Closed Bug 348981 Opened 18 years ago Closed 18 years ago

Crash [@ nsComposerCommandsUpdater::TimerCallback][@ nsGetInterface::operator()] with evil editor testcase doing stuff

Categories

(Core :: DOM: Editor, defect)

x86
Windows XP
defect
Not set
critical

RESOLVED FIXED
mozilla1.8.1

People

(Reporter: martijn.martijn, Assigned: pkasting)

References

(Blocks 1 open bug)

Details

(4 keywords, Whiteboard: [sg:moderate?] after 1.8.0.x)

Crash Data

Attachments

(4 files)

See upcoming testcase, which crashes current Mozilla trunk and 1.8.1 branch builds.
The testcase crashes Mozilla usually within 3 reloads.
If it doesn't crash by then, try it by pressing the 'Go' button.

This regressed on trunk between 2006-08-07 and 2006-08-08.
On 1.8.1 branch, this regressed between 2006-08-08 and 2006-08-09.
Probably a regression from bug 347200.
Attached file testcase
The testcase reloads automatically.
Apparently, the testcase doesn't crash online; please test it locally to get the crash.
I confirm that backing out bug 347200 fixes this.

Stack trace when crashed:

#1  0x4cdb6d66 in __nanosleep_nocancel () from /lib/tls/i686/cmov/libc.so.6
#2  0x4cdb6b6c in sleep () from /lib/tls/i686/cmov/libc.so.6
#3  0x080656ab in ah_crap_handler (signum=11) at nsSigHandlers.cpp:133
#4  0x0806693f in nsProfileLock::FatalSignalHandler (signo=11) at nsProfileLock.cpp:210
#5  <signal handler called>
#6  0xb7e1a861 in nsQueryInterfaceWithError::operator() (this=0xbfffedf8, aIID=@0xb7ed3b14, answer=0xbfffed94) at nsCOMPtr.cpp:64
#7  0xb7e1bcf2 in nsCOMPtr<nsIInterfaceRequestor>::assign_from_qi_with_error (this=0xbfffedf0, qi=@0xbfffedf8, aIID=@0xb7ed3b14) at nsCOMPtr.h:1242
#8  0xb7e1bd3f in nsCOMPtr (this=0xbfffedf0, qi=@0xbfffedf8) at nsCOMPtr.h:653
#9  0xb7e1ba80 in nsGetInterface::operator() (this=0xbfffee84, aIID=@0xb3dbe974, aInstancePtr=0xbfffee20) at nsIInterfaceRequestorUtils.cpp:49
#10 0xb3db4927 in nsCOMPtr<nsICommandManager>::assign_from_helper (this=0xbfffee80, helper=@0xbfffee84, aIID=@0xb3dbe974) at nsCOMPtr.h:1292
#11 0xb3db6455 in nsCOMPtr (this=0xbfffee80, helper=@0xbfffee84) at nsCOMPtr.h:694
#12 0xb3db7083 in nsComposerCommandsUpdater::UpdateCommandGroup (this=0x8824550, aCommandGroup=@0xbfffeec0) at /pkasting/firefox-branch/mozilla/editor/composer/src/nsComposerCommandsUpdater.cpp:307
#13 0xb3db7967 in nsComposerCommandsUpdater::TimerCallback (this=0x8824550) at /pkasting/firefox-branch/mozilla/editor/composer/src/nsComposerCommandsUpdater.cpp:280
#14 0xb3db7a1b in nsComposerCommandsUpdater::Notify (this=0x8824550, timer=0x8c79528) at /pkasting/firefox-branch/mozilla/editor/composer/src/nsComposerCommandsUpdater.cpp:399
#15 0xb7e9ce2d in nsTimerImpl::Fire (this=0x8c79528) at /pkasting/firefox-branch/mozilla/xpcom/threads/nsTimerImpl.cpp:397
#16 0xb7e9d097 in handleTimerEvent (event=0xb53f2d10) at /pkasting/firefox-branch/mozilla/xpcom/threads/nsTimerImpl.cpp:459
#17 0xb7e94baa in PL_HandleEvent (self=0xb53f2d10) at /pkasting/firefox-branch/mozilla/xpcom/threads/plevent.c:688
#18 0xb7e94a36 in PL_ProcessPendingEvents (self=0x80e9a30) at /pkasting/firefox-branch/mozilla/xpcom/threads/plevent.c:623
#19 0xb7e97bcd in nsEventQueueImpl::ProcessPendingEvents (this=0x80eea18) at /pkasting/firefox-branch/mozilla/xpcom/threads/nsEventQueue.cpp:417
#20 0xb700e048 in event_processor_callback (source=0x83d2f50, condition=G_IO_IN, data=0x80eea18) at /pkasting/firefox-branch/mozilla/widget/src/gtk2/nsAppShell.cpp:67
#21 0x4d19731c in g_vasprintf () from /usr/lib/libglib-2.0.so.0
#22 0x4d1704ee in g_main_context_dispatch () from /usr/lib/libglib-2.0.so.0
#23 0x4d1734f6 in g_main_context_check () from /usr/lib/libglib-2.0.so.0
#24 0x4d1737e3 in g_main_loop_run () from /usr/lib/libglib-2.0.so.0
#25 0x49408e65 in gtk_main () from /usr/lib/libgtk-x11-2.0.so.0
#26 0xb700ea3e in nsAppShell::Run (this=0x8162f38) at /pkasting/firefox-branch/mozilla/widget/src/gtk2/nsAppShell.cpp:139
#27 0xb6f6d7f0 in nsAppStartup::Run (this=0x8162e48) at /pkasting/firefox-branch/mozilla/toolkit/components/startup/src/nsAppStartup.cpp:151
#28 0x080529b0 in XRE_main (argc=3, argv=0xbffff5d4, aAppData=0x806cae0) at /pkasting/firefox-branch/mozilla/toolkit/xre/nsAppRunner.cpp:2438
#29 0x0804b436 in main (argc=3, argv=0xbffff5d4) at /pkasting/firefox-branch/mozilla/browser/app/nsBrowserApp.cpp:61
Flags: blocking1.8.1?
Target Milestone: --- → mozilla1.8.1beta2
Blocks: 348802
Just before crashing, I get a lot of:

