Closed Bug 558983 Opened 15 years ago Closed 14 years ago

Holding Ctrl-Backspace from the middle of a sentence causes a crash. [@ nsEditor::CreateTxnForDeleteCharacter]

Categories

(Core :: DOM: Editor, defect)

1.9.1 Branch
x86_64
Linux
defect
Not set
critical

Tracking

()

RESOLVED FIXED
mozilla2.0b1
Tracking Status
status1.9.2 --- .7-fixed
status1.9.1 --- .11-fixed

People

(Reporter: snarkmaster, Assigned: ehsan.akhgari)

References

Details

(Keywords: crash, Whiteboard: [tbird crash] [qa-examined-191] [qa-needs-STR])

Crash Data

Attachments

(1 file)

User-Agent: Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.1.8) Gecko/20100214 Ubuntu/9.10 (karmic) Firefox/3.5.8 Build Identifier: Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.1.10pre) Gecko/20100410 Shredder/3.0.5pre Reproducible: Always Steps to Reproduce: 1) Click "Write" to compose a new message. 2) Type "asd asd asd asd das asd asd asd asd". 3) Put your cursor at the beginning of the word das. 4) Press Ctrl-Backspace until your cursor is at the beginning of the file. 5) Press Ctrl-Backspace once more. Actual Results: Thunderbird closes instantly, losing my message. Expected Results: Nothing happens.
can you reproduce in safe mode? https://support.mozillamessaging.com/en-US/kb/Safe+Mode please add your crash report id to the bug https://support.mozillamessaging.com/en-US/kb/Mozilla+Crash+Reporter if a crash report has not been generated, please try to get a stacktrace using one of the links on https://developer.mozilla.org/En/How_to_get_a_stacktrace_for_a_bug_report
Keywords: crash
Version: unspecified → 3.0
1) Yes, it happens in Safe Mode. 2) I don't get crash IDs. Here's a backtrace (compact and full): (gdb) bt #0 0x0000000000890c17 in nsEditor::CreateTxnForDeleteCharacter (this=0x7f7ad92d3c00, aData=0x7f7adae4a140, aOffset=0, aDirection=<value optimized out>, aTxn=<value optimized out>) at nsEditor.cpp:4916 #1 0x0000000000894391 in nsEditor::CreateTxnForDeleteInsertionPoint (this=0x7f7ad92d3c00, aRange=<value optimized out>, aAction=-1, aTxn=0x7f7adae0edf0, aNode=0x7fffe40f7d80, aOffset=0x7fffe40f7dac, aLength=0x7fffe40f7da8) at nsEditor.cpp:5063 #2 0x00000000008915c5 in nsEditor::CreateTxnForDeleteSelection (this=0x7f7ad92d3c00, aAction=4, aTxn=0x7fffe40f7d90, aNode=<value optimized out>, aOffset=<value optimized out>, aLength=0x7fffe40f7da8) at nsEditor.cpp:4879 #3 0x000000000088f73a in nsEditor::DeleteSelectionImpl (this=0x7f7ad92d3c00, aAction=<value optimized out>) at nsEditor.cpp:4440 #4 0x00000000008848e2 in nsPlaintextEditor::DeleteSelection (this=0x7f7ad92d3c00, aAction=0) at nsPlaintextEditor.cpp:756 #5 0x00000000009fe869 in nsDeleteCommand::DoCommand (this=<value optimized out>, aCommandName=0xf17b63 "cmd_deleteWordBackward", aCommandRefCon=<value optimized out>) at nsEditorCommands.cpp:534 #6 0x0000000000ab4917 in nsControllerCommandTable::DoCommand (this=0x7f7ade669320, aCommandName=0xf17b63 "cmd_deleteWordBackward", aCommandRefCon=0x7f7ad92d3c00) at nsControllerCommandTable.cpp:191 #7 0x0000000000ab2831 in nsBaseCommandController::DoCommand (this=0x7f7ad9feaf00, aCommand=0xf17b63 "cmd_deleteWordBackward") at nsBaseCommandController.cpp:169 #8 0x0000000000814ef4 in DoCommandCallback (aCommand=0xf17b63 "cmd_deleteWordBackward", aData=0x7f7ad9fed070) at nsXBLWindowKeyHandler.cpp:315 #9 0x00000000005fce42 in delete_from_cursor_cb (w=<value optimized out>, del_type=<value optimized out>, count=1, user_data=<value optimized out>) at nsNativeKeyBindings.cpp:134 #10 0x00007f7af44035ae in g_closure_invoke () from /usr/lib/libgobject-2.0.so.0 #11 0x00007f7af4418983 in ?? () from /usr/lib/libgobject-2.0.so.0 #12 0x00007f7af5e0edf0 in ?? () from /usr/lib/libgtk-x11-2.0.so.0 #13 0x00007f7af5e0f310 in ?? () from /usr/lib/libgtk-x11-2.0.so.0 #14 0x00007f7af5e0f587 in ?? () from /usr/lib/libgtk-x11-2.0.so.0 #15 0x00007f7af5e0f914 in gtk_bindings_activate () from /usr/lib/libgtk-x11-2.0.so.0 #16 0x00000000005fca52 in nsNativeKeyBindings::KeyPressInternal (this=0x7f7ae25d7680, aEvent=<value optimized out>, aCallback=<value optimized out>, aCallbackData=<value optimized out>, aKeyCode=3826219984) at nsNativeKeyBindings.cpp:339 #17 0x00000000005fcaba in nsNativeKeyBindings::KeyPress (this=0x7f7ae25d7680, aEvent=..., aCallback=0x814eac <DoCommandCallback>, aCallbackData=0x7f7ad9fed070) at nsNativeKeyBindings.cpp:283 #18 0x0000000000815ec5 in nsXBLWindowKeyHandler::WalkHandlers (this=0x7f7adb2df6a0, aKeyEvent=0x7f7adc2f3b30, aEventType=0x7f7ae4354080) at nsXBLWindowKeyHandler.cpp:381 #19 0x0000000000815fe8 in nsXBLWindowKeyHandler::KeyPress (this=0x7f7adc225a90, aEvent=<value optimized out>) at nsXBLWindowKeyHandler.cpp:419 #20 0x00000000007bf5ef in DispatchToInterface (this=<value optimized out>, aPresContext=<value optimized out>, aEvent=0x7fffe40f8b60, aDOMEvent=0x7fffe40f87b0, aCurrentTarget=<value optimized out>, aFlags=<value optimized out>, aEventStatus=0x7fffe40f87b8) at nsEventListenerManager.cpp:184 #21 nsEventListenerManager::HandleEvent (this=<value optimized out>, aPresContext=<value optimized out>, aEvent=0x7fffe40f8b60, aDOMEvent=0x7fffe40f87b0, aCurrentTarget=<value optimized out>, aFlags=<value optimized out>, aEventStatus=0x7fffe40f87b8) at nsEventListenerManager.cpp:1202 #22 0x00000000007d289c in nsEventTargetChainItem::HandleEvent (this=0x7f7adae95268, aVisitor=..., aFlags=514, aMayHaveNewListenerManagers=0) at nsEventDispatcher.cpp:236 #23 0x00000000007d2a73 in nsEventTargetChainItem::HandleEventTargetChain (this=<value optimized out>, aVisitor=..., aFlags=518, aCallback=0x7fffe40f8850, aMayHaveNewListenerManagers=-468747312) at nsEventDispatcher.cpp:324 #24 0x00000000007d2aff in nsEventTargetChainItem::HandleEventTargetChain (this=<value optimized out>, aVisitor=..., aFlags=6, aCallback=0x7fffe40f8850, aMayHaveNewListenerManagers=<value optimized out>) at nsEventDispatcher.cpp:354 #25 0x00000000007d2e80 in nsEventDispatcher::Dispatch (aTarget=<value optimized out>, aPresContext=<value optimized out>, aEvent=0x7fffe40f8b60, aDOMEvent=0x0, aEventStatus=0x7fffe40f899c, aCallback=<value optimized out>) at nsEventDispatcher.cpp:514 #26 0x0000000000667060 in PresShell::HandleEventInternal (this=0x7f7ad9273000, aEvent=0x7fffe40f8b60, aView=0x7f7ad9fb9b00, aStatus=0x7fffe40f899c) at nsPresShell.cpp:6323 #27 0x0000000000667f97 in PresShell::HandleEvent (this=0x7f7ad9273000, aView=0x7f7ad9fb9b00, aEvent=0x7fffe40f8b60, aEventStatus=0x7fffe40f899c) at nsPresShell.cpp:6123 #28 0x000000000082d2dc in nsViewManager::HandleEvent (this=<value optimized out>, aView=0x0, aPoint=<value optimized out>, aEvent=0x7fffe40f8b60, aCaptured=-468747312) at nsViewManager.cpp:1400 #29 0x000000000082f4bb in nsViewManager::DispatchEvent (this=0x7f7add920bc0, aEvent=0x7fffe40f8b60, aStatus=0x7fffe40f8a8c) at nsViewManager.cpp:1359 #30 0x000000000082b845 in HandleEvent (aEvent=0x7fffe40f8b60) at nsView.cpp:168 #31 0x000000000061ae39 in nsWindow::DispatchEvent (this=0x7f7adb4aa780, aEvent=<value optimized out>, aStatus=@0xffffffff) at nsWindow.cpp:583 #32 0x0000000000624d06 in nsWindow::OnKeyPressEvent (this=0x7f7adb4aa780, aWidget=<value optimized out>, aEvent=0x7f7ad9585710) at nsWindow.cpp:3313 #33 0x0000000000624d6f in key_press_event_cb (widget=0x7f7adae2c780, event=0x7f7ad9585710) at nsWindow.cpp:5704 #34 0x00007f7af5ec8728 in ?? () from /usr/lib/libgtk-x11-2.0.so.0 #35 0x00007f7af44035ae in g_closure_invoke () from /usr/lib/libgobject-2.0.so.0 #36 0x00007f7af4418983 in ?? () from /usr/lib/libgobject-2.0.so.0 #37 0x00007f7af4419bcc in g_signal_emit_valist () from /usr/lib/libgobject-2.0.so.0 #38 0x00007f7af441a283 in g_signal_emit () from /usr/lib/libgobject-2.0.so.0 #39 0x00007f7af5fcf71f in ?? () from /usr/lib/libgtk-x11-2.0.so.0 #40 0x00007f7af5fe21bb in gtk_window_propagate_key_event () from /usr/lib/libgtk-x11-2.0.so.0 #41 0x00007f7af5fe51bb in ?? () from /usr/lib/libgtk-x11-2.0.so.0 #42 0x00007f7af5ec8728 in ?? () from /usr/lib/libgtk-x11-2.0.so.0 #43 0x00007f7af44035ae in g_closure_invoke () from /usr/lib/libgobject-2.0.so.0 #44 0x00007f7af441864d in ?? () from /usr/lib/libgobject-2.0.so.0 #45 0x00007f7af4419bcc in g_signal_emit_valist () from /usr/lib/libgobject-2.0.so.0 #46 0x00007f7af441a283 in g_signal_emit () from /usr/lib/libgobject-2.0.so.0 #47 0x00007f7af5fcf71f in ?? () from /usr/lib/libgtk-x11-2.0.so.0 #48 0x00007f7af5ec0da4 in gtk_propagate_event () from /usr/lib/libgtk-x11-2.0.so.0 #49 0x00007f7af5ec1ca3 in gtk_main_do_event () from /usr/lib/libgtk-x11-2.0.so.0 #50 0x00007f7af5236cec in ?? () from /usr/lib/libgdk-x11-2.0.so.0 #51 0x00007f7af3f66bce in g_main_context_dispatch () from /lib/libglib-2.0.so.0 #52 0x00007f7af3f6a598 in ?? () from /lib/libglib-2.0.so.0 #53 0x00007f7af3f6a6c0 in g_main_context_iteration () from /lib/libglib-2.0.so.0 #54 0x000000000060a967 in nsBaseAppShell::DoProcessNextNativeEvent (this=0x7f7adb0a1060, mayWait=0) at nsBaseAppShell.cpp:151 #55 0x000000000060aac5 in nsBaseAppShell::OnProcessNextEvent (this=0x7f7ae4961a00, thr=0x7f7aeca4e160, mayWait=1, recursionDepth=<value optimized out>) at nsBaseAppShell.cpp:296 #56 0x00007f7af6c3fb9b in nsThread::ProcessNextEvent (this=0x7f7aeca4e160, mayWait=1, result=0x7fffe40f984c) at nsThread.cpp:508 #57 0x00007f7af6c14e12 in NS_ProcessNextEvent_P (thread=0x7f7adb0a1060, mayWait=0) at nsThreadUtils.cpp:247 #58 0x000000000060abaf in nsBaseAppShell::Run (this=0x7f7ae4961a00) at nsBaseAppShell.cpp:170 #59 0x0000000000b34be8 in nsAppStartup::Run (this=0x7f7ae49c5780) at nsAppStartup.cpp:193 #60 0x0000000000449bf2 in XRE_main (argc=<value optimized out>, argv=<value optimized out>, aAppData=<value optimized out>) at nsAppRunner.cpp:3321 #61 0x0000000000445610 in main (argc=2, argv=0x7fffe40fa048) at nsMailApp.cpp:103 (gdb) bt full #0 0x0000000000890c17 in nsEditor::CreateTxnForDeleteCharacter (this=0x7f7ad92d3c00, aData=0x7f7adae4a140, aOffset=0, aDirection=<value optimized out>, aTxn=<value optimized out>) at nsEditor.cpp:4916 data = {<nsFixedString> = {<nsString> = {<nsAString_internal> = {mData = 0x7fffe40f7ae0, mLength = 7, mFlags = 65553}, <No data fields>}, mFixedCapacity = 63, mFixedBuf = 0x7fffe40f7ae0}, mStorage = {97, 115, 100, 32, 97, 115, 100, 0, 31608, 58383, 32767, 0, 9019, 63169, 32634, 0, 41256, 56036, 32634, 0, 34768, 238, 0, 0, 41216, 56036, 32634, 0, 36346, 122, 0, 0, 31744, 58383, 32767, 0, 9019, 63169, 32634, 0, 115, 117, 112, 0, 31728, 58383, 32767, 0, 15360, 55597, 32634, 0, 32128, 58383, 32767, 0, 31776, 56034, 32634, 0, 2900, 63169, 32634, 0}} segOffset = 4294967295 segLength = <value optimized out> #1 0x0000000000894391 in nsEditor::CreateTxnForDeleteInsertionPoint (this=0x7f7ad92d3c00, aRange=<value