Closed Bug 382778 Opened 17 years ago Closed 16 years ago

Crash [@ nsEditor::InsertNode] with execCommand insertorderedlist and selection in text node

Categories: Core :: DOM: Editor, defect (Platform: x86, All; Type: defect; Priority: Not set; Severity: critical)

Tracking: RESOLVED FIXED, mozilla1.9alpha8

People: Reporter: jruderman, Assigned: peterv

Details: 5 keywords, Whiteboard: [sg:critical?]

Attachments: 6 files

Attached file testcase
Loading the testcase makes Firefox (Mac trunk debug) crash [@ nsEditor::InsertNode] dereferencing the bogus address 0x5590c3d1.
Flags: blocking1.9?
Whiteboard: [sg:critical?]
Are any of you interested in fixing this sg:critical bug? :)
Doesn't peterv own editor now? :)
Linux trunk crashes too, OS -> All
OS: Mac OS X → All
Assignee: nobody → Olli.Pettay
Peterv has the patch already
Assignee: Olli.Pettay → peterv
Attached patch v1
This fixes the crash and similar lurking crashes.
Attachment #268120 - Flags: superreview?(jonas)
Attachment #268120 - Flags: review?
Attachment #268120 - Flags: review? → review?(Olli.Pettay)
After fixing the crash the testcase still throws an exception. This is a small additional fix for that: when getting an array of nodes from the selection's ranges we should not have duplicates in the array.
Attachment #268122 - Flags: superreview?(jonas)
Attachment #268122 - Flags: review?(Olli.Pettay)
Attachment #268120 - Flags: review?(Olli.Pettay) → review+
Comment on attachment 268122
Additional fix v1


>+    else {
>+      nsCOMArray<nsIDOMNode> nodes;
>+      nsUniqueFunctor functor(outArrayOfNodes);
>+      res = iter.AppendList(functor, nodes);
>+      if (NS_FAILED(res)) return res;
>+      if (!outArrayOfNodes.AppendObjects(nodes))
>+        return NS_ERROR_OUT_OF_MEMORY;
>+    }
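
Review bot: In the added `else` branch, `nsUniqueFunctor functor(outArrayOfNodes)` is built against the output array while the results are collected into the temporary `nodes`, so uniqueness is checked only against nodes already in `outArrayOfNodes`, not within the batch gathered by this `AppendList` call. A short comment should state that this is intended and why one pass cannot yield the same node twice, because appending directly into `outArrayOfNodes` or reordering these lines later would silently change the deduplication. As a style point, `return res;` after `if (NS_FAILED(res))` would read better on its own line, matching the `AppendObjects` check below it.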

Some comment here might be useful.
Attachment #268122 - Flags: review?(Olli.Pettay) → review+
Blocks: 384704
This doesn't crash me in FF2 windows. Is this a Mac only or trunk-only issue?
This blocks some blocking1.8.1.5+ bugs.
Flags: blocking1.8.1.5?
Flags: blocking1.8.0.13?
Flags: blocking1.8.1.5?
Flags: blocking1.8.1.5+
Flags: blocking1.8.0.13?
Flags: blocking1.8.0.13+
Whiteboard: [sg:critical?] → [sg:critical?] need sr=jonas
Comment on attachment 268120
v1

>@@ -2693,13 +2684,10 @@ NS_IMETHODIMP nsEditor::InsertTextIntoTe
>     {
>       DeleteNode(mIMETextNode);
>       mIMETextNode = nsnull;
>-      ((IMETextTxn*)txn)->MarkFixed();  // mark the ime txn "fixed"
>+      ((IMETextTxn*)txn.get())->MarkFixed();  // mark the ime txn "fixed"
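
Review bot: The downcast on the `+` line, `((IMETextTxn*)txn.get())->MarkFixed()`, is unchecked: nothing in the visible lines establishes that `txn` holds an IMETextTxn at this point, and a C-style cast compiles against any pointer type, so a wrong assumption becomes a call through a mistyped object. Use a named static cast so the conversion is restricted to related types and easy to search for, or keep a typed IMETextTxn pointer from where the transaction is created so no cast is needed. Separately, the result of `DeleteNode(mIMETextNode)` in the context lines is dropped; if that call can fail, the failure should be checked before `mIMETextNode` is cleared.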

Please change this to NS_STATIC_CAST

sr=me
Attachment #268120 - Flags: superreview?(jonas) → superreview+
Attachment #268122 - Flags: superreview?(jonas) → superreview+
Will the patch in this bug work for the branch as well, or do you need another patch to get approval?
Whiteboard: [sg:critical?] need sr=jonas → [sg:critical?] need trunk landing, branch approval
This is just attachment 268120 with some fixes to make it compile on branches.
Attachment #271687 - Flags: approval1.8.1.5?
Attachment #271687 - Flags: approval1.8.0.13?
Attachment #268122 - Flags: approval1.8.1.5?
Attachment #268122 - Flags: approval1.8.0.13?
Has this landed on trunk yet? If not, please land so QA can verify the fix.
Keywords: qawanted
Hrmpf, apparently I forgot to mark this fixed when I landed it last week.
Status: NEW → RESOLVED
Closed: 16 years ago
Resolution: --- → FIXED
Whiteboard: [sg:critical?] need trunk landing, branch approval → [sg:critical?] need branch approval
Target Milestone: --- → mozilla1.9beta1
Comment on attachment 271687
v1 (Ported to branch)

approved for 1.8.1.5 and 1.8.0.13, a=dveditz for release-drivers.

This has to land within ~36 hrs or we have to pull the plug on getting it this release.
Attachment #271687 - Flags: approval1.8.1.5?
Attachment #271687 - Flags: approval1.8.1.5+
Attachment #271687 - Flags: approval1.8.0.13?
Attachment #271687 - Flags: approval1.8.0.13+
Attachment #268122 - Flags: approval1.8.1.5?
Attachment #268122 - Flags: approval1.8.1.5+
Attachment #268122 - Flags: approval1.8.0.13?
Attachment #268122 - Flags: approval1.8.0.13+
Whiteboard: [sg:critical?] need branch approval → [sg:critical?] need branch landing
Whiteboard: [sg:critical?] need branch landing → [sg:critical?]
verified fixed 1.8.1.5 using the testcase with :

Mozilla/5.0 (Macintosh; U; Intel Mac OS X; en-US; rv:1.8.1.5pre) Gecko/2007071103 BonEcho/2.0.0.5pre on Mac OSX

Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.1.5pre) Gecko/2007071103 BonEcho/2.0.0.5pre on Linux Fedora F7

and Mozilla/5.0 (Windows; U; Windows NT 5.2; en-US; rv:1.8.1.5pre) Gecko/2007071103 BonEcho/2.0.0.5pre

no crash on Testcase - adding verified keyword.

I want to mention that using this testcase causes this error message in the error console on all platforms:
Error: uncaught exception: [Exception... "Component returned failure code: 0x80004001 (NS_ERROR_NOT_IMPLEMENTED) [nsIDOM3Document.adoptNode]"  nsresult: "0x80004001 (NS_ERROR_NOT_IMPLEMENTED)"  location: "JS frame :: https://bugzilla.mozilla.org/attachment.cgi?id=266879 :: init2 :: line 26"  data: no]
Attached file branch testcase
Ah, yes, adoptNode isn't implemented on the branch. Here's a testcase for the branch.
The 2nd testcase works fine on Windows but crashes the Mac and Linux builds.

On Linux talkback doesn't catch the crash. But the Mac Crash Reporting comes up:

Date/Time:      2007-07-11 18:19:49.403 +0200
OS Version:     10.4.10 (Build 8R2232)
Report Version: 4

Command: firefox-bin
Path:    /Volumes/BonEcho/BonEcho.app/Contents/MacOS/firefox-bin
Parent:  launchd [1]

Version: 2.0.0.5pre (2.0.0.5pre)

PID:    235
Thread: 0

Exception:  EXC_BAD_ACCESS (0x0001)
Codes:      KERN_PROTECTION_FAILURE (0x0002) at 0x00000000

Thread 0 Crashed:
0   org.mozilla.firefox                 0x006a6950 nsNodeInfo::GetQualifiedName(nsAString_internal&) const + 132
1   org.mozilla.firefox                0x004c6c21 nsGenericHTMLElement::GetNodeName(nsAString_internal&) + 29
2   org.mozilla.firefox                 0x003bf541 nsHTMLEditor::RemoveListenerAndDeleteRef(nsAString_internal const&, nsIDOMEventListener*, int, nsIDOMElement*, nsIContent*, nsIPresShell*) + 1447
3   org.mozilla.firefox                0x000d27a4 nsHTMLEditor::EndUpdateViewBatch() + 102
4   org.mozilla.firefox                0x003cdc39 nsEditor::RemoveEventListeners() + 1605
5   org.mozilla.firefox                0x000de22a nsHTMLEditor::~nsHTMLEditor [in-charge]() + 10176
6   org.mozilla.firefox                 0x0052989f nsListCommand::ToggleState(nsIEditor*, char const*) + 397
7   org.mozilla.firefox                0x00528cc3 nsAbsolutePositioningCommand::ToggleState(nsIEditor*, char const*) + 775
8   org.mozilla.firefox                 0x00208811 nsControllerCommandTable::~nsControllerCommandTable [in-charge]() + 465
9   org.mozilla.firefox                0x0020669e nsBaseCommandController::~nsBaseCommandController [in-charge]() + 1116
10  org.mozilla.firefox                0x001f8ac1 nsCommandManager::GetControllerForCommand(char const*, nsIDOMWindow*, nsIController**) + 585
11  org.mozilla.firefox                0x00142f59 nsHTMLDocument::OpenCommon(nsACString_internal const&, int) + 3587
12  libxpcom_core.dylib                0x00e5a8d9 XPTC_InvokeByIndex + 81
13  org.mozilla.firefox                0x0037045b XPCWrappedNative::CallMethod(XPCCallContext&, XPCWrappedNative::CallMode) + 743
14  org.mozilla.firefox                0x003626fb XPC_WN_CallMethod(JSContext*, JSObject*, unsigned, long*, long*) + 261
15  libmozjs.dylib                     0x00c556d7 js_Invoke + 858
16  libmozjs.dylib                     0x00c47e61 js_Interpret + 4632
17  libmozjs.dylib                     0x00c55e7e js_Invoke + 2817
18  libmozjs.dylib                     0x00c5655e js_InternalInvoke + 146
19  libmozjs.dylib                     0x00c1b3b1 JS_CallFunctionValue + 62
20  org.mozilla.firefox                0x004fff6a nsJSContext::CallEventHandler(JSObject*, JSObject*, unsigned, long*, long*) + 430
21  org.mozilla.firefox                0x0040a537 nsGlobalWindow::RunTimeout(nsTimeout*) + 1475
22  org.mozilla.firefox                0x0040a5b6 nsGlobalWindow::TimerCallback(nsITimer*, void*) + 32
23  libxpcom_core.dylib                0x00e47781 nsTimerImpl::Fire() + 187
24  libxpcom_core.dylib                0x00e47f53 handleTimerEvent(TimerEventType*) + 107
25  libxpcom_core.dylib                0x00e44551 PL_HandleEvent + 21
26  libxpcom_core.dylib                0x00e4480a PL_ProcessPendingEvents + 103
27  com.apple.CoreFoundation           0x9082cf92 CFRunLoopRunSpecific + 1213
28  com.apple.CoreFoundation           0x9082cace CFRunLoopRunInMode + 61
29  com.apple.HIToolbox                0x92ddc8d8 RunCurrentEventLoopInMode + 285
30  com.apple.HIToolbox                0x92ddbfe2 ReceiveNextEventCommon + 385
31  com.apple.HIToolbox                0x92e24a74 _AcquireNextEvent + 58
32  com.apple.HIToolbox                0x92e248bc RunApplicationEventLoop + 150
33  org.mozilla.firefox                0x0023520f nsAppShell::~nsAppShell [in-charge deleting]() + 133
34  org.mozilla.firefox                0x002c0d9a nsAppStartup::DestroyExitEvent(PLEvent*) + 148
35  org.mozilla.firefox                0x000066ae XRE_main + 5892
36  org.mozilla.firefox                0x000032b8 main + 32
37  org.mozilla.firefox                0x0000323e start + 270
38  org.mozilla.firefox                0x00003159 start + 41

Thread 0 crashed with X86 Thread State (32-bit):
  eax: 0x00000000  ebx: 0xbfffdf28  ecx: 0xbfffe024  edx: 0x00010000
  edi: 0x1917e110  esi: 0xbfffe024  ebp: 0xbfffdfd8  esp: 0xbfffdf10
   ss: 0x0000001f  efl: 0x00010213  eip: 0x006a6950   cs: 0x00000017
   ds: 0x0000001f   es: 0x0000001f   fs: 0x00000000   gs: 0x00000037

I can't reproduce that crash on a current OS X branch build.
I crash when I try to run the second testcase. I can repro 100% of the time on the latest 2.0.0.5pre.
I'll try an optimized build tomorrow, but my debug build doesn't crash at all.
Can't reproduce the crash in my own build. Yesterday's nightly does crash for me but I don't think it had the fix: the build started at 2007/07/11 03:01 and my checkin was at 2007-07-11 03:13. Let's try again with today's nightly.
Doesn't crash for me in the latest 2.0.0.5pre nightlies. Marcia/Carsten, can you confirm?
Hi Peter, no crash on 2005 RC1 candidate builds on Mac and Linux and Vista Mozilla/5.0 (Macintosh; U; Intel Mac OS X; en-US; rv:1.8.1.5) Gecko/2007071216 Firefox/2.0.0.5

So I can confirm this bug as verified fixed for 1.8.1.5
I was not able to reproduce the crash on Tbird 15012 or Tbird 15013 in XP.
verified fixed using 1.8.0.13 using Mozilla/5.0 (Windows; U; Windows NT 5.2; en-US; rv:1.8.0.13pre) Gecko/20070822 Firefox/1.5.0.13pre

No crash on testcase - adding verified keyword
Flags: in-testsuite?
Group: security
Blocks: 386018
Crashtest checked in.
Flags: in-testsuite? → in-testsuite+
Crash Signature: [@ nsEditor::InsertNode]