Closed
Bug 37264
Opened 25 years ago
Closed 25 years ago
Clearing Gfx TextField with "" causes crash
Categories
(Core :: DOM: Editor, defect, P1)
Tracking
()
VERIFIED
FIXED
M16
People
(Reporter: bugzilla, Assigned: buster)
References
Details
(Keywords: crash, platform-parity, Whiteboard: [dogfood+])
Attachments
(2 files)
|
211 bytes,
text/html
|
Details | |
|
746 bytes,
patch
|
Details | Diff | Splinter Review |
occurred using opt comm bits on winNT (not a problem on linux), 2000.04.26.09.
to repro:
1. open a new editor window.
2. type the word 'indeedy' and highlight (select) it.
3. click Spell button. spellchecker correctly suggests 'indeed' as a
replacement.
4. click Change in spellchecker.
result: browser and editor crash. will attach talkback info soon...
|
Reporter | |
Comment 1•25 years ago
|
||
Incident ID 9453505
Trigger Time
2000-04-26 11:40:14
Email Address
sairuh@netscape.com
User Comments
spellcheck
Build ID
2000042609
Product ID
Netscape6
Platform ID
Win32
Stack Trace
nsTextFrame::PaintAsciiText
[d:\builds\seamonkey\mozilla\layout\html\base\src\nsTextFrame.cpp, line 2452]
nsTextFrame::Paint
[d:\builds\seamonkey\mozilla\layout\html\base\src\nsTextFrame.cpp, line 1250]
nsContainerFrame::PaintChild
[d:\builds\seamonkey\mozilla\layout\html\base\src\nsContainerFrame.cpp, line
211]
nsBlockFrame::PaintChildren
[d:\builds\seamonkey\mozilla\layout\html\base\src\nsBlockFrame.cpp, line 6089]
nsBlockFrame::Paint
[d:\builds\seamonkey\mozilla\layout\html\base\src\nsBlockFrame.cpp, line 5967]
nsGfxTextControlFrame::PaintChild
[d:\builds\seamonkey\mozilla\layout\html\forms\src\nsGfxTextControlFrame.cpp,
line 1570]
nsGfxTextControlFrame::PaintTextControl
[d:\builds\seamonkey\mozilla\layout\html\forms\src\nsGfxTextControlFrame.cpp,
line 1623]
nsGfxTextControlFrame::Paint
[d:\builds\seamonkey\mozilla\layout\html\forms\src\nsGfxTextControlFrame.cpp,
line 1497]
nsContainerFrame::PaintChild
[d:\builds\seamonkey\mozilla\layout\html\base\src\nsContainerFrame.cpp, line
211]
nsBoxFrame::PaintChild
[d:\builds\seamonkey\mozilla\layout\xul\base\src\nsBoxFrame.cpp, line 1174]
nsBoxFrame::PaintChildren
[d:\builds\seamonkey\mozilla\layout\xul\base\src\nsBoxFrame.cpp, line 1289]
nsHTMLContainerFrame::Paint
[d:\builds\seamonkey\mozilla\layout\html\base\src\nsHTMLContainerFrame.cpp, line
89]
nsBoxFrame::Paint
[d:\builds\seamonkey\mozilla\layout\xul\base\src\nsBoxFrame.cpp, line 1146]
nsContainerFrame::PaintChild
[d:\builds\seamonkey\mozilla\layout\html\base\src\nsContainerFrame.cpp, line
211]
nsBoxFrame::PaintChild
[d:\builds\seamonkey\mozilla\layout\xul\base\src\nsBoxFrame.cpp, line 1174]
nsBoxFrame::PaintChildren
[d:\builds\seamonkey\mozilla\layout\xul\base\src\nsBoxFrame.cpp, line 1289]
nsHTMLContainerFrame::Paint
[d:\builds\seamonkey\mozilla\layout\html\base\src\nsHTMLContainerFrame.cpp, line
89]
nsBoxFrame::Paint
[d:\builds\seamonkey\mozilla\layout\xul\base\src\nsBoxFrame.cpp, line 1146]
nsContainerFrame::PaintChild
[d:\builds\seamonkey\mozilla\layout\html\base\src\nsContainerFrame.cpp, line
211]
nsBoxFrame::PaintChild
[d:\builds\seamonkey\mozilla\layout\xul\base\src\nsBoxFrame.cpp, line 1174]
nsBoxFrame::PaintChildren
[d:\builds\seamonkey\mozilla\layout\xul\base\src\nsBoxFrame.cpp, line 1289]
nsHTMLContainerFrame::Paint
[d:\builds\seamonkey\mozilla\layout\html\base\src\nsHTMLContainerFrame.cpp, line
89]
nsBoxFrame::Paint
