345342 - reproducible crash in [@ nsFind::NextNode]; content is null

Status: RESOLVED FIXED

(Toolkit :: Find Toolbar, defect)

Description

[(not reading, please use seth@sspitzer.org instead)]

crash in nsFind::NextNode(), content is null

I'm using a recent trunk build.  steps to reproduce coming next...

>	embedcomponents.dll!nsFind::NextNode(nsIDOMRange * aSearchRange=0x03de4bd0, nsIDOMRange * aStartPoint=0x03edeb98, nsIDOMRange * aEndPoint=0x03ceecd0, int aContinueOk=1)  Line 702 + 0x5 bytes	C++
 	embedcomponents.dll!nsFind::Find(const unsigned short * aPatText=0x0012d098, nsIDOMRange * aSearchRange=0x03de4bd0, nsIDOMRange * aStartPoint=0x03edeb98, nsIDOMRange * aEndPoint=0x03ceecd0, nsIDOMRange * * aRangeRet=0x0012d044)  Line 1009	C++
 	tkitcmps.dll!nsTypeAheadFind::FindItNow(nsIPresShell * aPresShell=0x00000000, int aIsRepeatingSameChar=0, int aIsLinksOnly=0, int aIsFirstVisiblePreferred=0, int aFindNext=1, int aHasFocus=1, unsigned short * aResult=0x0012d2d8)  Line 422 + 0x7f bytes	C++
 	tkitcmps.dll!nsTypeAheadFind::FindInternal(int aFindBackwards=0, int aHasFocus=1, unsigned short * aResult=0x0012d2d8)  Line 920 + 0x2a bytes	C++
 	tkitcmps.dll!nsTypeAheadFind::FindNext(int aHasFocus=1, unsigned short * aResult=0x0012d2d8)  Line 896	C++
 	xpcom_core.dll!XPTC_InvokeByIndex(nsISupports * that=0x00000005, unsigned int methodIndex=2, unsigned int paramCount=1233608, nsXPTCVariant * params=0x00c51680)  Line 102	C++
 	xpc3250.dll!XPCWrappedNative::CallMethod(XPCCallContext & ccx={...}, XPCWrappedNative::CallMode mode=5)  Line 2162 + 0x1e bytes	C++
 	xpc3250.dll!XPCWrappedNative::CallMethod(XPCCallContext & ccx={...}, XPCWrappedNative::CallMode mode=CALL_METHOD)  Line 2162 + 0x1e bytes	C++
 	xpc3250.dll!XPC_WN_CallMethod(JSContext * cx=0x02ed7a10, JSObject * obj=0x03ce63d0, unsigned int argc=1, long * argv=0x04d2e0b4, long * vp=0x0012d598)  Line 1450 + 0xe bytes	C++
 	js3250.dll!js_Invoke(JSContext * cx=0x02ed7a10, unsigned int argc=1, unsigned int flags=0)  Line 1349 + 0x20 bytes	C
 	js3250.dll!js_Interpret(JSContext * cx=0x02ed7a10, unsigned char * pc=0x02fdd319, long * result=0x0012e124)  Line 4084 + 0xf bytes	C
 	js3250.dll!js_Invoke(JSContext * cx=0x02ed7a10, unsigned int argc=1, unsigned int flags=2)  Line 1368 + 0x13 bytes	C
 	js3250.dll!js_InternalInvoke(JSContext * cx=0x02ed7a10, JSObject * obj=0x05fbd980, long fval=100391288, unsigned int flags=0, unsigned int argc=1, long * argv=0x04d2df70, long * rval=0x0012e278)  Line 1447 + 0x14 bytes	C
 	js3250.dll!JS_CallFunctionValue(JSContext * cx=0x02ed7a10, JSObject * obj=0x05fbd980, long fval=100391288, unsigned int argc=1, long * argv=0x04d2df70, long * rval=0x0012e278)  Line 4385 + 0x1f bytes	C
 	gklayout.dll!nsJSContext::CallEventHandler(nsISupports * aTarget=0x03802700, void * aScope=0x02f695e8, void * aHandler=0x05fbd978, nsIArray * aargv=0x062daf18, nsIVariant * * arv=0x0012e3e8)  Line 1731 + 0x21 bytes	C++
 	gklayout.dll!nsJSEventListener::HandleEvent(nsIDOMEvent * aEvent=0x062d468c)  Line 209 + 0x62 bytes	C++
 	gklayout.dll!nsEventListenerManager::HandleEventSubType(nsListenerStruct * aListenerStruct=0x03802860, nsIDOMEventListener * aListener=0x038027b8, nsIDOMEvent * aDOMEvent=0x062d468c, nsISupports * aCurrentTarget=0x03802700, unsigned int aSubType=8, unsigned int aPhaseFlags=6)  Line 1648 + 0x12 bytes	C++