###!!! ASSERTION: JoinNode called with node not listed in offset table.: '0', file /pkasting/firefox-branch/mozilla/editor/txtsvc/src/nsTextServicesDocument.cpp, line 2637
Break: at file /pkasting/firefox-branch/mozilla/editor/txtsvc/src/nsTextServicesDocument.cpp, line 2637
WARNING: NS_ENSURE_TRUE(NS_SUCCEEDED(rv)) failed, file /pkasting/firefox-branch/mozilla/extensions/spellcheck/src/mozInlineSpellChecker.cpp, line 206
WARNING: NS_ENSURE_TRUE(NS_SUCCEEDED(rv)) failed, file /pkasting/firefox-branch/mozilla/extensions/spellcheck/src/mozInlineSpellChecker.cpp, line 804
WARNING: nsComposerCommandsUpdater::SelectionIsCollapsed - no domSelection, file /pkasting/firefox-branch/mozilla/editor/composer/src/nsComposerCommandsUpdater.cpp, line 386

Program ./firefox-bin (pid = 25622) received signal 11.
Assignee: nobody → pkasting
Putting on the 1.8.1/FF2 radar...
Flags: blocking1.8.1? → blocking1.8.1+
Target Milestone: mozilla1.8.1beta2 → mozilla1.8.1
Martijn: With all these "evil" testcases, are you sure *you're* not the evil one? :)
No longer blocks: 348802
Flags: blocking1.8.1+ → blocking1.8.1?
Target Milestone: mozilla1.8.1 → ---
Restoring stuff brett clobbered...
Blocks: 348802
Target Milestone: --- → mozilla1.8.1
I can't restore the blocking+, apparently.
Flags: blocking1.8.1? → blocking1.8.1+
(In reply to comment #7)
> Restoring stuff brett clobbered...