[d:\builds\seamonkey\mozilla\layout\xul\base\src\nsBoxFrame.cpp, line 1146]
nsContainerFrame::PaintChild
[d:\builds\seamonkey\mozilla\layout\html\base\src\nsContainerFrame.cpp, line
211]
nsBoxFrame::PaintChild
[d:\builds\seamonkey\mozilla\layout\xul\base\src\nsBoxFrame.cpp, line 1174]
nsBoxFrame::PaintChildren
[d:\builds\seamonkey\mozilla\layout\xul\base\src\nsBoxFrame.cpp, line 1289]
nsHTMLContainerFrame::Paint
[d:\builds\seamonkey\mozilla\layout\html\base\src\nsHTMLContainerFrame.cpp, line
89]
nsBoxFrame::Paint
[d:\builds\seamonkey\mozilla\layout\xul\base\src\nsBoxFrame.cpp, line 1146]
nsContainerFrame::PaintChild
[d:\builds\seamonkey\mozilla\layout\html\base\src\nsContainerFrame.cpp, line
211]
nsBoxFrame::PaintChild
[d:\builds\seamonkey\mozilla\layout\xul\base\src\nsBoxFrame.cpp, line 1174]
nsBoxFrame::PaintChildren
[d:\builds\seamonkey\mozilla\layout\xul\base\src\nsBoxFrame.cpp, line 1289]
nsHTMLContainerFrame::Paint
[d:\builds\seamonkey\mozilla\layout\html\base\src\nsHTMLContainerFrame.cpp, line
89]
nsBoxFrame::Paint
[d:\builds\seamonkey\mozilla\layout\xul\base\src\nsBoxFrame.cpp, line 1146]
nsContainerFrame::PaintChild
[d:\builds\seamonkey\mozilla\layout\html\base\src\nsContainerFrame.cpp, line
211]
nsBoxFrame::PaintChild
[d:\builds\seamonkey\mozilla\layout\xul\base\src\nsBoxFrame.cpp, line 1174]
nsBoxFrame::PaintChildren
[d:\builds\seamonkey\mozilla\layout\xul\base\src\nsBoxFrame.cpp, line 1289]
nsHTMLContainerFrame::Paint
[d:\builds\seamonkey\mozilla\layout\html\base\src\nsHTMLContainerFrame.cpp, line
89]
nsBoxFrame::Paint
[d:\builds\seamonkey\mozilla\layout\xul\base\src\nsBoxFrame.cpp, line 1146]
nsContainerFrame::PaintChild
[d:\builds\seamonkey\mozilla\layout\html\base\src\nsContainerFrame.cpp, line
211]
nsContainerFrame::PaintChildren
[d:\builds\seamonkey\mozilla\layout\html\base\src\nsContainerFrame.cpp, line
155]
nsContainerFrame::Paint
[d:\builds\seamonkey\mozilla\layout\html\base\src\nsContainerFrame.cpp, line
134]
PresShell::Paint
[d:\builds\seamonkey\mozilla\layout\html\base\src\nsPresShell.cpp, line 3091]
nsView::Paint [d:\builds\seamonkey\mozilla\view\src\nsView.cpp, line 272]
nsViewManager2::RenderDisplayListElement
[d:\builds\seamonkey\mozilla\view\src\nsViewManager2.cpp, line 818]
nsViewManager2::RenderViews
[d:\builds\seamonkey\mozilla\view\src\nsViewManager2.cpp, line 765]
nsViewManager2::Refresh
[d:\builds\seamonkey\mozilla\view\src\nsViewManager2.cpp, line 645]
nsViewManager2::DispatchEvent
[d:\builds\seamonkey\mozilla\view\src\nsViewManager2.cpp, line 1286]
HandleEvent [d:\builds\seamonkey\mozilla\view\src\nsView.cpp, line 69]
nsWindow::DispatchEvent
[d:\builds\seamonkey\mozilla\widget\src\windows\nsWindow.cpp, line 515]
nsWindow::DispatchWindowEvent
[d:\builds\seamonkey\mozilla\widget\src\windows\nsWindow.cpp, line 537]
nsWindow::OnPaint [d:\builds\seamonkey\mozilla\widget\src\windows\nsWindow.cpp,
line 3085]
nsWindow::ProcessMessage
[d:\builds\seamonkey\mozilla\widget\src\windows\nsWindow.cpp, line 2243]
nsWindow::WindowProc
[d:\builds\seamonkey\mozilla\widget\src\windows\nsWindow.cpp, line 741]
USER32.dll + 0x19d0 (0x77e719d0)
USER32.dll + 0x1982 (0x77e71982)
ntdll.dll + 0x163a3 (0x77f763a3)
I'm currently looking into this. The crash is not caused by the spellchecker
code itself ... it is caused by the JavaScript, used in the spellchecker dialog,
that clears the replace word textfield with a "" value.
