Closed Bug 345726 Opened 18 years ago Closed 18 years ago

[@ nsString::CharAt] mozInlineSpellChecker::EndOfAWord crash while editing email

Categories

(Core :: Spelling checker, defect)

1.8 Branch
x86
Linux
defect
Not set
critical

Tracking

RESOLVED DUPLICATE of bug 328606

People

(Reporter: mozilla-bugs, Assigned: mscott)

Details

(Keywords: crash)

User-Agent:       Mozilla/5.0 (X11; U; Linux x86_64; en-GB; rv:1.8.0.4) Gecko/20060614 SeaMonkey/1.0.2
Build Identifier: Mozilla/5.0 (X11; U; Linux x86_64; en-GB; rv:1.8.0.4) Gecko/20060614 SeaMonkey/1.0.2

Looking at the dump, the problem here is that offset went negative, then got used as an index into an array.  I am on x86_64; maybe that is relevant.  "void *" is 64 bits, "long" is 64 bits, "int" is 32 bits.

Unfortunately I do not have a procedure to follow to re-create the problem, but I can say that most of my crashes occur when editing emails and I believe the HTML/email authoring functionality to be buggy.  This is a long-standing problem for me, as Mozilla for the past 4 years has had these same problems.

#0  0x0000003eca20c22c in raise () from /lib64/libpthread.so.0
(gdb) bt
#0  0x0000003eca20c22c in raise () from /lib64/libpthread.so.0
#1  0x00002aaaac651b5f in nsProfileLock::FatalSignalHandler (signo=11) at nsProfileLock.cpp:206
#2  <signal handler called>
#3  0x00002aaab328222c in nsString::CharAt (this=0x7fffff9cba90, i=4294967295) at ../../../dist/include/string/nsTString.h:134
#4  0x00002aaab328224f in nsString::operator[] (this=0x7fffff9cba90, i=4294967295) at ../../../dist/include/string/nsTString.h:139
#5  0x00002aaab327cd74 in mozInlineSpellChecker::EndOfAWord (this=0xbe244a0, aNode=0xbb14348, aOffset=-1) at mozInlineSpellChecker.cpp:980
#6  0x00002aaab327f96a in mozInlineSpellChecker::AdjustSpellHighlighting (this=0xbe244a0, aNode=0xbb14348, aOffset=-1, aSpellCheckSelection=0xbeac5f0, isDeletion=0)
    at mozInlineSpellChecker.cpp:848
#7  0x00002aaab3281792 in mozInlineSpellChecker::SpellCheckAfterEditorChange (this=0xbe244a0, action=1001, aSelection=0xbeac540, previousSelectedNode=0xbb14348,
    previousSelectedOffset=0, aStartNode=0xbb14348, aStartOffset=0, aEndNode=0xbb14348, aEndOffset=1) at mozInlineSpellChecker.cpp:261
#8  0x00002aaaafb658ad in nsEditor::HandleInlineSpellCheck (this=0x988c110, action=1001, aSelection=0xbeac540, previousSelectedNode=0xbb14348, previousSelectedOffset=0,
    aStartNode=0xbb14348, aStartOffset=0, aEndNode=0xbb14348, aEndOffset=1) at nsEditor.cpp:5412
#9  0x00002aaaafb13834 in nsHTMLEditRules::AfterEditInner (this=0x8b1c6f0, action=1001, aDirection=1) at nsHTMLEditRules.cpp:547
#10 0x00002aaaafb139b0 in nsHTMLEditRules::AfterEdit (this=0x8b1c6f0, action=1001, aDirection=1) at nsHTMLEditRules.cpp:391
#11 0x00002aaaaface4ac in nsHTMLEditor::EndOperation (this=0x988c110) at nsHTMLEditor.cpp:4128
#12 0x00002aaaafaabe99 in ~nsAutoRules (this=0x7fffff9cc370) at nsEditorUtils.h:123
#13 0x00002aaaafb52778 in nsPlaintextEditor::InsertText (this=0x988c110, aStringToInsert=@0x7fffff9cc4a0) at nsPlaintextEditor.cpp:776
#14 0x00002aaaafb4fa56 in nsPlaintextEditor::TypedText (this=0x988c110, aString=@0x7fffff9cc4a0, aAction=0) at nsPlaintextEditor.cpp:402
#15 0x00002aaaaface63f in nsHTMLEditor::TypedText (this=0x988c110, aString=@0x7fffff9cc4a0, aAction=0) at nsHTMLEditor.cpp:1356
#16 0x00002aaaafad764b in nsHTMLEditor::HandleKeyPress (this=0x988c110, aKeyEvent=0xbc170a0) at nsHTMLEditor.cpp:1334
#17 0x00002aaaafb5da89 in nsTextEditorKeyListener::KeyPress (this=0x8c3a5b0, aKeyEvent=0xbc170c0) at nsEditorEventListeners.cpp:249
#18 0x00002aaaab61fa95 in DispatchToInterface (aEvent=0xbc170c0, aListener=0x8c3a5b0, aMethod={__pfn = 0x31, __delta = 0}, aIID=@0x2aaaab97deb0,
    aHasInterface=0x7fffff9cc76c) at nsEventListenerManager.cpp:141
#19 0x00002aaaab625ce7 in nsEventListenerManager::HandleEvent (this=0xbeacd80, aPresContext=0xaa53d60, aEvent=0x7fffff9cd340, aDOMEvent=0x7fffff9cca48,
    aCurrentTarget=0xa0619b0, aFlags=514, aEventStatus=0x7fffff9ccfcc) at nsEventListenerManager.cpp:1781
#20 0x00002aaaab5b6f03 in nsDocument::HandleDOMEvent (this=0xa061870, aPresContext=0xaa53d60, aEvent=0x7fffff9cd340, aDOMEvent=0x7fffff9cca48, aFlags=514,
    aEventStatus=0x7fffff9ccfcc) at nsDocument.cpp:3945
#21 0x00002aaaab5e0d54 in nsGenericElement::HandleDOMEvent (this=0xca1a7f0, aPresContext=0xaa53d60, aEvent=0x7fffff9cd340, aDOMEvent=0x7fffff9cca48, aFlags=519,
    aEventStatus=0x7fffff9ccfcc) at nsGenericElement.cpp:2210
#22 0x00002aaaab358cce in PresShell::HandleEventInternal (this=0x982bb60, aEvent=0x7fffff9cd340, aView=0xb4c7160, aFlags=1, aStatus=0x7fffff9ccfcc)
    at nsPresShell.cpp:6432
#23 0x00002aaaab35a09d in PresShell::HandleEvent (this=0x982bb60, aView=0xb4c7160, aEvent=0x7fffff9cd340, aEventStatus=0x7fffff9ccfcc, aForceHandle=1,
    aHandled=@0x7fffff9ccfc8) at nsPresShell.cpp:6215
#24 0x00002aaaab7689ba in nsViewManager::HandleEvent (this=0x183b530, aView=0xb4c7160, aEvent=0x7fffff9cd340, aCaptured=0) at nsViewManager.cpp:2512
#25 0x00002aaaab769ded in nsViewManager::DispatchEvent (this=0x183b530, aEvent=0x7fffff9cd340, aStatus=0x7fffff9cd274) at nsViewManager.cpp:2246
#26 0x00002aaaab7586eb in HandleEvent (aEvent=0x7fffff9cd340) at nsView.cpp:171
#27 0x00002aaaac3e2e34 in nsCommonWidget::DispatchEvent (this=0x4a2ccb0, aEvent=0x7fffff9cd340, aStatus=@0x7fffff9cd3a8) at nsCommonWidget.cpp:219
#28 0x00002aaaac3d62f3 in nsWindow::OnKeyPressEvent (this=0x4a2ccb0, aWidget=0xaf55860, aEvent=0x8c0390) at nsWindow.cpp:1785
#29 0x00002aaaac3d63f8 in key_press_event_cb (widget=0xaf55860, event=0x8c0390) at nsWindow.cpp:3876
#30 0x0000003ece803e62 in gtk_marshal_VOID__UINT_STRING () from /usr/lib64/libgtk-x11-2.0.so.0
#31 0x0000003ecc60a27c in g_closure_invoke () from /usr/lib64/libgobject-2.0.so.0
#32 0x0000003ecc6172ea in g_signal_stop_emission () from /usr/lib64/libgobject-2.0.so.0
#33 0x0000003ecc61854b in g_signal_emit_valist () from /usr/lib64/libgobject-2.0.so.0
#34 0x0000003ecc618bc2 in g_signal_emit () from /usr/lib64/libgobject-2.0.so.0
#35 0x0000003ece8c84a8 in gtk_widget_activate () from /usr/lib64/libgtk-x11-2.0.so.0
#36 0x0000003ece8d4c81 in gtk_window_propagate_key_event () from /usr/lib64/libgtk-x11-2.0.so.0
#37 0x0000003ece8d88dc in gtk_window_activate_key () from /usr/lib64/libgtk-x11-2.0.so.0
#38 0x0000003ece803e2e in gtk_marshal_VOID__UINT_STRING () from /usr/lib64/libgtk-x11-2.0.so.0
#39 0x0000003ecc60a27c in g_closure_invoke () from /usr/lib64/libgobject-2.0.so.0
#40 0x0000003ecc617720 in g_signal_stop_emission () from /usr/lib64/libgobject-2.0.so.0
#41 0x0000003ecc61854b in g_signal_emit_valist () from /usr/lib64/libgobject-2.0.so.0
#42 0x0000003ecc618bc2 in g_signal_emit () from /usr/lib64/libgobject-2.0.so.0
#43 0x0000003ece8c84a8 in gtk_widget_activate () from /usr/lib64/libgtk-x11-2.0.so.0
#44 0x0000003ece802891 in gtk_propagate_event () from /usr/lib64/libgtk-x11-2.0.so.0
...SNIP...

(gdb) frame 3
#3  0x00002aaab328222c in nsString::CharAt (this=0x7fffff9cba90, i=4294967295) at ../../../dist/include/string/nsTString.h:134
134               return mData[i];
(gdb) p mData[i]
Cannot access memory at address 0x8001ff9cbab6
(gdb) p i
$1 = 4294967295
(gdb) up
#4  0x00002aaab328224f in nsString::operator[] (this=0x7fffff9cba90, i=4294967295) at ../../../dist/include/string/nsTString.h:139
139               return CharAt(i);
(gdb) up
#5  0x00002aaab327cd74 in mozInlineSpellChecker::EndOfAWord (this=0xbe244a0, aNode=0xbb14348, aOffset=-1) at mozInlineSpellChecker.cpp:980
980           if (NS_SUCCEEDED(res) && IsNonwordChar(text[aOffset]))
(gdb) up
#6  0x00002aaab327f96a in mozInlineSpellChecker::AdjustSpellHighlighting (this=0xbe244a0, aNode=0xbb14348, aOffset=-1, aSpellCheckSelection=0xbeac5f0, isDeletion=0)
    at mozInlineSpellChecker.cpp:848
848       if (!EndOfAWord(currentNode, aOffset) && !isDeletion)
(gdb)
#7  0x00002aaab3281792 in mozInlineSpellChecker::SpellCheckAfterEditorChange (this=0xbe244a0, action=1001, aSelection=0xbeac540, previousSelectedNode=0xbb14348,
    previousSelectedOffset=0, aStartNode=0xbb14348, aStartOffset=0, aEndNode=0xbb14348, aEndOffset=1) at mozInlineSpellChecker.cpp:261
261             res = AdjustSpellHighlighting(anchorNode, offset, spellCheckSelection, PR_FALSE);
(gdb) list
256
257           if (anchorNode == previousSelectedNode)
258           {
259             if (offset == anchorOffset)
260               offset--;
261             res = AdjustSpellHighlighting(anchorNode, offset, spellCheckSelection, PR_FALSE);
262           }
263           else
264             res = SpellCheckBetweenNodes(aStartNode, aStartOffset, anchorNode, offset, spellCheckSelection);
265           break;
(gdb) p offset
$2 = -1
(gdb) p anchorOffset
$3 = 0


Reproducible: Didn't try
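The backtrace and the `list` output show the whole chain: `offset` is a signed `PRInt32` that is decremented from 0 to -1, and it is then passed to an accessor whose index parameter is unsigned, so the -1 arrives as 4294967295 and `mData[i]` reads far outside the buffer. The following C++ is an added illustration, not Mozilla's code: `ToyString`, `IndexUsedByUnchecked`, `EndOfAWordChecked` and the toy `IsNonwordChar` are hypothetical stand-ins whose shapes only mirror the frames quoted above. It shows the implicit conversion that produced the index gdb printed, and a guarded caller that rejects offsets outside `[0, length)` before indexing.

```cpp
#include <cstdint>
#include <cstdio>
#include <string>

// Hypothetical stand-in for an nsString-like type whose CharAt takes an
// unsigned index (not Mozilla's nsString). Out-of-range indices return 0
// here instead of reading past the buffer, which is what the unchecked
// mData[i] in frame #3 would do.
struct ToyString {
    std::string data;

    int CharAt(uint32_t i) const {
        if (i >= data.size()) return 0;
        return static_cast<unsigned char>(data[i]);
    }
};

// The implicit signed-to-unsigned conversion that turned aOffset == -1
// into i == 4294967295 in frames #4/#5.
uint32_t SignedOffsetAsIndex(int32_t offset) {
    return static_cast<uint32_t>(offset);
}

// Toy equivalent of IsNonwordChar: whitespace and common punctuation.
bool IsNonwordChar(int c) {
    return c == ' ' || c == '\t' || c == '\n' || c == '.' || c == ',' ||
           c == ';' || c == '!' || c == '?';
}

// Mirrors the caller logic quoted from lines 259-261 (offset-- when the
// caret sits at the anchor) and returns the index that the unchecked
// text[aOffset] in frame #5 would actually use.
uint32_t IndexUsedByUnchecked(int32_t offset, int32_t anchorOffset) {
    if (offset == anchorOffset)
        offset--;                                  // 0 becomes -1 here
    return static_cast<uint32_t>(offset);          // -1 wraps to 4294967295
}

// Guarded version: validate the signed offset before it is ever converted
// to an unsigned index. Returns false ("not at the end of a word") when
// there is no character at that position to examine.
bool EndOfAWordChecked(const ToyString& text, int32_t offset, int32_t anchorOffset) {
    if (offset == anchorOffset)
        offset--;
    if (offset < 0 || static_cast<uint32_t>(offset) >= text.data.size())
        return false;
    return IsNonwordChar(text.CharAt(static_cast<uint32_t>(offset)));
}

int main() {
    ToyString text{"hello world"};   // constructed sample input
    std::printf("index for offset -1: %u\n", (unsigned)SignedOffsetAsIndex(-1));
    std::printf("unchecked index at caret 0/anchor 0: %u\n", (unsigned)IndexUsedByUnchecked(0, 0));
    std::printf("checked, caret 0/anchor 0: %d\n", EndOfAWordChecked(text, 0, 0));
    std::printf("checked, caret 6/anchor 6 (after 'hello '): %d\n", EndOfAWordChecked(text, 6, 6));
    return 0;
}
```

The guard belongs in the caller (on the signed value), not in the accessor: once the offset has been converted to `uint32_t` the sign is gone, and a bounds check against the string length would still have to run on every call to catch it.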
Could you please file bugs into Core based on the file containing the frame you pick as problematic? You seem to be doing very well at picking frames, but no one actively triages this product and there's no reason your bugs shouldn't be filed in the right product.
Assignee: general → mscott
Severity: normal → critical
Component: General → Spelling checker
Keywords: crash
Product: Mozilla Application Suite → Core
QA Contact: general → spelling-checker
Summary: mozInlineSpellChecker::EndOfAWord crash while editing email → [@ nsString::CharAt] mozInlineSpellChecker::EndOfAWord crash while editing email
Version: unspecified → 1.8 Branch
Should be fixed in recent trunk/branch builds.

*** This bug has been marked as a duplicate of 328606 ***
Status: UNCONFIRMED → RESOLVED
Closed: 18 years ago
Resolution: --- → DUPLICATE
Sorry, I think it's just the way your Bugzilla works.

https://bugzilla.mozilla.org/enter_bug.cgi

That's where everyone starts, and it makes a big thing about picking the correct product first.  So I can clearly understand that it wants me to pick the product from that page; go ask any one of your friends what decision that page is wanting the web user to make.

"Other Products" does not mean "Core Components"; the two meanings are unrelated.  Other Products means lesser-known products, but why would I pick that when I can see the product I am using in the headline list?

So I pick it.

From then onwards I am screwed for allocating it to the correct component.

So you can't really blame anyone for doing their best on this matter.

Looking at the recent changes to the affected source file, it looks like Firefox has paved the way to getting the spell checker working in textareas and other places, and in doing so the section of code causing the crashes has been replaced in the process.

I wonder when a new SeaMonkey release is due...
*nod*. You're just slightly beyond average; if your next couple of bugs are filed appropriately I'll change your profile so that you have more privs.

I'm not used to people who know how to use a debugger and build a debug build treating Bugzilla like an end user.

The way Bugzilla here works, it wants people who don't know anything not to file bugs in Core. If you can find some way that we could change the page so that you would know to file your useful bugs in Core and yet normal end users wouldn't file their less detailed bugs there, I'd gladly work to change the page.
Crash Signature: [@ nsString::CharAt]