optimized out>, aAction=-1, aTxn=0x7f7adae0edf0, aNode=0x7fffe40f7d80, aOffset=0x7fffe40f7dac, aLength=0x7fffe40f7da8) at nsEditor.cpp:5063 txn = {mRawPtr = 0x0} node = {<nsCOMPtr_base> = {mRawPtr = 0x7f7adae4a140}, <No data fields>} count = 7 result = 0 offset = 0 nodeAsText = {<nsCOMPtr_base> = {mRawPtr = 0x7f7adae4a140}, <No data fields>} #2 0x00000000008915c5 in nsEditor::CreateTxnForDeleteSelection (this=0x7f7ad92d3c00, aAction=4, aTxn=0x7fffe40f7d90, aNode=<value optimized out>, aOffset=<value optimized out>, aLength=0x7fffe40f7da8) at nsEditor.cpp:4879 range = {<nsCOMPtr_base> = {mRawPtr = 0x7f7adae27c20}, <No data fields>} currentItem = {<nsCOMPtr_base> = {mRawPtr = 0x7f7adae27bf0}, <No data fields>} isCollapsed = 1 selPrivate = {<nsCOMPtr_base> = {mRawPtr = 0x7f7adb268388}, <No data fields>} enumerator = {<nsCOMPtr_base> = {mRawPtr = 0x7f7adb12e1c0}, <No data fields>} selCon = {<nsCOMPtr_base> = {mRawPtr = 0x7f7ad92730e8}, <No data fields>} selection = {<nsCOMPtr_base> = {mRawPtr = 0x7f7adb268380}, <No data fields>} result = <value optimized out> #3 0x000000000088f73a in nsEditor::DeleteSelectionImpl (this=0x7f7ad92d3c00, aAction=<value optimized out>) at nsEditor.cpp:4440 deleteCharOffset = 0 selection = {<nsCOMPtr_base> = {mRawPtr = 0x7f7adb268380}, <No data fields>} res = <value optimized out> txn = {mRawPtr = 0x7f7adae0edf0} deleteNode = {<nsCOMPtr_base> = {mRawPtr = 0x0}, <No data fields>} deleteCharLength = 0 deleteCharData = {<nsCOMPtr_base> = {mRawPtr = 0x7f7adae4a140}, <No data fields>} #4 0x00000000008848e2 in nsPlaintextEditor::DeleteSelection (this=0x7f7ad92d3c00, aAction=0) at nsPlaintextEditor.cpp:756 beginRulesSniffing = {mEd = 0x7f7ad92d3c00, mDoNothing = 0} ruleInfo = {<nsRulesInfo> = {_vptr.nsRulesInfo = 0xfa7ef0, action = 2002}, inString = 0x0, outString = 0x0, outputFormat = 0x0, maxLength = -1, collapsedAction = 4, bOrdered = 0, entireList = 0, bulletType = 0x0, alignType = 0x0, blockType = 0x0, insertElement = 0x0} cancel = 0 result = <value optimized out> batch = {mEd = {<nsCOMPtr_base> = {mRawPtr = 0x7f7ad92d3c00}, <No data fields>}} selection = {<nsCOMPtr_base> = {mRawPtr = 0x7f7adb268380}, <No data fields>} bCollapsed = 1 handled = 0 #5 0x00000000009fe869 in nsDeleteCommand::DoCommand (this=<value optimized out>, aCommandName=0xf17b63 "cmd_deleteWordBackward", aCommandRefCon=<value optimized out>) at nsEditorCommands.cpp:534 editor = {<nsCOMPtr_base> = {mRawPtr = 0x7f7ad92d3c00}, <No data fields>} deleteDir = 0 #6 0x0000000000ab4917 in nsControllerCommandTable::DoCommand (this=0x7f7ade669320, aCommandName=0xf17b63 "cmd_deleteWordBackward", aCommandRefCon=0x7f7ad92d3c00) at nsControllerCommandTable.cpp:191 commandHandler = {<nsCOMPtr_base> = {mRawPtr = 0x7f7ade5086d0}, <No data fields>} #7 0x0000000000ab2831 in nsBaseCommandController::DoCommand (this=0x7f7ad9feaf00, aCommand=0xf17b63 "cmd_deleteWordBackward") at nsBaseCommandController.cpp:169 context = 0xffffffff weak = {<nsCOMPtr_base> = {mRawPtr = 0x7f7ad92d3c00}, <No data fields>} #8 0x0000000000814ef4 in DoCommandCallback (aCommand=0xf17b63 "cmd_deleteWordBackward", aData=0x7f7ad9fed070) at nsXBLWindowKeyHandler.cpp:315 controller = {<nsCOMPtr_base> = {mRawPtr = 0x7f7ad9feaf00}, <No data fields>} #9 0x00000000005fce42 in delete_from_cursor_cb (w=<value optimized out>, del_type=<value optimized out>, count=1, user_data=<value optimized out>) at nsNativeKeyBindings.cpp:134 i = 1 forward = <value optimized out> cmd = 0xf17b63 "cmd_deleteWordBackward" #10 0x00007f7af44035ae in g_closure_invoke () from /usr/lib/libgobject-2.0.so.0 No symbol table info available. #11 0x00007f7af4418983 in ?? () from /usr/lib/libgobject-2.0.so.0 No symbol table info available. #12 0x00007f7af5e0edf0 in ?? () from /usr/lib/libgtk-x11-2.0.so.0 No symbol table info available. #13 0x00007f7af5e0f310 in ?? () from /usr/lib/libgtk-x11-2.0.so.0 No symbol table info available. #14 0x00007f7af5e0f587 in ?? () from /usr/lib/libgtk-x11-2.0.so.0 No symbol table info available. #15 0x00007f7af5e0f914 in gtk_bindings_activate () from /usr/lib/libgtk-x11-2.0.so.0 No symbol table info available. #16 0x00000000005fca52 in nsNativeKeyBindings::KeyPressInternal (this=0x7f7ae25d7680, aEvent=<value optimized out>, aCallback=<value optimized out>, aCallbackData=<value optimized out>, aKeyCode=3826219984) at nsNativeKeyBindings.cpp:339 modifiers = 4 #17 0x00000000005fcaba in nsNativeKeyBindings::KeyPress (this=0x7f7ae25d7680, aEvent=..., aCallback=0x814eac <DoCommandCallback>, aCallbackData=0x7f7ad9fed070) at nsNativeKeyBindings.cpp:283 keyCode = 3826219744 nativeKeyEvent = <value optimized out> #18 0x0000000000815ec5 in nsXBLWindowKeyHandler::WalkHandlers (this=0x7f7adb2df6a0, aKeyEvent=0x7f7adc2f3b30, aEventType=0x7f7ae4354080) at nsXBLWindowKeyHandler.cpp:381 nativeEvent = {nativeEvent = 0x7fffe40f8b60, keyCode = 8, charCode = 0, altKey = 0, ctrlKey = 1, shiftKey = 0, metaKey = 0} controllers = {<nsCOMPtr_base> = {mRawPtr = 0x7f7ad9fed070}, <No data fields>} root = {<nsCOMPtr_base> = {mRawPtr = 0x7f7adb2ffd18}, <No data fields>} handled = <value optimized out> evt = {<nsCOMPtr_base> = {mRawPtr = 0x7f7adc2f3b40}, <No data fields>} rv = 10466568 content = {<nsCOMPtr_base> = {mRawPtr = 0x0}, <No data fields>} prevent = 0 domNSEvent = {<nsCOMPtr_base> = {mRawPtr = 0x7f7adc2f3b58}, <No data fields>} trustedEvent = 1 isEditor = 1 el = {<nsCOMPtr_base> = {mRawPtr = 0x0}, <No data fields>} nativeBindings = <value optimized out> #19 0x0000000000815fe8 in nsXBLWindowKeyHandler::KeyPress (this=0x7f7adc225a90, aEvent=<value optimized out>) at nsXBLWindowKeyHandler.cpp:419 keyEvent = {<nsCOMPtr_base> = {mRawPtr = 0x7f7adc2f3b30}, <No data fields>} #20 0x00000000007bf5ef in DispatchToInterface (this=<value optimized out>, aPresContext=<value optimized out>, aEvent=0x7fffe40f8b60, aDOMEvent=0x7fffe40f87b0, aCurrentTarget=<value optimized out>, aFlags=<value optimized out>, aEventStatus=0x7fffe40f87b8) at nsEventListenerManager.cpp:184 ifaceListener = 0x7f7adc225a90 #21 nsEventListenerManager::HandleEvent (this=<value optimized out>, aPresContext=<value optimized out>, aEvent=0x7fffe40f8b60, aDOMEvent=0x7fffe40f87b0, aCurrentTarget=<value optimized out>, aFlags=<value optimized out>, aEventStatus=0x7fffe40f87b8) at nsEventListenerManager.cpp:1202 kungFuDeathGrip = {mRawPtr = 0x7f7adc225a90} ls = <value optimized out> useTypeInterface = <value optimized out> useGenericInterface = <value optimized out> hasListener = <value optimized out> pusher = {mScx = {<nsCOMPtr_base> = {mRawPtr = 0x0}, <No data fields>}, mScriptIsRunning = 0} currentGroup = 512 typeData = 0xf75da8 dispData = 0xf75fe0 iter = {<nsAutoTObserverArray<nsListenerStruct, 2u>::ForwardIterator> = {<nsAutoTObserverArray<nsListenerStruct, 2u>::Iterator> = {<nsTObserverArray_base::Iterator_base> = {mPosition = 2, mNext = 0x0}, mArray = @0x7f7ade56cb88}, <No data fields>}, mEnd = {<nsAutoTObserverArray<nsListenerStruct, 2u>::Iterator> = {<nsTObserverArray_base::Iterator_base> = {mPosition = 2, mNext = 0x7fffe40f8580}, mArray = @0x7f7ade56cb88}, <No data fields>}} #22 0x00000000007d289c