Closed Bug 343741 Opened 18 years ago Closed 18 years ago

Crash with strange text in textarea in xul window

Categories

(Core :: Spelling checker, defect)

x86
Windows XP
defect
Not set
critical

Tracking

()

VERIFIED FIXED

People

(Reporter: martijn.martijn, Assigned: roc)

References

Details

(4 keywords)

Attachments

(3 files, 1 obsolete file)

See upcoming testcase, which crashes current trunk builds of Firefox.
It doesn't crash with the 2006-07-03 build, it crashes in the 2006-07-04 build, so this looks like a regression from bug 339066.
It also crashes current branch builds of Firefox2.
Attached file testcase
The testcase consists of this:
<window xmlns="http://www.mozilla.org/keymaster/gatekeeper/there.is.only.xul"
 title="Testcase bug 343741 - Crash with strange text in textarea in xul window">
<textarea xmlns="http://www.w3.org/1999/xhtml">ý </textarea>
</window>

Talkback ID: TB20646354Z

From a debug build, I get this (not very useful, I suspect):
Program received signal SIGSEGV, Segmentation fault.
0x77bebc99 in msvcrt!isspace () from /cygdrive/c/WINDOWS/system32/msvcrt.dll
(gdb) b
Breakpoint 1 at 0x77bebc99
(gdb) bt
#0  0x77bebc99 in msvcrt!isspace ()
   from /cygdrive/c/WINDOWS/system32/msvcrt.dll
#1  0x0022e400 in ?? ()
(gdb)
From talkback ID:
MSVCR80.dll + 0x1be6c (0x6025be6c)
MSVCR80.dll + 0x1bea8 (0x6025bea8)
mozInlineSpellWordUtil::BuildRealWords   0x0012f110
0x0012f158
kEventListenerManagerCID
   0xa81ce948
It seems that people are crashing with SeaMonkey/Thunderbird while they're sending mail, see bug 343748 and bug 343742 (Talkback IDs in the bugs). Looks pretty much similar to this crash.
Ah, I see. Well, this bug has a nice testcase that triggers the crash, so marking those bugs dependent on this bug.
Blocks: 343742, 343748
I don't crash in my fresh trunk build. Martijn, what charset is that document supposed to be, and what character is that mystery character? I wonder if Bugzilla is telling me the wrong charset and that's why this works.

If you can get this to crash in a debug build on your machine, give me that stack and I bet we can fix it from there.
No longer blocks: 343748
No longer blocks: 343742
(In reply to comment #5)
> I don't crash in my fresh trunk build. Martijn, what charset is that document
> supposed to be, and what character is that mystery character? I wonder if
> Bugzilla is telling me the wrong charset and that's why this works.

In a build that doesn't crash, it gives me UTF-8. I don't really know what that mystery character is, I just pasted it from somewhere. It shows up as a 'ý' in my text editor.

> If you can get this to crash in a debug build on your machine, give me that
> stack and I bet we can fix it from there.

It is crashing in my debug build. I've added a stack from the debug build in comment 1, but as you can see, it's not very useful.
Are you opening that file in a content window, or using -chrome?
Just opening in a content window.
Martijn, can you get a stack trace using the VC++ debugger?
Found this bug while searching for the crash with stack signature MSVCR80.dll + 0x1be6c (0x7814be6c); maybe it's the same bug?

Firefox Branch and Trunk immediately crash at this url:
http://www.high-beyond.com/perspective.aspx?action=edit-form&page=sandbox.EditMe
Firefox 1.5.0.4 does not crash.
Don't know when this started because I just stumbled upon this url.
Talkback IDs Branch: TB20722089Y TB20721614M TB20721596K TB20721584Z TB20721571W
Trunk: TB20721697Z TB20721648H TB20671208Q TB20671198Y

Tested with:    Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1a3) Gecko/20060707 BonEcho/2.0a3
and    Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9a1) Gecko/20060706 Minefield/3.0a1
  
Attached file another testcase
I'm not sure if adding this is redundant, but here's another testcase that yields an identical talkback stack.
(In reply to comment #10)
> Found this Bug while searching for Crash with Stack Signature MSVCR80.dll +
> 0x1be6c (0x7814be6c) maybe it's the same Bug?
> 
> Firefox Branch and Trunk immediately crash at this url:
> http://www.high-beyond.com/perspective.aspx?action=edit-form&page=sandbox.EditMe
> Firefox 1.5.0.4 does not crash.
> Dont know when this started because I just stumbled upon this url.
> Talkback IDs Branch: TB20722089Y TB20721614M TB20721596K TB20721584Z
> TB20721571W
> Trunk: TB20721697Z TB20721648H TB20671208Q TB20671198Y
> 
> Tested with:    Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1a3)
> Gecko/20060707 BonEcho/2.0a3
> and    Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9a1) Gecko/20060706
> Minefield/3.0a1

Bon Echo 2006070805 did not crash for me at this 'insta-crash' URL example. I've customized my tab settings (tabclipwidth, tabminwidth) and have these extensions:
CustomizeGoogle 0.49
DOM Inspector 1.8.1b1
DownThemAll! 0.9.9.5.1
Forecastfox 0.9.2
Leak Monitor 0.3.4
Nightly Tester Tools 1.0.4
Talkback 2.0b1
UnPlug 1.4.0
(In reply to comment #9)
> Martijn, can you get a stack trace using the VC++ debugger?

I currently don't have a vc build running, this could take me a while.

I can't get this to crash with VC8 attached, but I do get a series of Microsoft debug assertions (not NS_ASSERT) that read:

File: isctype.c
Line: 68
Expression: (unsigned)(c+1)<= 256

Here's the stack which would be consistent with a crash in isspace mentioned earlier:

msvcr80d.dll!1023c92d()
[Frames below may be incorrect and/or missing, no symbols loaded for msvcr80d.dll]
msvcr80d.dll!1023cf01()
msvcr80d.dll!1023cf49()
> spellchk.dll!WordSplitState::ClassifyCharacter(int aIndex=0, int aRecurse=1)  Line 841 + 0x16 bytes  C++
spellchk.dll!mozInlineSpellWordUtil::SplitDOMWord(int aStart=0, int aEnd=1)  Line 1008 + 0xc bytes  C++
spellchk.dll!mozInlineSpellWordUtil::BuildRealWords()  Line 640  C++
spellchk.dll!mozInlineSpellWordUtil::EnsureWords()  Line 264  C++
spellchk.dll!mozInlineSpellWordUtil::SetPosition(nsIDOMNode * aNode=0x04c42ba0, int aOffset=0)  Line 250  C++
spellchk.dll!mozInlineSpellChecker::DoSpellCheck(mozInlineSpellWordUtil & aWordUtil={...}, nsIDOMRange * aRange=0x04b65820, nsIDOMRange * aNoCheckRange=0x00000000, nsISelection * aSpellCheckSelection=0x04c1ec80)  Line 868  C++
spellchk.dll!mozInlineSpellChecker::SpellCheckBetweenNodes(nsIDOMNode * aStartNode=0x04bf2ff4, int aStartOffset=0, nsIDOMNode * aEndNode=0x04bf2ff4, int aEndOffset=2, nsISelection * aSpellCheckSelection=0x04c1ec80)  Line 751 + 0x23 bytes  C++
spellchk.dll!mozInlineSpellChecker::SpellCheckRange(nsIDOMRange * aRange=0x00000000)  Line 412 + 0x27 bytes  C++
spellchk.dll!mozInlineSpellChecker::SetEnableRealTimeSpell(int aEnabled=1)  Line 265 + 0x10 bytes  C++
gklayout.dll!nsTextControlFrame::SetEnableRealTimeSpell(int aEnabled=1)  Line 1642  C++
gklayout.dll!nsTextControlFrame::SyncRealTimeSpell()  Line 1680  C++
gklayout.dll!nsTextControlFrame::InitEditor()  Line 1780  C++
gklayout.dll!nsTextControlFrame::PostCreateFrames()  Line 1418  C++
gklayout.dll!nsCSSFrameConstructor::CreateAnonymousFrames(nsFrameConstructorState & aState={...}, nsIContent * aParent=0x04bf3f10, nsIDocument * aDocument=0x03923e58, nsIFrame * aParentFrame=0x03cc1ab4, int aForceBindingParent=0, int aAppendToExisting=0, nsFrameItems & aChildItems={...}, nsIFrame * aAnonymousCreator=0x00000000, nsIContent * aInsertionNode=0x00000000, int aAnonymousParentIsBlock=0)  Line 6025  C++
gklayout.dll!nsCSSFrameConstructor::CreateAnonymousFrames(nsIAtom * aTag=0x01d6d4a8, nsFrameConstructorState & aState={...}, nsIContent * aParent=0x04bf3f10, nsIFrame * aNewFrame=0x03cc1ab4, int aAppendToExisting=0, nsFrameItems & aChildItems={...}, int aIsRoot=0)  Line 5898  C++
gklayout.dll!nsCSSFrameConstructor::ConstructHTMLFrame(nsFrameConstructorState & aState={...}, nsIContent * aContent=0x04bf3f10, nsIFrame * aParentFrame=0x03cc13e4, nsIAtom * aTag=0x01d6d4a8, int aNameSpaceID=3, nsStyleContext * aStyleContext=0x03cc15a4, nsFrameItems & aFrameItems={...}, int aHasPseudoParent=0)  Line 5834  C++
gklayout.dll!nsCSSFrameConstructor::ConstructFrameInternal(nsFrameConstructorState & aState={...}, nsIContent * aContent=0x04bf3f10, nsIFrame * aParentFrame=0x03cc13e4, nsIAtom * aTag=0x01d6d4a8, int aNameSpaceID=3, nsStyleContext * aStyleContext=0x03cc15a4, nsFrameItems & aFrameItems={...}, int aXBLBaseTag=0)  Line 8069 + 0x30 bytes  C++
gklayout.dll!nsCSSFrameConstructor::ConstructFrame(nsFrameConstructorState & aState={...}, nsIContent * aContent=0x04bf3f10, nsIFrame * aParentFrame=0x03cc13e4, nsFrameItems & aFrameItems={...})  Line 7949 + 0x35 bytes  C++
gklayout.dll!nsCSSFrameConstructor::ProcessChildren(nsFrameConstructorState & aState={...}, nsIContent * aContent=0x03aaba08, nsIFrame * aFrame=0x03cc13e4, int aCanHaveGeneratedContent=1, nsFrameItems & aFrameItems={...}, int aParentIsBlock=0, nsTableCreator * aTableCreator=0x00000000)  Line 11790 + 0x3a bytes  C++
gklayout.dll!nsCSSFrameConstructor::ConstructDocElementFrame(nsFrameConstructorState & aState={...}, nsIContent * aDocElement=0x03aaba08, nsIFrame * aParentFrame=0x03cc10d0, nsIFrame * * aNewFrame=0x0012f3fc)  Line 4629  C++
gklayout.dll!nsCSSFrameConstructor::ContentInserted(nsIContent * aContainer=0x00000000, nsIContent * aChild=0x03aaba08, int aIndexInContainer=0, nsILayoutHistoryState * aFrameState=0x00000000, int aInReinsertContent=0)  Line 9331  C++
gklayout.dll!PresShell::InitialReflow(int aWidth=9264, int aHeight=12048)  Line 2859  C++
gklayout.dll!nsXULDocument::StartLayout()  Line 1996 + 0x16 bytes  C++
gklayout.dll!nsXULDocument::ResumeWalk()  Line 2955  C++
gklayout.dll!nsXULDocument::EndLoad()  Line 560  C++
gklayout.dll!XULContentSinkImpl::DidBuildModel()  Line 445  C++
gkparser.dll!nsExpatDriver::DidBuildModel(unsigned int anErrorCode=0, int aNotifySink=1, nsIParser * aParser=0x04aac1c8, nsIContentSink * aSink=0x03cc0138)  Line 1249 + 0xe bytes  C++
gkparser.dll!nsParser::DidBuildModel(unsigned int anErrorCode=0)  Line 948 + 0x35 bytes  C++
gkparser.dll!nsParser::ResumeParse(int allowIteration=1, int aIsFinalChunk=1, int aCanInterrupt=1)  Line 1665  C++
gkparser.dll!nsParser::OnStopRequest(nsIRequest * request=0x04a78ec0, nsISupports * aContext=0x00000000, unsigned int status=0)  Line 2289 + 0x17 bytes  C++
docshell.dll!nsDocumentOpenInfo::OnStopRequest(nsIRequest * request=0x04a78ec0, nsISupports * aCtxt=0x00000000, unsigned int aStatus=0)  Line 378  C++
necko.dll!nsStreamListenerTee::OnStopRequest(nsIRequest * request=0x04a78ec0, nsISupports * context=0x00000000, unsigned int status=0)  Line 66  C++
necko.dll!nsHttpChannel::OnStopRequest(nsIRequest * request=0x04bf3c90, nsISupports * ctxt=0x00000000, unsigned int status=0)  Line 4054  C++
necko.dll!nsInputStreamPump::OnStateStop()  Line 567  C++
necko.dll!nsInputStreamPump::OnInputStreamReady(nsIAsyncInputStream * stream=0x03aabac8)  Line 391 + 0xb bytes  C++
xpcom_core.dll!nsInputStreamReadyEvent::Run()  Line 112  C++
xpcom_core.dll!nsThread::ProcessNextEvent(int mayWait=1, int * result=0x0012fc34)  Line 483  C++
xpcom_core.dll!NS_ProcessNextEvent_P(nsIThread * thread=0x00af8a20, int mayWait=1)  Line 225 + 0x16 bytes  C++
gkwidget.dll!nsBaseAppShell::Run()  Line 153 + 0xc bytes  C++
tkitcmps.dll!nsAppStartup::Run()  Line 171 + 0x1c bytes  C++
xul.dll!XRE_main(int argc=1, char * * argv=0x00af7d70, const nsXREAppData * aAppData=0x004036b0)  Line 2349 + 0x25 bytes  C++
firefox.exe!main(int argc=1, char * * argv=0x00af7d70)  Line 61 + 0x13 bytes  C++
firefox.exe!__tmainCRTStartup()  Line 586 + 0x19 bytes  C
firefox.exe!mainCRTStartup()  Line 403  C
kernel32.dll!7c816d4f()
kernel32.dll!7c8399f3()

Attached patch fix (obsolete) — Splinter Review
This ought to fix it. However this function needs to be extended to handle Unicode properly.
Assignee: mscott → roc
Status: NEW → ASSIGNED
Attachment #228619 - Flags: superreview?
Attachment #228619 - Flags: review?
Attached patch fix — Splinter Review
This ought to fix it. However this function needs to be extended to handle Unicode properly.
Attachment #228620 - Flags: superreview?(mscott)
Attachment #228620 - Flags: review?(mscott)
Attachment #228619 - Attachment is obsolete: true
Attachment #228619 - Flags: superreview?
Attachment #228619 - Flags: review?
for people who don't speak msvcr80d, the top 3 frames are:
MSVCR80D!_chvalidator_l+0x3d
MSVCR80D!_isspace_l+0x61
MSVCR80D!_isspace_l+0xa9

http://bonsai.mozilla.org/cvsblame.cgi?file=/mozilla/extensions/spellcheck/src/mozInlineSpellWordUtil.cpp&rev=1.4&mark=839-840#822

brettw: isspace doesn't accept 8bit data, it wants ascii or something like it.
*** Bug 344095 has been marked as a duplicate of this bug. ***
Comment on attachment 228620 [details] [diff] [review]
fix

Does this mean the inline spell checker isn't currently working for non-ASCII words if this routine in the word searching code doesn't handle Unicode properly?
I don't think my patch changes anything in that regard. Before or after, every non-ASCII character that comes in here gets classified as CHAR_CLASS_WORD. That means that Unicode punctuation and whitespace will be treated as part of a word, and likely therefore induce a spelling error. Text that's simply Unicode words separated by ASCII whitespace should work OK (here; I have no idea whether the rest of the spellcheck code can handle it).
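Added example, not code from this bug's patch or from Mozilla's spellchecker, illustrating the two points made above: the argument domain the <ctype.h> predicates accept (the rule the debug CRT assertion "(unsigned)(c+1) <= 256" enforces; outside it the behaviour is undefined, which is how the release build ended up crashing inside isspace), and a classifier that only hands ASCII to isspace/ispunct and treats every other code unit as CHAR_CLASS_WORD, which is the behaviour roc describes. The names ctype_arg_ok, arg_from_signed_char, arg_from_utf16_unit, classify_utf16_unit, split_words and CHAR_CLASS_SEPARATOR are assumptions made for this example, and the input buffer is constructed to mirror the testcase's 'ý' followed by a space.

```c
#include <ctype.h>
#include <limits.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* CHAR_CLASS_WORD is the name used in the bug discussion;
   CHAR_CLASS_SEPARATOR is an assumed name for this example. */
enum char_class { CHAR_CLASS_WORD = 0, CHAR_CLASS_SEPARATOR = 1 };

/* Domain of the <ctype.h> predicates: EOF or a value representable as
   unsigned char. This is the same rule as the debug CRT assertion
   "(unsigned)(c+1) <= 256"; passing anything else is undefined behaviour. */
int ctype_arg_ok(int c)
{
    return c == EOF || (c >= 0 && c <= UCHAR_MAX);
}

/* Two common ways an argument leaves that domain:
   1. a byte >= 0x80 stored in a (signed) char becomes negative,
   2. a UTF-16 code unit above 0xFF is passed through as-is. */
int arg_from_signed_char(char byte)    { return (int)byte; }
int arg_from_utf16_unit(uint16_t unit) { return (int)unit; }

/* Hardened classifier: only ASCII reaches isspace/ispunct; every other
   code unit is part of a word. Unicode punctuation and whitespace are
   therefore not recognised as separators (the limitation roc describes). */
enum char_class classify_utf16_unit(uint16_t unit)
{
    if (unit < 0x80) {
        int c = (int)unit;          /* 0..127: always inside the ctype domain */
        if (isspace(c) || ispunct(c))
            return CHAR_CLASS_SEPARATOR;
    }
    return CHAR_CLASS_WORD;
}

/* Split a UTF-16 buffer into half-open [start, end) word ranges.
   Returns the number of words found; at most max_words are recorded. */
size_t split_words(const uint16_t *text, size_t len,
                   size_t *starts, size_t *ends, size_t max_words)
{
    size_t n = 0, i = 0;
    while (i < len && n < max_words) {
        while (i < len && classify_utf16_unit(text[i]) != CHAR_CLASS_WORD)
            i++;                    /* skip separators */
        if (i >= len)
            break;
        starts[n] = i;
        while (i < len && classify_utf16_unit(text[i]) == CHAR_CLASS_WORD)
            i++;                    /* consume the word */
        ends[n++] = i;
    }
    return n;
}

int main(void)
{
    /* Constructed input modelled on the testcase: U+00FD ('ý') and a space,
       then an ASCII word, a Unicode line separator U+2028, and one more letter. */
    static const uint16_t text[] = { 0x00FD, 0x0020, 'o', 'k', 0x2028, 'x' };
    size_t starts[8], ends[8];
    size_t n = split_words(text, sizeof text / sizeof text[0], starts, ends, 8);
    for (size_t k = 0; k < n; k++)
        printf("word %zu: [%zu,%zu)\n", k, starts[k], ends[k]);

    unsigned char raw = 0xFD;       /* the 'ý' byte in Latin-1 */
    int as_char = arg_from_signed_char((char)raw);
    printf("0xFD via char -> %d, ctype ok: %d\n", as_char, ctype_arg_ok(as_char));
    printf("U+2028 via int -> %d, ctype ok: %d\n",
           arg_from_utf16_unit(0x2028), ctype_arg_ok(arg_from_utf16_unit(0x2028)));
    return 0;
}
```

Running it prints two word ranges, [0,1) and [2,6): the U+2028 separator is swallowed into the second word, which is exactly the non-ASCII limitation discussed in the thread, while neither the 0xFD byte nor the 0x2028 code unit is ever handed to a ctype function. On a platform where char is signed (x86), 0xFD stored in a char arrives at isspace as -3, which ctype_arg_ok rejects.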
Comment on attachment 228620 [details] [diff] [review]
fix

Thanks Roc.
Attachment #228620 - Flags: superreview?(mscott)
Attachment #228620 - Flags: superreview+
Attachment #228620 - Flags: review?(mscott)
Attachment #228620 - Flags: review+
Fixed on trunk.
Status: ASSIGNED → RESOLVED
Closed: 18 years ago
Resolution: --- → FIXED
Comment on attachment 228620 [details] [diff] [review]
fix

needed on branch
Attachment #228620 - Flags: approval1.8.1?
Verified fixed, using an hourly build:
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9a1) Gecko/20060713 Minefield/3.0a1
Status: RESOLVED → VERIFIED
We're gonna let this sit and bake before making a call for 1.8.1 ... if you feel it's very important, please nominate for blocking.
Flags: blocking1.8.1?
Was a followup bug filed on the XXX comment?  I'd also note that isspace, ispunct, iswspace, iswpunct are locale-sensitive, so probably not what we really want to be using here either.
You're right, this needs to be rewritten to just use Unicode properties not the libc functions. Filed bug 344607.
Comment on attachment 228620 [details] [diff] [review]
fix

a=dbaron on behalf of drivers.  Please check in to MOZILLA_1_8_BRANCH and mark fixed1.8.1 when you have done so.
Attachment #228620 - Flags: approval1.8.1? → approval1.8.1+
I won't be able to do it right away due to travel...
Flags: blocking1.8.1? → blocking1.8.1+
Checked into 1.8.1 branch
Keywords: fixed1.8.1
verified with Windows 2.0b2 build of 20060821