 	gklayout.dll!nsEventListenerManager::HandleEvent(nsPresContext * aPresContext=0x030fe530, nsEvent * aEvent=0x0012e74c, nsIDOMEvent * * aDOMEvent=0x0012e6b0, nsISupports * aCurrentTarget=0x03802700, unsigned int aFlags=6, nsEventStatus * aEventStatus=0x0012e6b4)  Line 1752	C++
 	gklayout.dll!nsEventTargetChainItem::HandleEvent(nsEventChainPostVisitor & aVisitor={...}, unsigned int aFlags=6)  Line 356	C++
 	gklayout.dll!nsEventTargetChainItem::HandleEventTargetChain(nsEventChainPostVisitor & aVisitor={...}, unsigned int aFlags=6, nsDispatchingCallback * aCallback=0x00000000)  Line 433	C++
 	gklayout.dll!nsEventDispatcher::Dispatch(nsISupports * aTarget=0x03802700, nsPresContext * aPresContext=0x030fe530, nsEvent * aEvent=0x0012e74c, nsIDOMEvent * aDOMEvent=0x00000000, nsEventStatus * aEventStatus=0x0012e794, nsDispatchingCallback * aCallback=0x00000000, int aTargetIsChromeHandler=0)  Line 639 + 0x12 bytes	C++
 	gklayout.dll!nsXULElement::PreHandleEvent(nsEventChainPreVisitor & aVisitor={...})  Line 1749 + 0x2b bytes	C++
 	gklayout.dll!nsEventTargetChainItem::PreHandleEvent(nsEventChainPreVisitor & aVisitor={...})  Line 317 + 0x17 bytes	C++
 	gklayout.dll!nsEventDispatcher::Dispatch(nsISupports * aTarget=0x0380a288, nsPresContext * aPresContext=0x030fe530, nsEvent * aEvent=0x0012ea58, nsIDOMEvent * aDOMEvent=0x00000000, nsEventStatus * aEventStatus=0x0012ea54, nsDispatchingCallback * aCallback=0x00000000, int aTargetIsChromeHandler=0)  Line 597	C++
 	gklayout.dll!nsXBLPrototypeHandler::ExecuteHandler(nsIDOMEventReceiver * aReceiver=0x04d277e8, nsIDOMEvent * aEvent=0x04d27948)  Line 402 + 0x29 bytes	C++
 	gklayout.dll!nsXBLWindowHandler::WalkHandlersInternal(nsIDOMEvent * aEvent=0x04d27948, nsIAtom * aEventType=0x00be5098, nsXBLPrototypeHandler * aHandler=0x0633ccb0)  Line 322 + 0x15 bytes	C++
 	gklayout.dll!nsXBLWindowKeyHandler::WalkHandlers(nsIDOMEvent * aKeyEvent=0x04d27948, nsIAtom * aEventType=0x00be5098)  Line 199	C++
 	gklayout.dll!nsXBLWindowKeyHandler::KeyPress(nsIDOMEvent * aKeyEvent=0x04d27948)  Line 254	C++
 	gklayout.dll!DispatchToInterface(nsIDOMEvent * aEvent=0x04d27948, nsIDOMEventListener * aListener=0x0380b040, unsigned int (nsIDOMEvent *)* aMethod=0x02329070, const nsID & aIID={...}, int * aHasInterface=0x0012f088)  Line 145 + 0xb bytes	C++
 	gklayout.dll!nsEventListenerManager::HandleEvent(nsPresContext * aPresContext=0x030fe530, nsEvent * aEvent=0x0012f518, nsIDOMEvent * * aDOMEvent=0x0012f1a0, nsISupports * aCurrentTarget=0x02ee8978, unsigned int aFlags=514, nsEventStatus * aEventStatus=0x0012f1a4)  Line 1742 + 0x26 bytes	C++
 	gklayout.dll!nsEventTargetChainItem::HandleEvent(nsEventChainPostVisitor & aVisitor={...}, unsigned int aFlags=514)  Line 356	C++
 	gklayout.dll!nsEventTargetChainItem::HandleEventTargetChain(nsEventChainPostVisitor & aVisitor={...}, unsigned int aFlags=518, nsDispatchingCallback * aCallback=0x0012f25c)  Line 456	C++
 	gklayout.dll!nsEventTargetChainItem::HandleEventTargetChain(nsEventChainPostVisitor & aVisitor={...}, unsigned int aFlags=6, nsDispatchingCallback * aCallback=0x0012f25c)  Line 486	C++