in nsEventTargetChainItem::HandleEvent (this=0x7f7adae95268, aVisitor=..., aFlags=514, aMayHaveNewListenerManagers=0) at nsEventDispatcher.cpp:236 currentTarget = <value optimized out> #23 0x00000000007d2a73 in nsEventTargetChainItem::HandleEventTargetChain (this=<value optimized out>, aVisitor=..., aFlags=518, aCallback=0x7fffe40f8850, aMayHaveNewListenerManagers=-468747312) at nsEventDispatcher.cpp:324 newTarget = 0x7fffe40f7ae0 createdELMs = 1589 firstTarget = {<nsCOMPtr_base> = {mRawPtr = 0x7f7adb36cdc0}, <No data fields>} item = 0x7f7adae95268 #24 0x00000000007d2aff in nsEventTargetChainItem::HandleEventTargetChain (this=<value optimized out>, aVisitor=..., aFlags=6, aCallback=0x7fffe40f8850, aMayHaveNewListenerManagers=<value optimized out>) at nsEventDispatcher.cpp:354 createdELMs = 1589 firstTarget = {<nsCOMPtr_base> = {mRawPtr = 0x7f7adb36cdc0}, <No data fields>} item = 0x0 #25 0x00000000007d2e80 in nsEventDispatcher::Dispatch (aTarget=<value optimized out>, aPresContext=<value optimized out>, aEvent=0x7fffe40f8b60, aDOMEvent=0x0, aEventStatus=0x7fffe40f899c, aCallback=<value optimized out>) at nsEventDispatcher.cpp:514 postVisitor = {<nsEventChainVisitor> = {mPresContext = 0x7f7ad9fc2800, mEvent = 0x7fffe40f8b60, mDOMEvent = 0x7f7adc2f3b50, mEventStatus = nsEventStatus_eIgnore, mItemFlags = 0, mItemData = {<nsCOMPtr_base> = {mRawPtr = 0x0}, <No data fields>}}, <No data fields>} t = {<nsCOMPtr_base> = {mRawPtr = 0x7f7adb36cdc0}, <No data fields>} topEtci = 0x7f7adae95268 rv = <value optimized out> targetEtci = <value optimized out> status = <value optimized out> target = {<nsCOMPtr_base> = {mRawPtr = 0x7f7adb36cdc0}, <No data fields>} kungFuDeathGrip = {<nsCOMPtr_base> = {mRawPtr = 0x7f7ad9fc2800}, <No data fields>} preVisitor = {<nsEventChainVisitor> = {mPresContext = 0x7f7ad9fc2800, mEvent = 0x7fffe40f8b60, mDOMEvent = 0x0, mEventStatus = nsEventStatus_eIgnore, mItemFlags = 0, mItemData = {<nsCOMPtr_base> = {mRawPtr = 0x7f7adc3aec00}, <No data fields>}}, mCanHandle = 1 '\001', mForceContentDispatch = 1 '\001', mRelatedTargetIsInAnon = 0 '\000', mWantsWillHandleEvent = 0 '\000', mParentTarget = 0x0, mEventTargetAtParent = 0x0} #26 0x0000000000667060 in PresShell::HandleEventInternal (this=0x7f7ad9273000, aEvent=0x7fffe40f8b60, aView=0x7f7ad9fb9b00, aStatus=0x7fffe40f899c) at nsPresShell.cpp:6323 eventCB = {<nsDispatchingCallback> = {_vptr.nsDispatchingCallback = 0xf2b640}, mPresShell = {mRawPtr = 0x7f7ad9273000}} weakView = {mPrev = 0x0, mView = 0x7f7ad9fb9b00} isHandlingUserInput = 1 manager = {<nsCOMPtr_base> = {mRawPtr = 0x7f7ae3525730}, <No data fields>} rv = 0 #27 0x0000000000667f97 in PresShell::HandleEvent (this=0x7f7ad9273000, aView=0x7f7ad9fb9b00, aEvent=0x7fffe40f8b60, aEventStatus=0x7fffe40f899c) at nsPresShell.cpp:6123 esm = 0x7f7ae3525730 widgetHandlingEvent = <value optimized out> frame = 0x7f7ad92bd7c0 dispatchUsingCoordinates = <value optimized out> rv = 3826219744 #28 0x000000000082d2dc in nsViewManager::HandleEvent (this=<value optimized out>, aView=0x0, aPoint=<value optimized out>, aEvent=0x7fffe40f8b60, aCaptured=-468747312) at nsViewManager.cpp:1400 obs = {<nsCOMPtr_base> = {mRawPtr = 0x7f7ad92730d8}, <No data fields>} status = nsEventStatus_eIgnore #29 0x000000000082f4bb in nsViewManager::DispatchEvent (this=0x7f7add920bc0, aEvent=0x7fffe40f8b60, aStatus=0x7fffe40f8a8c) at nsViewManager.cpp:1359 p2a = 60 baseView = <value optimized out> view = 0x7f7ad9fb9b00 capturedEvent = 0 #30 0x000000000082b845 in HandleEvent (aEvent=0x7fffe40f8b60) at nsView.cpp:168 vm = {<nsCOMPtr_base> = {mRawPtr = 0x7f7add920bc0}, <No data fields>} result = nsEventStatus_eIgnore #31 0x000000000061ae39 in nsWindow::DispatchEvent (this=0x7f7adb4aa780, aEvent=<value optimized out>, aStatus=@0xffffffff) at nsWindow.cpp:583 No locals. #32 0x0000000000624d06 in nsWindow::OnKeyPressEvent (this=0x7f7adb4aa780, aWidget=<value optimized out>, aEvent=0x7f7ad9585710) at nsWindow.cpp:3313 status = nsEventStatus_eIgnore isKeyDownCancelled = 0 kungFuDeathGrip = {<nsCOMPtr_base> = {mRawPtr = 0x7f7adb4aa780}, <No data fields>} event = {<nsInputEvent> = {<nsGUIEvent> = {<nsEvent> = {eventStructType = 9 '\t', message = 131, refPoint = {x = 0, y = 0}, time = 103763944, flags = 2051, userType = {<nsCOMPtr_base> = {mRawPtr = 0x0}, <No data fields>}, target = {<nsCOMPtr_base> = {mRawPtr = 0x7f7adb36cdc0}, <No data fields>}, currentTarget = {<nsCOMPtr_base> = {mRawPtr = 0x7f7adb2ffd18}, <No data fields>}, originalTarget = {<nsCOMPtr_base> = {mRawPtr = 0x7f7adb36cdc0}, <No data fields>}}, widget = {<nsCOMPtr_base> = {mRawPtr = 0x7f7adb4aa780}, <No data fields>}, nativeMsg = 0x7f7ad9585710}, isShift = 0, isControl = 1, isAlt = 0, isMeta = 0}, keyCode = 8, charCode = 0, alternativeCharCodes = {<nsTArray_base> = {static sEmptyHdr = {mLength = 0, mCapacity = 0, mIsAutoArray = 0}, mHdr = 0x7f7af6e8cb58}, <No data fields>}, isChar = 0} #33 0x0000000000624d6f in key_press_event_cb (widget=0x7f7adae2c780, event=0x7f7ad9585710) at nsWindow.cpp:5704 window = <value optimized out> focusWindow = {mRawPtr = 0x7f7adb4aa780} #34 0x00007f7af5ec8728 in ?? () from /usr/lib/libgtk-x11-2.0.so.0 No symbol table info available. #35 0x00007f7af44035ae in g_closure_invoke () from /usr/lib/libgobject-2.0.so.0 No symbol table info available. #36 0x00007f7af4418983 in ?? () from /usr/lib/libgobject-2.0.so.0 No symbol table info available. #37 0x00007f7af4419bcc in g_signal_emit_valist () from /usr/lib/libgobject-2.0.so.0 No symbol table info available. #38 0x00007f7af441a283 in g_signal_emit () from /usr/lib/libgobject-2.0.so.0 No symbol table info available. #39 0x00007f7af5fcf71f in ?? () from /usr/lib/libgtk-x11-2.0.so.0 No symbol table info available. #40 0x00007f7af5fe21bb in gtk_window_propagate_key_event () from /usr/lib/libgtk-x11-2.0.so.0 No symbol table info available. #41 0x00007f7af5fe51bb in ?? () from /usr/lib/libgtk-x11-2.0.so.0 No symbol table info available. #42 0x00007f7af5ec8728 in ?? () from /usr/lib/libgtk-x11-2.0.so.0 No symbol table info available. #43 0x00007f7af44035ae in g_closure_invoke () from /usr/lib/libgobject-2.0.so.0 No symbol table info available. #44 0x00007f7af441864d in ?? () from /usr/lib/libgobject-2.0.so.0 No symbol table info available. #45 0x00007f7af4419bcc in g_signal_emit_valist () from /usr/lib/libgobject-2.0.so.0 No symbol table info available. #46 0x00007f7af441a283 in g_signal_emit () from /usr/lib/libgobject-2.0.so.0 No symbol table info available. #47 0x00007f7af5fcf71f in ?? () from /usr/lib/libgtk-x11-2.0.so.0 No symbol table info available. #48 0x00007f7af5ec0da4 in gtk_propagate_event () from /usr/lib/libgtk-x11-2.0.so.0 No symbol table info available. #49 0x00007f7af5ec1ca3 in gtk_main_do_event () from /usr/lib/libgtk-x11-2.0.so.0 No symbol table info available. #50 0x00007f7af5236cec in ?? () from /usr/lib/libgdk-x11-2.0.so.0 No symbol table info available. #51 0x00007f7af3f66bce in g_main_context_dispatch () from /lib/libglib-2.0.so.0 No symbol table info available. #52 0x00007f7af3f6a598 in ?? () from /lib/libglib-2.0.so.0 No symbol table info available. #53 