The line in particular is in chrome/editor/content/EdSpellCheck.js in the
JavaScript function SetWidgetsForMisspelledWord(), it looks like:
dialog.ReplaceWordInput.value = MisspelledWord;
Assignee: beppe → kin
Accepting bug. Setting to M16.
Status: NEW → ASSIGNED
Target Milestone: --- → M16
Ok here is what's going on ...
The frame that is causing the crash in nsTextFrame::PaintAsciiText() is the Gfx
TextField's content frame ... that is, the frame that displays the value in the
TextField. This frame only exists if the mouse has never been clicked inside the
textfield. If you click inside the textfield before clicking the change button
on the spellchecker dialog, you will notice that it doesn't crash.
nsTextFrame::PaintAsciiText() is crashing because the text frame's
mContentLength is out of sync with it's content node's text fragment. With the
example above, mContentLength is 6 (number of chars in the word 'indeed') while
the text frag says it should be zero, because we've just set the textfield's
value to "". This causes the code in PaintAsciiText to dereference a null
text pointer.
mContentLength gets out of sync when the nsGfxTextControlFrame updates the
content to be the "" string, this causes the TextField's content frame to be
marked as dirty. This then triggers the content frame's parent to do a reflow
... but since the content frame is not in it's parent's child list, it never
gets reflowed, so mContentLength never gets updated properly.
I talked to buster@netscape.com, and he said he would fix this.
Assignee: kin → buster
Status: ASSIGNED → NEW
Priority: P3 → P1
Changing summary from "spellchecker crash after clicking change button" to
"Clearing Gfx TextField with "" causes crash"
Summary: spellchecker crash after clicking Change button → Clearing Gfx TextField with "" causes crash
I've got the fix for this. The tree is so messed up, I don't know when I'll be
able to check it in though. I'll attach the diff so someone on the editor team
can verify that this fixes their problems.
Status: NEW → ASSIGNED
Whiteboard: dogfood → dogfood fix in hand
|
|
Assignee | |
Comment 10•25 years ago
|
||
*** Bug 37816 has been marked as a duplicate of this bug. ***
|
|
||
Comment 11•25 years ago
|
||
Steve, I'd sure like to see this checked in soon -- the bug is making it very
hard to address email messages. Marking dogfood+
Whiteboard: dogfood fix in hand → [dogfood+] fix in hand
|
|
Assignee | |
Comment 12•25 years ago
|
||
yeah, I know, but I'm travelling in MV all the rest of this week. I'll see what
I can do, but my ETA is Saturday. Maybe I can get someone else to check it in
for me?
|
|
||
Comment 13•25 years ago
|
||
Phil (et al): this bug has been no end of trouble to repair. In this mornings
build I can't even get the editor to accept keystrokes. Sorry for the delay, but
it's slow going.
|
|
Assignee | |
Comment 14•25 years ago
|
||
Rick: I don't understand your last comment. This bug doesn't have anything to
do with the editor accepting keystrokes or not. And I have a fix in had, with a
patch attached. Did you comment on the right bug?
|
|
Assignee | |
Comment 15•25 years ago
|
||
fixed. we now flush pending notifications after setting the value of the text
control field. this synchronizes the frame with the content.
Status: ASSIGNED → RESOLVED
Closed: 25 years ago
Resolution: --- → FIXED
Whiteboard: [dogfood+] fix in hand → [dogfood+]
You need to log in
before you can comment on or make changes to this bug.
Description
•