 	gklayout.dll!nsEventDispatcher::Dispatch(nsISupports * aTarget=0x03c5ae60, nsPresContext * aPresContext=0x030fe530, nsEvent * aEvent=0x0012f518, nsIDOMEvent * aDOMEvent=0x00000000, nsEventStatus * aEventStatus=0x0012f32c, nsDispatchingCallback * aCallback=0x0012f25c, int aTargetIsChromeHandler=0)  Line 639 + 0x12 bytes	C++
 	gklayout.dll!PresShell::HandleEventInternal(nsEvent * aEvent=0x0012f518, nsIView * aView=0x030ff3c8, nsEventStatus * aStatus=0x0012f32c)  Line 6277 + 0x2b bytes	C++
 	gklayout.dll!PresShell::HandleEvent(nsIView * aView=0x030ff3c8, nsGUIEvent * aEvent=0x0012f518, nsEventStatus * aEventStatus=0x0012f32c)  Line 6048 + 0x17 bytes	C++
 	gklayout.dll!nsViewManager::HandleEvent(nsView * aView=0x030ff3c8, nsPoint aPoint={...}, nsGUIEvent * aEvent=0x0012f518, int aCaptured=0)  Line 1665	C++
 	gklayout.dll!nsViewManager::DispatchEvent(nsGUIEvent * aEvent=0x0012f518, nsEventStatus * aStatus=0x0012f454)  Line 1618 + 0x22 bytes	C++
 	gklayout.dll!HandleEvent(nsGUIEvent * aEvent=0x0012f518)  Line 174	C++
 	gkwidget.dll!nsWindow::DispatchEvent(nsGUIEvent * event=0x0012f518, nsEventStatus & aStatus=nsEventStatus_eIgnore)  Line 1102 + 0xc bytes	C++
 	gkwidget.dll!nsWindow::DispatchWindowEvent(nsGUIEvent * event=0x0012f518)  Line 1123	C++
 	gkwidget.dll!nsWindow::DispatchKeyEvent(unsigned int aEventType=131, unsigned short aCharCode=103, unsigned int aVirtualCharCode=0, long aKeyData=2228225, unsigned int aFlags=0)  Line 3312 + 0x11 bytes	C++
 	gkwidget.dll!nsWindow::OnKeyDown(unsigned int aVirtualKeyCode=71, unsigned int aScanCode=34, long aKeyData=2228225)  Line 3514 + 0x2e bytes	C++
 	gkwidget.dll!nsWindow::ProcessMessage(unsigned int msg=256, unsigned int wParam=71, long lParam=2228225, long * aRetValue=0x0012fa48)  Line 4436 + 0x1d bytes	C++
 	gkwidget.dll!nsWindow::WindowProc(HWND__ * hWnd=0x00050252, unsigned int msg=256, unsigned int wParam=71, long lParam=2228225)  Line 1291 + 0x1d bytes	C++
 	user32.dll!77d48734() 	
 	[Frames below may be incorrect and/or missing, no symbols loaded for user32.dll]	
 	user32.dll!77d48816() 	
 	user32.dll!77d489cd() 	
 	user32.dll!77d48a10() 	
 	gkwidget.dll!nsAppShell::ProcessNextNativeEvent(int mayWait=1)  Line 149	C++
 	gkwidget.dll!nsBaseAppShell::DoProcessNextNativeEvent(int mayWait=1)  Line 136 + 0x11 bytes	C++
 	gkwidget.dll!nsBaseAppShell::OnProcessNextEvent(nsIThreadInternal * thr=0x00b3acb0, int mayWait=1, unsigned int recursionDepth=0)  Line 231 + 0xf bytes	C++
 	xpcom_core.dll!nsThread::ProcessNextEvent(int mayWait=1, int * result=0x0012fc34)  Line 472	C++
 	xpcom_core.dll!NS_ProcessNextEvent_P(nsIThread * thread=0x00b3acb0, int mayWait=1)  Line 225 + 0x16 bytes	C++
 	gkwidget.dll!nsBaseAppShell::Run()  Line 153 + 0xc bytes	C++
 	tkitcmps.dll!nsAppStartup::Run()  Line 171 + 0x1c bytes	C++
 	xul.dll!XRE_main(int argc=1, char * * argv=0x00b38338, const nsXREAppData * aAppData=0x004036b0)  Line 2382 + 0x25 bytes	C++
 	firefox.exe!main(int argc=1, char * * argv=0x00b38338)  Line 61 + 0x13 bytes	C++
 	firefox.exe!__tmainCRTStartup()  Line 586 + 0x19 bytes	C
 	firefox.exe!mainCRTStartup()  Line 403	C
 	kernel32.dll!7c816d4f() 	
 	nspr4.dll!_PR_MD_UNLOCK(_MDLock * lock=0x7c816d58)  Line 347	C
 	kernel32.dll!7c8399f3()