Crap, how did I do that? Sorry.
This fixes some of the assertions that Peter had. I made a copy-and-paste error that causes the end to not get set properly when making a range. This patch is very low risk and possibly important.
Attachment #234329 - Flags: review?(pkasting)
Attachment #234329 - Flags: approval1.8.1?
Comment on attachment 234329 [details] [diff] [review]
Patch for assertions

Obvious typo fix.  This should go in to trunk and branch, but probably doesn't need to make B2.  This will not fix the crash.
Attachment #234329 - Flags: review?(pkasting) → review+
OK, this backs out the patch for bug 347200 entirely, and takes the safest possible route to solving that bug instead: resync the editor's spellchecking after creation, instead of reporting designMode differently.

This should hopefully prevent any more fallout from bug 347200.
Attachment #234330 - Flags: superreview?(bzbarsky)
Attachment #234330 - Flags: review?(bugmail)
I'd really like to get this in for B2 if at all possible.  Bug 347200 has already caused two crashes, who knows how many more it could trigger if we don't do it more safely.

(Obviously approval here assumes r+/sr+/baking for the trunk patch)
Attachment #234331 - Flags: approval1.8.1?
My assertion fix, while important and correct, does not actually fix the assertion. The problem is the offset is wrong, which I think can happen for paste operations. Fixing paste operations is bug 345103.
Comment on attachment 234330 [details] [diff] [review]
crash fix, trunk version

Yeah, this seems like the safe way to go for the time being...
Attachment #234330 - Flags: superreview?(bzbarsky)
Attachment #234330 - Flags: superreview+
Attachment #234330 - Flags: review?(bugmail)
Attachment #234330 - Flags: review+
Landed on trunk to bake.  I had to make a small change from the patch posted on this bug because I hadn't properly ported the branch fix to the trunk (left an extraneous "_1_8" in).

mozilla/content/html/document/src/nsHTMLDocument.cpp 3.696
Whiteboard: [baking]
(In reply to comment #6)
> Martijn: With all these "evil" testcases, are you sure *you're* not the evil
> one? :)

Yes, I know I am evil :)
Basically I find these crashers with a fuzzer tool, see bug 321107. The situations in which the crash occurs are mostly weird, but there is a real chance that regular websites can also trigger some of these crashes.

Comment on attachment 234329 [details] [diff] [review]
Patch for assertions

a=dbaron on behalf of drivers (for checkin today).  Please check in to MOZILLA_1_8_BRANCH and add the fixed1.8.1 keyword once you have done so.
Attachment #234329 - Flags: approval1.8.1? → approval1.8.1+
Comment on attachment 234331 [details] [diff] [review]
crash fix, branch version

a=dbaron on behalf of drivers (for checkin today).  Please check in to MOZILLA_1_8_BRANCH and add the fixed1.8.1 keyword once you have done so.
Attachment #234331 - Flags: approval1.8.1? → approval1.8.1+
Checked in on branch.

/mozilla/content/html/document/src/nsHTMLDocument.cpp 3.615.2.31
Status: NEW → RESOLVED
Closed: 18 years ago
Keywords: fixed1.8.1
Resolution: --- → FIXED
Whiteboard: [baking]
The typo fix is also on branch and trunk
https://bugzilla.mozilla.org/attachment.cgi?id=234198
ff2b2 debug/nightly windows/linux no crash

###!!! ASSERTION: JoinNode called with node not listed in offset table.: '0', file /work/mozilla/builds/ff/2.0/mozilla/editor/txtsvc/src/nsTextServicesDocument.cpp, line 2637
Break: at file /work/mozilla/builds/ff/2.0/mozilla/editor/txtsvc/src/nsTextServicesDocument.cpp, line 2637

verified fixed 1.8
Flags: blocking1.8.0.8?
testcase does not crash in 1.8.0.7
Flags: blocking1.8.0.8? → blocking1.8.0.8-
Whiteboard: [sg:moderate?] after 1.8.0.x
Group: security
Flags: in-testsuite?
Crash Signature: [@ nsComposerCommandsUpdater::TimerCallback] [@ nsGetInterface::operator()]