ nsEditor::GetDOMEventReceiver]
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Created:
Updated:
Size: