Closed Bug 537828 Opened 10 years ago Closed 10 years ago

crash [@ nsAString_internal::Assign(nsAString_internal const&)] related to IME


(Core :: DOM: Editor, defect, critical)

Windows Vista
Not set



Tracking Status
status1.9.2 --- .2-fixed
status1.9.1 --- .9-fixed


(Reporter: wsmwk, Assigned: masayuki)


(4 keywords)

Crash Data


(1 file, 2 obsolete files)

crash [@ nsAString_internal::Assign(nsAString_internal const&)]

#52 crash for v3.0.0

bp-4d3e6aa0-a1b0-4ce6-a706-c68492100102 no extensions
0	xpcom_core.dll	nsAString_internal::Assign	 xpcom/string/src/nsTSubstring.cpp:404
1	thunderbird.exe	CSSLoaderImpl::GetPreferredSheet	xpfe/components/find/src/nsFindService.cpp:80
2	thunderbird.exe	nsEditor::InsertTextIntoTextNodeImpl	editor/libeditor/base/nsEditor.cpp:2705
3	thunderbird.exe	nsWSRunObject::CheckTrailingNBSPOfRun	editor/libeditor/html/nsWSRunObject.cpp:2143
4	thunderbird.exe	nsWSRunObject::AdjustWhitespace	editor/libeditor/html/nsWSRunObject.cpp:681
5	thunderbird.exe	nsHTMLEditRules::AdjustWhitespace	editor/libeditor/html/nsHTMLEditRules.cpp:7491
6	thunderbird.exe	nsHTMLEditRules::AfterEditInner	editor/libeditor/html/nsHTMLEditRules.cpp:514
7	thunderbird.exe	nsHTMLEditRules::AfterEdit	editor/libeditor/html/nsHTMLEditRules.cpp:401
8	thunderbird.exe	nsHTMLEditor::EndOperation	editor/libeditor/html/nsHTMLEditor.cpp:4168
9	thunderbird.exe	nsAutoRules::~nsAutoRules	editor/libeditor/base/nsEditorUtils.h:123
10	thunderbird.exe	nsPlaintextEditor::InsertText	editor/libeditor/text/nsPlaintextEditor.cpp:784
11	thunderbird.exe	nsPlaintextEditor::SetCompositionString	editor/libeditor/text/nsPlaintextEditor.cpp:1748
12	thunderbird.exe	nsTextEditorTextListener::HandleText	editor/libeditor/text/nsEditorEventListeners.cpp:479 

bp-2dbaf6c8-d712-4655-abf9-1980c2091224 comment "When type Chinese on top of a photo (jpg), it crashed. Multiple times"

bp-0d2bc2fc-2e95-4f6f-bb95-004de2091108 (3.0b2 eudora) has comment too long to quote

going back 5 months, no other crashes with comments

Crashed when I clicked play button on a flash video I had paused seconds before.

Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.3a1pre) Gecko/20100108 Minefield/3.7a1pre ID:20100108043818

Crashing Thread
Frame 	Module 	Signature 	Source
0 	xul.dll 	nsAString_internal::Assign 	xpcom/string/src/nsTSubstring.cpp:398
1 	xul.dll 	gfxPlatformFontList::FindFontForChar 	gfx/thebes/src/gfxPlatformFontList.cpp:351
2 	xul.dll 	gfxWindowsFontGroup::WhichSystemFontSupportsChar 	gfx/thebes/src/gfxWindowsFonts.cpp:1879
3 	xul.dll 	gfxFontGroup::FindFontForChar 	
4 	xul.dll 	gfxFontGroup::ComputeRanges 	gfx/thebes/src/gfxFont.cpp:1641
5 	xul.dll 	gfxWindowsFontGroup::InitTextRunUniscribe 	gfx/thebes/src/gfxWindowsFonts.cpp:1920
6 	xul.dll 	gfxWindowsFontGroup::InitTextRunGDI 	
7 	xul.dll 	gfxWindowsFontGroup::MakeTextRun 	gfx/thebes/src/gfxWindowsFonts.cpp:741
8 	xul.dll 	TextRunWordCache::MakeTextRun 	gfx/thebes/src/gfxTextRunWordCache.cpp:683
9 	xul.dll 	MakeTextRun 	layout/generic/nsTextFrameThebes.cpp:436
10 	xul.dll 	BuildTextRunsScanner::BuildTextRunForFrames 	layout/generic/nsTextFrameThebes.cpp:1798
11 	xul.dll 	BuildTextRunsScanner::FlushFrames 	layout/generic/nsTextFrameThebes.cpp:1229
12 	xul.dll 	BuildTextRuns 	layout/generic/nsTextFrameThebes.cpp:1160
13 	xul.dll 	nsTextFrame::EnsureTextRun 	layout/generic/nsTextFrameThebes.cpp:1987
14 	xul.dll 	nsTextFrame::AddInlineMinWidthForFlow 	layout/generic/nsTextFrameThebes.cpp:5661
15 	xul.dll 	nsTextFrame::AddInlineMinWidth 	layout/generic/nsTextFrameThebes.cpp:5773
16 	xul.dll 	nsBlockFrame::GetMinWidth 	layout/generic/nsBlockFrame.cpp:700
17 	xul.dll 	nsLayoutUtils::IntrinsicForContainer 	layout/base/nsLayoutUtils.cpp:2063
18 	xul.dll 	nsBlockFrame::GetMinWidth 	layout/generic/nsBlockFrame.cpp:684
19 	xul.dll 	nsListControlFrame::GetMinWidth 	layout/forms/nsListControlFrame.cpp:541
20 	xul.dll 	nsContainerFrame::ComputeAutoSize 	layout/generic/nsContainerFrame.cpp:727
21 	xul.dll 	nsFrame::ComputeSize 	layout/generic/nsFrame.cpp:3104
22 	xul.dll 	nsHTMLReflowState::InitConstraints 	layout/generic/nsHTMLReflowState.cpp:1855
23 	xul.dll 	nsHTMLReflowState::Init 	layout/generic/nsHTMLReflowState.cpp:281
24 	xul.dll 	nsHTMLReflowState::nsHTMLReflowState 	layout/generic/nsHTMLReflowState.cpp:174
25 	xul.dll 	nsComboboxControlFrame::ReflowDropdown 	layout/forms/nsComboboxControlFrame.cpp:440
26 	xul.dll 	nsComboboxControlFrame::Reflow 	layout/forms/nsComboboxControlFrame.cpp:643
27 	xul.dll 	nsLineLayout::ReflowFrame 	layout/generic/nsLineLayout.cpp:852
28 	xul.dll 	nsBlockFrame::ReflowInlineFrame 	layout/generic/nsBlockFrame.cpp:3752
29 	xul.dll 	nsBlockFrame::DoReflowInlineFrames 	layout/generic/nsBlockFrame.cpp:3546
30 	xul.dll 	nsBlockFrame::ReflowInlineFrames 	layout/generic/nsBlockFrame.cpp:3400
31 	xul.dll 	nsBlockFrame::ReflowLine 	layout/generic/nsBlockFrame.cpp:2439
32 	xul.dll 	nsBlockFrame::ReflowDirtyLines 	layout/generic/nsBlockFrame.cpp:1885
33 	xul.dll 	nsBlockFrame::Reflow 	layout/generic/nsBlockFrame.cpp:993
34 	xul.dll 	nsBlockReflowContext::ReflowBlock 	layout/generic/nsBlockReflowContext.cpp:310
35 	xul.dll 	nsBlockFrame::ReflowBlockFrame 	layout/generic/nsBlockFrame.cpp:3119
36 	xul.dll 	nsBlockFrame::ReflowLine 	layout/generic/nsBlockFrame.cpp:2384
37 	xul.dll 	nsBlockFrame::ReflowDirtyLines 	layout/generic/nsBlockFrame.cpp:1885
38 	xul.dll 	nsBlockFrame::Reflow 	layout/generic/nsBlockFrame.cpp:993
39 	xul.dll 	nsBlockReflowContext::ReflowBlock 	layout/generic/nsBlockReflowContext.cpp:310
40 	xul.dll 	nsBlockFrame::ReflowBlockFrame 	layout/generic/nsBlockFrame.cpp:3119
41 	xul.dll 	nsBlockFrame::ReflowLine 	layout/generic/nsBlockFrame.cpp:2384
42 	xul.dll 	nsBlockFrame::ReflowDirtyLines 	layout/generic/nsBlockFrame.cpp:1885
43 	xul.dll 	nsBlockFrame::Reflow 	layout/generic/nsBlockFrame.cpp:993
44 	xul.dll 	nsContainerFrame::ReflowChild 	layout/generic/nsContainerFrame.cpp:774
45 	xul.dll 	nsTableCellFrame::Reflow 	layout/tables/nsTableCellFrame.cpp:912
46 	xul.dll 	nsContainerFrame::ReflowChild 	layout/generic/nsContainerFrame.cpp:774
47 	xul.dll 	nsTableRowFrame::ReflowChildren 	layout/tables/nsTableRowFrame.cpp:918
48 	xul.dll 	nsTableRowFrame::Reflow 	layout/tables/nsTableRowFrame.cpp:1074
49 	xul.dll 	nsContainerFrame::ReflowChild 	layout/generic/nsContainerFrame.cpp:774
50 	xul.dll 	nsTableRowGroupFrame::ReflowChildren 	layout/tables/nsTableRowGroupFrame.cpp:422
51 	xul.dll 	nsTableRowGroupFrame::Reflow 	layout/tables/nsTableRowGroupFrame.cpp:1323
52 	xul.dll 	nsContainerFrame::ReflowChild 	layout/generic/nsContainerFrame.cpp:774
53 	xul.dll 	nsTableFrame::ReflowChildren 	layout/tables/nsTableFrame.cpp:2893
54 	xul.dll 	nsTableFrame::ReflowTable 	layout/tables/nsTableFrame.cpp:1949
55 	xul.dll 	nsTableFrame::Reflow 	layout/tables/nsTableFrame.cpp:1853
56 	xul.dll 	nsContainerFrame::ReflowChild 	layout/generic/nsContainerFrame.cpp:774
57 	xul.dll 	nsTableOuterFrame::Reflow 	layout/tables/nsTableOuterFrame.cpp:1152
58 	xul.dll 	nsBlockReflowContext::ReflowBlock 	layout/generic/nsBlockReflowContext.cpp:310
59 	xul.dll 	nsBlockFrame::ReflowBlockFrame 	layout/generic/nsBlockFrame.cpp:3119
60 	xul.dll 	nsBlockFrame::ReflowLine 	layout/generic/nsBlockFrame.cpp:2384
61 	xul.dll 	nsBlockFrame::ReflowDirtyLines 	layout/generic/nsBlockFrame.cpp:1885
62 	xul.dll 	nsBlockFrame::Reflow 	layout/generic/nsBlockFrame.cpp:993
63 	xul.dll 	nsBlockReflowContext::ReflowBlock 	layout/generic/nsBlockReflowContext.cpp:310
64 	xul.dll 	nsBlockFrame::ReflowBlockFrame 	layout/generic/nsBlockFrame.cpp:3119
65 	xul.dll 	nsBlockFrame::ReflowLine 	layout/generic/nsBlockFrame.cpp:2384
66 	xul.dll 	nsBlockFrame::ReflowDirtyLines 	layout/generic/nsBlockFrame.cpp:1885
67 	xul.dll 	nsBlockFrame::Reflow 	layout/generic/nsBlockFrame.cpp:993
68 	xul.dll 	nsBlockReflowContext::ReflowBlock 	layout/generic/nsBlockReflowContext.cpp:310
69 	xul.dll 	nsBlockFrame::ReflowBlockFrame 	layout/generic/nsBlockFrame.cpp:3119
70 	xul.dll 	nsBlockFrame::ReflowLine 	layout/generic/nsBlockFrame.cpp:2384
71 	xul.dll 	nsBlockFrame::ReflowDirtyLines 	layout/generic/nsBlockFrame.cpp:1885
72 	xul.dll 	nsBlockFrame::Reflow 	layout/generic/nsBlockFrame.cpp:993
73 	xul.dll 	nsBlockReflowContext::ReflowBlock 	layout/generic/nsBlockReflowContext.cpp:310
74 	xul.dll 	nsBlockFrame::ReflowBlockFrame 	layout/generic/nsBlockFrame.cpp:3119
75 	xul.dll 	nsBlockFrame::ReflowLine 	layout/generic/nsBlockFrame.cpp:2384
76 	xul.dll 	nsBlockFrame::ReflowDirtyLines 	layout/generic/nsBlockFrame.cpp:1885
77 	xul.dll 	nsBlockFrame::Reflow 	layout/generic/nsBlockFrame.cpp:993
78 	xul.dll 	nsContainerFrame::ReflowChild 	layout/generic/nsContainerFrame.cpp:774
79 	xul.dll 	nsCanvasFrame::Reflow 	layout/generic/nsCanvasFrame.cpp:550
80 	xul.dll 	nsContainerFrame::ReflowChild 	layout/generic/nsContainerFrame.cpp:774
81 	xul.dll 	nsHTMLScrollFrame::ReflowScrolledFrame 	layout/generic/nsGfxScrollFrame.cpp:545
82 	xul.dll 	nsHTMLScrollFrame::ReflowContents 	layout/generic/nsGfxScrollFrame.cpp:639
83 	xul.dll 	nsHTMLScrollFrame::Reflow 	layout/generic/nsGfxScrollFrame.cpp:840
84 	xul.dll 	nsContainerFrame::ReflowChild 	layout/generic/nsContainerFrame.cpp:774
85 	xul.dll 	ViewportFrame::Reflow 	layout/generic/nsViewportFrame.cpp:285
86 	xul.dll 	PresShell::DoReflow 	layout/base/nsPresShell.cpp:7288
87 	xul.dll 	PresShell::ProcessReflowCommands 	layout/base/nsPresShell.cpp:7418
88 	xul.dll 	PresShell::FlushPendingNotifications 	layout/base/nsPresShell.cpp:4807
89 	nspr4.dll 	_MD_CURRENT_THREAD 	nsprpub/pr/src/md/windows/w95thred.c:308
90 	xul.dll 	PresShell::ReflowEvent::Run 	layout/base/nsPresShell.cpp:7098
91 	xul.dll 	nsThread::ProcessNextEvent 	xpcom/threads/nsThread.cpp:527
92 	xul.dll 	mozilla::ipc::MessagePump::Run 	ipc/glue/MessagePump.cpp:118
93 	xul.dll 	xul.dll@0x994d63 	
94 	xul.dll 	MessageLoop::RunHandler 	ipc/chromium/src/base/
95 	xul.dll 	_IsNonwritableInCurrentImage 	
96 	xul.dll 	MessageLoop::Run 	ipc/chromium/src/base/
97 	xul.dll 	nsBaseAppShell::Run 	widget/src/xpwidgets/nsBaseAppShell.cpp:174
98 	nspr4.dll 	PR_GetEnv 	
99 	xul.dll 	nsAppShell::Run 	widget/src/windows/nsAppShell.cpp:239
Could someone please change Product to "Core", because Firefox is also affected.  As for component, I'm not sure what it should be.

Ignore my comments here.  I have opened a new bug report for my crash, because it's a regression to a specific recent check-in.

now a top 50 crash
Component: Composition → Graphics
Product: MailNews Core → Core
QA Contact: composition → thebes
Summary: crash [@ nsAString_internal::Assign(nsAString_internal const&)] → crash [@ nsAString_internal::Assign(nsAString_internal const&)] Thunderbird
Closed: 10 years ago
Resolution: --- → DUPLICATE
Duplicate of bug: 538628
It is possible this bug is NOT related to the bug 538628 crash.  At first I assumed it was, which is why I posted my stack, but I may have been wrong.

As such, I'm not sure this bug should be listed under component "Graphics."  It looks like something else.  But if not, it will be apparent once the bug 538628 patch is checked in.

Ah, you're right, the original crash listing is in CSS code.  Reopening and switching the component.
Component: Graphics → Style System (CSS)
QA Contact: thebes → style-system
Resolution: DUPLICATE → ---
I have read through a lot of the comments related to this crash (per the signature in the original report).  The vast majority of the crashes have this characteristic:

1. Crash occurs for those using the Chinese Traditional input method (Microsoft IME?)
2. Affects both Firefox 3.5.x and Thunderbird 3.0.x

So if anyone knows someone who knows how to input Chinese, then it may be possible to narrow this down.

err... Japanese too.

see comment 9, comment 10

Add Japanese/Chinese keyboard layout from control panel.
(In reply to comment #12)
> Add Japanese/Chinese keyboard layout from control panel.

Actually, I already tried reproducing this a couple of days ago.  I installed the Microsoft supplemental language support for East Asian language, configured Chinese (PRC) and Japanese pinyin and typed either Chinese, Japanese, or both into Thunderbird (both new mail and replies) and Firefox (reporter mentioned sites: Yahoo chat and Google docs) and was unable to get a crash.  So we need more info.  I'm an English speaker/typist and don't understand any of the Asian languages.  This bug has been hitting (it appears) only Chinese and Japanese users using an IME.

What's needed are detailed STRs along with system hardware, OS and localization details for any system where this bug is reproducible.  For instance, what is the language of the OS and Mozilla apps where a crash is reproducible?  Also, some Asian computer users install third-party language apps (e.g. dictionaries) that integrate with the OS and provide functionality to apps in use.  I'm aware of one such that used to crash Windows Explorer, if P4 HyperThreading was enabled.

So, since the bug is primarily affecting Asian-language users (primarily Chinese and Japanese), what is needed is for a technically savvy Chinese/Japanese typist, who can replicate this bug, to provide detailed info.
I cannot understand these stacks.

0  	xpcom_core.dll  	nsAString_internal::Assign  	 xpcom/string/src/nsTSubstring.cpp:404
1 	thunderbird.exe 	CSSLoaderImpl::GetPreferredSheet 	xpfe/components/find/src/nsFindService.cpp:80
2 	thunderbird.exe 	nsEditor::InsertTextIntoTextNodeImpl 	editor/libeditor/base/nsEditor.cpp:2705
> jwalden@3233
>   2705      static_cast<IMETextTxn*>(txn.get())->MarkFixed();  // mark the ime txn "fixed"

Was the |txn| broken before this line?

0  	xul.dll  	nsAString_internal::Assign  	 xpcom/string/src/nsTSubstring.cpp:404
1 	xul.dll 	nsString::operator= 	obj-firefox/dist/include/string/nsTString.h:107
2 	xul.dll 	InsertTextTxn::GetData 	editor/libeditor/base/InsertTextTxn.cpp:179
3 	xul.dll 	nsEditor::InsertTextIntoTextNodeImpl 	editor/libeditor/base/nsEditor.cpp:2705
4 	xul.dll 	xul.dll@0x8b7cc3 	
5 	xul.dll 	nsWSRunObject::CheckTrailingNBSPOfRun 	editor/libeditor/html/nsWSRunObject.cpp:2143

Looks similar. I guess that this is nsEditor's bug.

O.K. I see the cause.
Assignee: nobody → masayuki
Component: Style System (CSS) → Editor
QA Contact: style-system → editor
Summary: crash [@ nsAString_internal::Assign(nsAString_internal const&)] Thunderbird → crash [@ nsAString_internal::Assign(nsAString_internal const&)]
Attached patch Patch v1.0 (obsolete) — Splinter Review
The cause is

This changed the condition of whether to create the IME transaction or not. However, it didn't change this patch's if block's condition. Therefore, we miscast |txn| when this is called by nsWSRunObject. It always calls with aSuppressIME == TRUE.
Attachment #421208 - Flags: review?(Olli.Pettay)
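The miscast described in the comment above, as an added illustration (not Mozilla's code; the class shapes and the `imeComposing` flag are assumed stand-ins): transaction creation gained an `!aSuppressIME` check, the later `static_cast` did not, so an nsWSRunObject-style call with aSuppressIME == TRUE during composition treats an InsertTextTxn as an IMETextTxn. The fixed version keys both decisions on one shared predicate.

```cpp
#include <cassert>
#include <memory>
#include <string>

// Stand-ins for the editor's transaction classes (assumed shapes, not Mozilla's code).
class EditTxn {
public:
  virtual ~EditTxn() = default;
  virtual const char* Kind() const = 0;
};

class InsertTextTxn : public EditTxn {
public:
  const char* Kind() const override { return "InsertTextTxn"; }
};

class IMETextTxn : public EditTxn {
public:
  const char* Kind() const override { return "IMETextTxn"; }
  void MarkFixed() { fixed = true; }  // mark the IME txn "fixed"
  bool fixed = false;
};

// One predicate shared by creation and by the later cast: this is the actual fix.
bool ShouldUseIMETxn(bool aSuppressIME, bool imeComposing) {
  return !aSuppressIME && imeComposing;
}

std::unique_ptr<EditTxn> CreateTxn(bool aSuppressIME, bool imeComposing) {
  if (ShouldUseIMETxn(aSuppressIME, imeComposing))
    return std::make_unique<IMETextTxn>();
  return std::make_unique<InsertTextTxn>();
}

// Buggy pattern (defined for comparison, never called): the if-condition predates the
// aSuppressIME check, so a caller with aSuppressIME == true while IME is composing gets an
// InsertTextTxn that is then cast to IMETextTxn*, i.e. type confusion (undefined behaviour).
void InsertTextBuggy(bool aSuppressIME, bool imeComposing) {
  auto txn = CreateTxn(aSuppressIME, imeComposing);
  if (imeComposing)                                    // stale condition
    static_cast<IMETextTxn*>(txn.get())->MarkFixed();  // wrong type when aSuppressIME
}

// Fixed pattern: cast only under the exact condition that produced an IMETextTxn.
// Returns true when the transaction was an IME txn and was marked fixed.
bool InsertTextFixed(bool aSuppressIME, bool imeComposing) {
  auto txn = CreateTxn(aSuppressIME, imeComposing);
  if (!ShouldUseIMETxn(aSuppressIME, imeComposing))
    return false;  // plain InsertTextTxn: nothing to mark
  // dynamic_cast documents the invariant and makes future drift fail loudly in debug builds.
  auto* ime = dynamic_cast<IMETextTxn*>(txn.get());
  assert(ime != nullptr);
  ime->MarkFixed();
  return ime->fixed;
}
```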
Comment on attachment 421208 [details] [diff] [review]
Patch v1.0

+  // aSuppressIME s used when editor must insert text, yet this text is not

please change 's used' to 'is used'
Attached patch Patch v1.0.1 (obsolete) — Splinter Review
Attachment #421208 - Attachment is obsolete: true
Attachment #421248 - Flags: review?(Olli.Pettay)
Attachment #421208 - Flags: review?(Olli.Pettay)
Comment on attachment 421248 [details] [diff] [review]
Patch v1.0.1

InsertTextIntoTextNodeImpl isn't defined in any interface, and there is only one implementation for it, so could you make it non-virtual while you're changing the code here?

So NS_IMETHOD -> nsresult
NS_IMETHODIMP -> nsresult
Attachment #421248 - Flags: review?(Olli.Pettay) → review+
Attached patch Patch v1.1Splinter Review
Attachment #421248 - Attachment is obsolete: true
can you speculate on steps needed to cause this in thunderbird?

asking because perhaps a manual litmus test would be wise, in addition to an automated test.  ... a regression from 2002?  :)

* bp-44b39d5c-276d-4ecd-9da1-444822100107
* free | nsAString_internal::Assign(nsAString_internal const&) bp-0d23ea44-7c87-4fab-8d35-254892100111
Keywords: intl
(In reply to comment #22)
> can you speculate on steps needed to cause this in thunderbird?

I'm not sure. I cannot reproduce this manually because I cannot find the case where nsPlaintextEditor::InsertText() fails. It failed to get the selection, but such a case is very rare; I don't know of such a case happening except with some strange chrome permission script (e.g., see bug 537041 comment 5).

> asking because perhaps a manual litmus test would be wise, in addition to an
> automated test.  ... a regression from 2002?  :)

We cannot create automated tests with IME transactions. See bug 528396: we cannot create an IME transaction from JS.

The cause of the regression is from 2002. However, the trigger may be from after that because this bug may occur with some chrome script (or a strange HTML editor which doesn't have <body>).

> related?
> * bp-44b39d5c-276d-4ecd-9da1-444822100107

This is another bug because it calls InsertTextIntoTextNodeImpl() without aSuppressIME (it means the value is PR_FALSE).

> bp-0d23ea44-7c87-4fab-8d35-254892100111

This is the same.

We should take the patch if we cannot find any regressions.
Closed: 10 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla1.9.3a1
Since this is also an issue for gecko 1.9.(0-2), it would be nice to have it checked in there too.
Comment on attachment 421254 [details] [diff] [review]
Patch v1.1

I think the risk is low.
Attachment #421254 - Flags: approval1.9.2.1?
Attachment #421254 - Flags: approval1.9.1.8?
Attachment #421254 - Flags: approval1.9.0.18?
Attachment #421254 - Flags: approval1.9.1.9?
Attachment #421254 - Flags: approval1.9.1.8?
Attachment #421254 - Flags: approval1.9.0.19?
Attachment #421254 - Flags: approval1.9.0.18?
Comment on attachment 421254 [details] [diff] [review]
Patch v1.1

a=beltzner for everywhere!
Attachment #421254 - Flags: approval1.9.2.2?
Attachment #421254 - Flags: approval1.9.2.2+
Attachment #421254 - Flags: approval1.9.1.9?
Attachment #421254 - Flags: approval1.9.1.9+
Attachment #421254 - Flags: approval1.9.0.19?
Attachment #421254 - Flags: approval1.9.0.19+
Keywords: checkin-needed
Whiteboard: [needs landing on 192][needs landing on 190]
landed on 1.9.2 branch.
Keywords: checkin-needed
Whiteboard: [needs landing on 192]
From comments, I see that there is no way to reproduce this crash manually. Am I correct in this understanding?
(In reply to comment #31)
> From comments, I see that there is no way to reproduce this crash manually. Am
> I correct in this understanding?

Al, there is no reported method.

On 1/4 I emailed two thunderbird crash reporters and followed up on 2/23; neither has come forward. :( So much for email addresses in crash reports.
I just PM'd the only Thunderbird crash of the past month for which I could find an address.

Have you looked at FF crash-stats for URLs? I don't know that anyone has looked at them.

For 4 weeks of SeaMonkey crashes, the list of non-sensitive URLs includes
* from bp-ac783198-6669-4b82-818a-17b972100324
* and a couple for google and yahoo mail, which aren't useful for our purposes

v.fixed according to crash-stats.  Only 4 crashes in version 3.0.4 and none match this bug's stack

thanks Masayuki
Summary: crash [@ nsAString_internal::Assign(nsAString_internal const&)] → crash [@ nsAString_internal::Assign(nsAString_internal const&)] related to IME
Crash Signature: [@ nsAString_internal::Assign(nsAString_internal const&)]