Comment 1

[(not reading, please use seth@sspitzer.org instead)]

here's where I crash, because content is null:

    content = mIterator->GetCurrentNode();
#ifdef DEBUG_FIND
    nsCOMPtr<nsIDOMNode> dnode (do_QueryInterface(content));
    printf(":::::: Got the first node "); DumpNode(dnode);
#endif
    if (content->IsNodeOfType(nsINode::eTEXT) && !SkipNode(content))

fwiw, on my console I get:

###!!! ASSERTION: No first node!: 'mFirst', file c:/builds/trunk/mozilla/content
/base/src/nsContentIterator.cpp, line 960

Comment 2

[(not reading, please use seth@sspitzer.org instead)]

I'm using my own trunk debug build:  "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9a1) Gecko/20060719 Minefield/3.0a1"

Comment 3

[:Gavin Sharp [email: gavin@gavinsharp.com]]

See also bug 344337 - I don't think it's a dupe, but it may be related.

Comment 4

[(not reading, please use seth@sspitzer.org instead)]

to reproduce this bug:

1)  go to http://lxr.mozilla.org/seamonkey/source/toolkit/content/widgets/tabbrowser.xml
2)  select "             this.mTabContainer.adjustTabstrip(false);" (see screen shot #1)
3)  copy and paste that into the fast find box at the bottom (which will turn the text green, see screen shot #2)
4)  hit enter in the fast find box
5)  BOOM!

Comment 5

[(not reading, please use seth@sspitzer.org instead)]

Attachment: step 1

Comment 6

[(not reading, please use seth@sspitzer.org instead)]

Attachment: step 2

Comment 7

[(not reading, please use seth@sspitzer.org instead)]

thanks for the bug reference, gavin.

cc'ing pkasting (in case this crasher rings a bell for him.)

Comment 8

[Peter Kasting]

Taking, though I don't know if this is actually my bug.

Any idea of a regression window on this?

Thanks for the testcase, I should be able to track this down somehow.

Comment 9

[(not reading, please use seth@sspitzer.org instead)]

> Any idea of a regression window on this?

sorry, I don't know that.  I also don't know if the branch suffers this crasher.

Comment 10

[Jonas Sicking (:sicking) No longer reading bugmail consistently]

This looks like mine. I recently removed a null-check in this code assuming that the iterator always returned something.

Comment 11

[Ria Klaassen (not reading all bugmail)]

I have a crash here with a regression range between 1.9a1_2006071816 and 1.9a1_2006071821.
Go to http://mycroft.mozdev.org/download.html , call the findbar, search for the word engine and click Next.

Comment 12

[Jonas Sicking (:sicking) No longer reading bugmail consistently]

Attachment: Patch to fix

Comment 13

[Jonas Sicking (:sicking) No longer reading bugmail consistently]

Checked in