Closed Bug 37264 Opened 24 years ago Closed 24 years ago

Clearing Gfx TextField with "" causes crash

Categories: Core :: DOM: Editor, defect, P1
Platform: x86, Windows NT
Status: VERIFIED FIXED
People: Reporter: bugzilla, Assigned: buster
Keywords: crash, platform-parity
Whiteboard: [dogfood+]
Attachments: 2 files

occurred using opt comm bits on winNT (not a problem on linux), 2000.04.26.09.

to repro:
1. open a new editor window.
2. type the word 'indeedy' and highlight (select) it.
3. click Spell button. spellchecker correctly suggests 'indeed' as a
replacement.
4. click Change in spellchecker.

result: browser and editor crash. will attach talkback info soon...
Incident ID: 9453505
Trigger Time: 2000-04-26 11:40:14
Email Address: sairuh@netscape.com
User Comments: spellcheck
Build ID: 2000042609
Product ID: Netscape6
Platform ID: Win32
Stack Trace:

nsTextFrame::PaintAsciiText
[d:\builds\seamonkey\mozilla\layout\html\base\src\nsTextFrame.cpp, line 2452] 
nsTextFrame::Paint
[d:\builds\seamonkey\mozilla\layout\html\base\src\nsTextFrame.cpp, line 1250] 
nsContainerFrame::PaintChild
[d:\builds\seamonkey\mozilla\layout\html\base\src\nsContainerFrame.cpp, line
211] 
nsBlockFrame::PaintChildren
[d:\builds\seamonkey\mozilla\layout\html\base\src\nsBlockFrame.cpp, line 6089] 
nsBlockFrame::Paint
[d:\builds\seamonkey\mozilla\layout\html\base\src\nsBlockFrame.cpp, line 5967] 
nsGfxTextControlFrame::PaintChild
[d:\builds\seamonkey\mozilla\layout\html\forms\src\nsGfxTextControlFrame.cpp,
line 1570] 
nsGfxTextControlFrame::PaintTextControl
[d:\builds\seamonkey\mozilla\layout\html\forms\src\nsGfxTextControlFrame.cpp,
line 1623] 
nsGfxTextControlFrame::Paint
[d:\builds\seamonkey\mozilla\layout\html\forms\src\nsGfxTextControlFrame.cpp,
line 1497] 
nsContainerFrame::PaintChild
[d:\builds\seamonkey\mozilla\layout\html\base\src\nsContainerFrame.cpp, line
211] 
nsBoxFrame::PaintChild
[d:\builds\seamonkey\mozilla\layout\xul\base\src\nsBoxFrame.cpp, line 1174] 
nsBoxFrame::PaintChildren
[d:\builds\seamonkey\mozilla\layout\xul\base\src\nsBoxFrame.cpp, line 1289] 
nsHTMLContainerFrame::Paint
[d:\builds\seamonkey\mozilla\layout\html\base\src\nsHTMLContainerFrame.cpp, line
89] 
nsBoxFrame::Paint
[d:\builds\seamonkey\mozilla\layout\xul\base\src\nsBoxFrame.cpp, line 1146] 
nsContainerFrame::PaintChild
[d:\builds\seamonkey\mozilla\layout\html\base\src\nsContainerFrame.cpp, line
211] 
nsBoxFrame::PaintChild
[d:\builds\seamonkey\mozilla\layout\xul\base\src\nsBoxFrame.cpp, line 1174] 
nsBoxFrame::PaintChildren
[d:\builds\seamonkey\mozilla\layout\xul\base\src\nsBoxFrame.cpp, line 1289] 
nsHTMLContainerFrame::Paint
[d:\builds\seamonkey\mozilla\layout\html\base\src\nsHTMLContainerFrame.cpp, line
89] 
nsBoxFrame::Paint
[d:\builds\seamonkey\mozilla\layout\xul\base\src\nsBoxFrame.cpp, line 1146] 
nsContainerFrame::PaintChild
[d:\builds\seamonkey\mozilla\layout\html\base\src\nsContainerFrame.cpp, line
211] 
nsBoxFrame::PaintChild
[d:\builds\seamonkey\mozilla\layout\xul\base\src\nsBoxFrame.cpp, line 1174] 
nsBoxFrame::PaintChildren
[d:\builds\seamonkey\mozilla\layout\xul\base\src\nsBoxFrame.cpp, line 1289] 
nsHTMLContainerFrame::Paint
[d:\builds\seamonkey\mozilla\layout\html\base\src\nsHTMLContainerFrame.cpp, line
89] 
nsBoxFrame::Paint
[d:\builds\seamonkey\mozilla\layout\xul\base\src\nsBoxFrame.cpp, line 1146] 
nsContainerFrame::PaintChild
[d:\builds\seamonkey\mozilla\layout\html\base\src\nsContainerFrame.cpp, line
211] 
nsBoxFrame::PaintChild
[d:\builds\seamonkey\mozilla\layout\xul\base\src\nsBoxFrame.cpp, line 1174] 
nsBoxFrame::PaintChildren
[d:\builds\seamonkey\mozilla\layout\xul\base\src\nsBoxFrame.cpp, line 1289] 
nsHTMLContainerFrame::Paint
[d:\builds\seamonkey\mozilla\layout\html\base\src\nsHTMLContainerFrame.cpp, line
89] 
nsBoxFrame::Paint
[d:\builds\seamonkey\mozilla\layout\xul\base\src\nsBoxFrame.cpp, line 1146] 
nsContainerFrame::PaintChild
[d:\builds\seamonkey\mozilla\layout\html\base\src\nsContainerFrame.cpp, line
211] 
nsBoxFrame::PaintChild
[d:\builds\seamonkey\mozilla\layout\xul\base\src\nsBoxFrame.cpp, line 1174] 
nsBoxFrame::PaintChildren
[d:\builds\seamonkey\mozilla\layout\xul\base\src\nsBoxFrame.cpp, line 1289] 
nsHTMLContainerFrame::Paint
[d:\builds\seamonkey\mozilla\layout\html\base\src\nsHTMLContainerFrame.cpp, line
89] 
nsBoxFrame::Paint
[d:\builds\seamonkey\mozilla\layout\xul\base\src\nsBoxFrame.cpp, line 1146] 
nsContainerFrame::PaintChild
[d:\builds\seamonkey\mozilla\layout\html\base\src\nsContainerFrame.cpp, line
211] 
nsBoxFrame::PaintChild
[d:\builds\seamonkey\mozilla\layout\xul\base\src\nsBoxFrame.cpp, line 1174] 
nsBoxFrame::PaintChildren
[d:\builds\seamonkey\mozilla\layout\xul\base\src\nsBoxFrame.cpp, line 1289] 
nsHTMLContainerFrame::Paint
[d:\builds\seamonkey\mozilla\layout\html\base\src\nsHTMLContainerFrame.cpp, line
89] 
nsBoxFrame::Paint
[d:\builds\seamonkey\mozilla\layout\xul\base\src\nsBoxFrame.cpp, line 1146] 
nsContainerFrame::PaintChild
[d:\builds\seamonkey\mozilla\layout\html\base\src\nsContainerFrame.cpp, line
211] 
nsContainerFrame::PaintChildren
[d:\builds\seamonkey\mozilla\layout\html\base\src\nsContainerFrame.cpp, line
155] 
nsContainerFrame::Paint
[d:\builds\seamonkey\mozilla\layout\html\base\src\nsContainerFrame.cpp, line
134] 
PresShell::Paint
[d:\builds\seamonkey\mozilla\layout\html\base\src\nsPresShell.cpp, line 3091] 
nsView::Paint [d:\builds\seamonkey\mozilla\view\src\nsView.cpp, line 272] 
nsViewManager2::RenderDisplayListElement
[d:\builds\seamonkey\mozilla\view\src\nsViewManager2.cpp, line 818] 
nsViewManager2::RenderViews
[d:\builds\seamonkey\mozilla\view\src\nsViewManager2.cpp, line 765] 
nsViewManager2::Refresh
[d:\builds\seamonkey\mozilla\view\src\nsViewManager2.cpp, line 645] 
nsViewManager2::DispatchEvent
[d:\builds\seamonkey\mozilla\view\src\nsViewManager2.cpp, line 1286] 
HandleEvent [d:\builds\seamonkey\mozilla\view\src\nsView.cpp, line 69] 
nsWindow::DispatchEvent
[d:\builds\seamonkey\mozilla\widget\src\windows\nsWindow.cpp, line 515] 
nsWindow::DispatchWindowEvent
[d:\builds\seamonkey\mozilla\widget\src\windows\nsWindow.cpp, line 537] 
nsWindow::OnPaint [d:\builds\seamonkey\mozilla\widget\src\windows\nsWindow.cpp,
line 3085] 
nsWindow::ProcessMessage
[d:\builds\seamonkey\mozilla\widget\src\windows\nsWindow.cpp, line 2243] 
nsWindow::WindowProc
[d:\builds\seamonkey\mozilla\widget\src\windows\nsWindow.cpp, line 741] 
USER32.dll + 0x19d0 (0x77e719d0) 
USER32.dll + 0x1982 (0x77e71982) 
ntdll.dll + 0x163a3 (0x77f763a3) 
Keywords: crash, pp
I'm currently looking into this. The crash is not caused by the spellchecker
code itself ... it is caused by the JavaScript, used in the spellchecker dialog,
that clears the replace word textfield with a "" value.

The line in particular is in chrome/editor/content/EdSpellCheck.js in the
JavaScript function SetWidgetsForMisspelledWord(), it looks like:

    dialog.ReplaceWordInput.value = MisspelledWord;
Assignee: beppe → kin
Accepting bug. Setting to M16.
Status: NEW → ASSIGNED
Target Milestone: --- → M16
Ok here is what's going on ...

The frame that is causing the crash in nsTextFrame::PaintAsciiText() is the Gfx 
TextField's content frame ... that is, the frame that displays the value in the 
TextField. This frame only exists if the mouse has never been clicked inside the 
textfield. If you click inside the textfield before clicking the change button 
on the spellchecker dialog, you will notice that it doesn't crash.

nsTextFrame::PaintAsciiText() is crashing because the text frame's 
mContentLength is out of sync with its content node's text fragment. With the 
example above, mContentLength is 6 (number of chars in the word 'indeed') while 
the text frag says it should be zero, because we've just set the textfield's 
value to "". This causes the code in PaintAsciiText to dereference a null 
text pointer.

mContentLength gets out of sync when the nsGfxTextControlFrame updates the 
content to be the "" string, this causes the TextField's content frame to be 
marked as dirty. This then triggers the content frame's parent to do a reflow 
... but since the content frame is not in its parent's child list, it never 
gets reflowed, so mContentLength never gets updated properly.

I talked to buster@netscape.com, and he said he would fix this. 
Assignee: kin → buster
Status: ASSIGNED → NEW
Priority: P3 → P1
Changing summary from "spellchecker crash after clicking change button" to 
"Clearing Gfx TextField with "" causes crash"
Summary: spellchecker crash after clicking Change button → Clearing Gfx TextField with "" causes crash
Blocks: 36552
Adding "dogfood" to the whiteboard.
Whiteboard: dogfood
I've got the fix for this.  The tree is so messed up, I don't know when I'll be 
able to check it in though.  I'll attach the diff so someone on the editor team 
can verify that this fixes their problems.
Status: NEW → ASSIGNED
Whiteboard: dogfood → dogfood fix in hand
Attached patch: proposed patch
Blocks: 37171
*** Bug 37816 has been marked as a duplicate of this bug. ***
Keywords: dogfood
Steve, I'd sure like to see this checked in soon -- the bug is making it very
hard to address email messages. Marking dogfood+
Whiteboard: dogfood fix in hand → [dogfood+] fix in hand
yeah, I know, but I'm travelling in MV all the rest of this week.  I'll see what 
I can do, but my ETA is Saturday.  Maybe I can get someone else to check it in 
for me?
Phil (et al): this bug has been no end of trouble to repair. In this morning's 
build I can't even get the editor to accept keystrokes. Sorry for the delay, but 
it's slow going.
Rick:  I don't understand your last comment.  This bug doesn't have anything to 
do with the editor accepting keystrokes or not.  And I have a fix in hand, with a 
patch attached.  Did you comment on the right bug?
fixed.  we now flush pending notifications after setting the value of the text 
control field. this synchronizes the frame with the content.
Status: ASSIGNED → RESOLVED
Closed: 24 years ago
Resolution: --- → FIXED
Whiteboard: [dogfood+] fix in hand → [dogfood+]
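
A minimal model of the desync and the flush described in the comments above, as an added example that is not part of any comment in this bug and is not Mozilla code. All type and function names are hypothetical, and the guard in Paint() is an assumed defensive check, not the fix that was checked in.

```cpp
#include <cstddef>
#include <string>
// Simplified model with hypothetical names; not Mozilla source.
struct TextContent {
    std::string value;
    std::size_t Length() const { return value.size(); }
    // Like the text fragment in the bug: no buffer at all when the value is "".
    const char* Fragment() const { return value.empty() ? nullptr : value.data(); }
};

struct TextFrame {
    const TextContent* content;
    std::size_t cachedLength = 0;  // plays the role of mContentLength
    bool dirty = false;
    explicit TextFrame(const TextContent* c) : content(c) {}
    void Reflow() { cachedLength = content->Length(); dirty = false; }
    // Returns characters painted, or -1 when the cached length no longer
    // matches the content (the state in which PaintAsciiText crashed).
    long Paint() const {
        const char* text = content->Fragment();
        if (cachedLength > content->Length() || (cachedLength != 0 && text == nullptr))
            return -1;  // assumed defensive guard: never read text[0..cachedLength)
        long painted = 0;
        for (std::size_t i = 0; i < cachedLength; ++i) painted += (text[i] != '\0');
        return painted;
    }
};

struct TextControl {
    TextContent content;
    TextFrame frame{&content};
    bool frameInChildList = false;  // the content frame is not in its parent's child list
    void ReflowDirtyChildren() { if (frameInChildList && frame.dirty) frame.Reflow(); }
    // flush=false models the crashing path, flush=true the fix described in the bug.
    void SetValue(const std::string& v, bool flush) {
        content.value = v;
        frame.dirty = true;
        ReflowDirtyChildren();      // never reaches the orphaned content frame
        if (flush) frame.Reflow();  // flush pending notifications: frame resyncs
    }
};

long PaintAfterClear(bool flush) {
    TextControl c;
    c.SetValue("indeed", true);  // in sync: cachedLength == 6
    c.SetValue("", flush);       // the JavaScript clear from the spellcheck dialog
    return c.frame.Paint();
}

int main() { return (PaintAfterClear(false) == -1 && PaintAfterClear(true) == 0) ? 0 : 1; }
```
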
verified in 5/12 build.
Status: RESOLVED → VERIFIED