crash during spell check [@ nsTextServicesDocument::IsBlockNode(nsIContent*)]

RESOLVED FIXED in mozilla2.0b7

Status


--
critical
RESOLVED FIXED
9 years ago
8 years ago

People

(Reporter: wsmwk, Unassigned)

Tracking

({crash, topcrash})

1.9.1 Branch
mozilla2.0b7
x86
All
crash, topcrash
Points:
---

Firefox Tracking Flags

(status1.9.2 .11-fixed, status1.9.1 .14-fixed)

Details

(Whiteboard: [tb31wanted][tbird topcrash][fixed TB316][approved-patches-landed], crash signature)

Attachments

(1 attachment, 1 obsolete attachment)

(Reporter)

Description

9 years ago
crash during spell check?  [@ nsTextServicesDocument::IsBlockNode(nsIContent*)]
Crash Address	0x8 in most cases
rarely seen in FF (avg 2 per month) bp-ceff975e-8aac-4bdc-af7f-524422091020

bp-a5286843-5a4a-4c5c-a8ac-f92022090508
Ran spell checker and when I chose to replace a word, the crash occurred.
0	thunderbird.exe	nsTextServicesDocument::IsBlockNode	 editor/txtsvc/src/nsTextServicesDocument.cpp:3095
1	thunderbird.exe	nsTextServicesDocument::FirstTextNodeInNextBlock	editor/txtsvc/src/nsTextServicesDocument.cpp:4263
2	thunderbird.exe	nsTextServicesDocument::GetFirstTextNodeInNextBlock	editor/txtsvc/src/nsTextServicesDocument.cpp:4325
3	thunderbird.exe	nsTextServicesDocument::FirstBlock	editor/txtsvc/src/nsTextServicesDocument.cpp:615
4	thunderbird.exe	mozSpellChecker::Replace	extensions/spellcheck/src/mozSpellChecker.cpp:223
5	thunderbird.exe	nsEditorSpellCheck::ReplaceWord	editor/composer/src/nsEditorSpellCheck.cpp:308
6	xpcom_core.dll	NS_InvokeByIndex_P	xpcom/reflect/xptcall/src/md/win32/xptcinvoke.cpp:101
7	thunderbird.exe	XPCWrappedNative::CallMethod	js/src/xpconnect/src/xpcwrappednative.cpp:2291
8	thunderbird.exe	XPC_WN_CallMethod	js/src/xpconnect/src/xpcwrappednativejsops.cpp:1583 

bp-dc47f80f-aa41-4b8c-98ce-5d2b42091016
(Reporter)

Updated

9 years ago
Component: Message Compose Window → Spelling checker
Product: Thunderbird → Core
QA Contact: message-compose → spelling-checker
Version: 3.0 → 1.9.1 Branch
(Reporter)

Comment 2

9 years ago
Can you reproduce this crash using a trunk build (v3.2 alpha)?
  ftp://ftp.mozilla.org/pub/thunderbird/nightly/latest-comm-central-trunk/
  Back up your profile before testing. And note, your global index will reindex.

The reason for asking about trunk is that hunspell got updated on trunk a couple of days ago. [1]

#25 crash for 3.0.4, and exists in 3.1
~3% of crashes have email addresses (pretty amazing). PMed them to see if anyone can reproduce with trunk build.

[1] as noted in mdat newsgroup...
On Sat, 12 Jun 2010 12:58:15 -0400, Wayne Mery wrote:
> new 1.2.11 2010-05-06
> previous 1.2.8 2009-03-03
See: https://bugzilla.mozilla.org/show_bug.cgi?id=564608
Bug 564608 - Update Hunspell to 1.2.11

And:
http://groups.google.com/group/mozilla.dev.planning/browse_thread/thread/2fa9ff59395cbcec
Keywords: topcrash
Whiteboard: [tb31wants]
I've been unable to reproduce this at all, unfortunately.  The breakpad ID I linked in comment #1 was from one of our employees.

Comment 4

9 years ago
bug 302775 is the last to change nearby lines.

the crash is because:
4242 nsTextServicesDocument::FirstTextNodeInNextBlock(nsIContentIterator *aIterator)

4254 nsCOMPtr<nsIContent> content = do_QueryInterface(aIterator->GetCurrentNode());

content is null

4256 if (IsTextNode(content))

this is false.

4257 {
4262 }
4263 else if (!crossedBlockBoundary && IsBlockNode(content)) 

we pass null to IsBlockNode() which crashes.
Component: Spelling checker → Editor
QA Contact: spelling-checker → editor
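
The failure mode analyzed in comment 4, as an added C++ example that is not code from the bug thread or from Gecko: a null-tolerant `IsTextNode()` lets a null `content` fall through to an `IsBlockNode()` that dereferences it. `Node`, `Iterator`, `gNullReports` and the simplified walk are hypothetical stand-ins, and placing the check inside `IsBlockNode()` with a diagnostic is one assumed way to do it, following the NS_ERROR request later in the thread.

```cpp
// Added illustration; Node, Iterator and helpers are stand-ins, not Gecko classes.
#include <cstdio>
#include <string>
#include <vector>

struct Node { std::string tag; bool isText; };

// Stand-in iterator: a nullptr slot models the current node failing the
// interface query, which is how `content` ended up null in comment 4.
struct Iterator {
  std::vector<const Node*> nodes;
  std::size_t pos = 0;
  bool IsDone() const { return pos >= nodes.size(); }
  const Node* GetCurrentNode() const { return nodes[pos]; }
  void Next() { ++pos; }
};

static int gNullReports = 0;  // stands in for an NS_ERROR-style diagnostic
bool IsTextNode(const Node* n) { return n && n->isText; }  // null-tolerant

// "Before": unconditional dereference, so a null argument faults near address 0.
bool IsBlockNodeUnchecked(const Node* n) { return n->tag == "p" || n->tag == "div"; }

// Hardened: refuse null, but report it so the upstream cause is not hidden.
bool IsBlockNode(const Node* n) {
  if (!n) {
    ++gNullReports;
    std::fprintf(stderr, "IsBlockNode: unexpected null content\n");
    return false;
  }
  return IsBlockNodeUnchecked(n);
}

// Simplified walk: first text node found after crossing a block boundary.
const Node* FirstTextNodeInNextBlock(Iterator& it) {
  bool crossedBlockBoundary = false;
  for (; !it.IsDone(); it.Next()) {
    const Node* content = it.GetCurrentNode();
    if (IsTextNode(content)) {
      if (crossedBlockBoundary) return content;
    } else if (!crossedBlockBoundary && IsBlockNode(content)) {
      crossedBlockBoundary = true;
    }
  }
  return nullptr;
}

int main() {  // constructed sample: text, null slot, block, text
  Node a{"#text", true}, p{"p", false}, b{"#text", true};
  Iterator it; it.nodes = {&a, nullptr, &p, &b};
  return FirstTextNodeInNextBlock(it) == &b && gNullReports == 1 ? 0 : 1;
}
```

Counting the null reports rather than silently returning false keeps the unexplained null visible, which is the reason the reviewer asks for a diagnostic instead of a bare check.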

Comment 5

9 years ago
The analysis in comment 4 is true, and it's very easy to add the null check, but I'm trying to understand what the underlying reason for the crash is.

Updated

9 years ago
Assignee: nobody → ehsan
Status: NEW → ASSIGNED

Comment 6

9 years ago
Created attachment 468915 [details] [diff] [review]
Patch (v1)

Well, I guess taking a fix here won't hurt.
Attachment #468915 - Flags: review?(roc)
Comment on attachment 468915 [details] [diff] [review]
Patch (v1)

Can you put an NS_ERROR in here and leave the bug open? I think we should at some point understand how null can get in here.
Attachment #468915 - Flags: review?(roc) → review+

Comment 8

9 years ago
Created attachment 468928 [details] [diff] [review]
Patch (v1.1)

(In reply to comment #7)
> Comment on attachment 468915 [details] [diff] [review]
> Patch (v1)
> 
> Can you put an NS_ERROR in here and leave the bug open? I think we should at
> some point understand how null can get in here.

Sure, makes sense.
Attachment #468915 - Attachment is obsolete: true
Attachment #468928 - Flags: approval2.0?

Comment 9

9 years ago
http://hg.mozilla.org/mozilla-central/rev/e75a780dfd06
Status: ASSIGNED → RESOLVED
Last Resolved: 9 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla2.0b6

Updated

9 years ago
Attachment #468928 - Flags: approval1.9.2.10?
Attachment #468928 - Flags: approval1.9.1.13?
Comment on attachment 468928 [details] [diff] [review]
Patch (v1.1)

Approved for 1.9.2.11 and 1.9.1.14, a=dveditz
Attachment #468928 - Flags: approval1.9.2.11?
Attachment #468928 - Flags: approval1.9.2.11+
Attachment #468928 - Flags: approval1.9.1.14?
Attachment #468928 - Flags: approval1.9.1.14+
(Reporter)

Comment 11

9 years ago
Thanks to all for the quick attention to this topcrash.
Reopening per comment 7.
Status: RESOLVED → REOPENED
Resolution: FIXED → ---
Whiteboard: [tb31wants] → [tb31wants][tbird topcrash]

Comment 12

9 years ago
http://hg.mozilla.org/releases/mozilla-1.9.2/rev/f2cfe1e0111f
http://hg.mozilla.org/releases/mozilla-1.9.1/rev/df70c8bcf9b1
Status: REOPENED → NEW
status1.9.1: --- → .14-fixed
status1.9.2: --- → .11-fixed

Updated

9 years ago
Assignee: ehsan → nobody
(Reporter)

Updated

8 years ago
Whiteboard: [tb31wants][tbird topcrash] → [tb31wanted][tbird topcrash][fixed TB316]
Should this bug be marked FIXED?
Whiteboard: [tb31wanted][tbird topcrash][fixed TB316] → [tb31wanted][tbird topcrash][fixed TB316][approved-patches-landed]

Comment 14

8 years ago
(In reply to comment #13)
> Should this bug be marked FIXED?

No, see comment 7 please.

Comment 15

8 years ago
OK, I give up, and I'm closing this.  The possible NS_ERRORs that we get can probably be filed as new bugs.  This bug is showing up in all sorts of queries all the time, and it's really misleading to leave this open.
Status: NEW → RESOLVED
Last Resolved: 9 years ago → 8 years ago
Resolution: --- → FIXED
Crash Signature: [@ nsTextServicesDocument::IsBlockNode(nsIContent*)]