0x00007f7af3f6a6c0 in g_main_context_iteration () from /lib/libglib-2.0.so.0 No symbol table info available. #54 0x000000000060a967 in nsBaseAppShell::DoProcessNextNativeEvent (this=0x7f7adb0a1060, mayWait=0) at nsBaseAppShell.cpp:151 prevVal = nsBaseAppShell::eEventloopNone result = -468747552 #55 0x000000000060aac5 in nsBaseAppShell::OnProcessNextEvent (this=0x7f7ae4961a00, thr=0x7f7aeca4e160, mayWait=1, recursionDepth=<value optimized out>) at nsBaseAppShell.cpp:296 start = 4188690775 limit = 20 oldBlockedWait = 0x0 needEvent = 1 #56 0x00007f7af6c3fb9b in nsThread::ProcessNextEvent (this=0x7f7aeca4e160, mayWait=1, result=0x7fffe40f984c) at nsThread.cpp:508 notifyGlobalObserver = 1 obs = {<nsCOMPtr_base> = {mRawPtr = 0x7f7ae4961a08}, <No data fields>} event = {<nsCOMPtr_base> = {mRawPtr = 0x7f7adb17c260}, <No data fields>} rv = 2147549183 #57 0x00007f7af6c14e12 in NS_ProcessNextEvent_P (thread=0x7f7adb0a1060, mayWait=0) at nsThreadUtils.cpp:247 val = 1 #58 0x000000000060abaf in nsBaseAppShell::Run (this=0x7f7ae4961a00) at nsBaseAppShell.cpp:170 thread = 0x7f7aeca4e160 #59 0x0000000000b34be8 in nsAppStartup::Run (this=0x7f7ae49c5780) at nsAppStartup.cpp:193 rv = <value optimized out> #60 0x0000000000449bf2 in XRE_main (argc=<value optimized out>, argv=<value optimized out>, aAppData=<value optimized out>) at nsAppRunner.cpp:3321 remoteService = {<nsCOMPtr_base> = {mRawPtr = 0x7f7ae39f8f60}, <No data fields>} appStartup = {<nsCOMPtr_base> = {mRawPtr = 0x7f7ae49c5780}, <No data fields>} shuttingDown = 0 workingDir = {<nsCOMPtr_base> = {mRawPtr = 0x7f7ae4966a40}, <No data fields>} cmdLine = {<nsCOMPtr_base> = {mRawPtr = 0x7f7ae7029540}, <No data fields>} xpcom = {mServiceManager = 0x7f7aead7a168} desktopStartupIDEnv = <value optimized out> profLD = {<nsCOMPtr_base> = {mRawPtr = 0x7f7aead49240}, <No data fields>} dirProvider = {<nsIDirectoryServiceProvider2> = {<nsIDirectoryServiceProvider> = {<nsISupports> = {_vptr.nsISupports = 0xde3550}, <No data fields>}, <No data fields>}, <nsIProfileStartup> = {<nsISupports> = {_vptr.nsISupports = 0xde3598}, <No data fields>}, mAppProvider = {<nsCOMPtr_base> = {mRawPtr = 0x0}, <No data fields>}, mGREDir = {<nsCOMPtr_base> = {mRawPtr = 0x7f7aeca1d300}, <No data fields>}, mXULAppDir = {<nsCOMPtr_base> = {mRawPtr = 0x7f7aeca1d180}, <No data fields>}, mProfileDir = {<nsCOMPtr_base> = {mRawPtr = 0x7f7aead49180}, <No data fields>}, mProfileLocalDir = {<nsCOMPtr_base> = {mRawPtr = 0x7f7aead49240}, <No data fields>}, mProfileNotified = 1 '\001', mExtensionsLoaded = 1 '\001', mAppBundleDirectories = {<nsCOMArray_base> = {mArray = {mImpl = 0x0}}, <No data fields>}, mExtensionDirectories = {<nsCOMArray_base> = {mArray = {mImpl = 0x0}}, <No data fields>}, mThemeDirectories = {<nsCOMArray_base> = {mArray = {mImpl = 0x0}}, <No data fields>}} desktopStartupIDPtr = <value optimized out> nativeApp = {<nsCOMPtr_base> = {mRawPtr = 0x7f7aecaf3c70}, <No data fields>} startOffline = <value optimized out> profileName = {<nsFixedCString> = {<nsCString> = {<nsACString_internal> = {mData = 0x7f7aead46168 "default", mLength = 7, mFlags = 65541}, <No data fields>}, mFixedCapacity = 63, mFixedBuf = 0x7fffe40f9e20 ""}, mStorage = "\000s\240\354z\177\000\000]U\303\366z\177\000\000\310s\240\354z\177\000\000Ey\303\366z\177\000\000О\017\344\377\177\000\000\345s\240\354z\177\000\000\345s\240\354z\177\000\000ha\303\366z\177\000"} upgraded = -468739072 versionOK = <value optimized out> appInitiatedRestart = <value optimized out> desktopStartupID = {<nsFixedCString> = {<nsCString> = {<nsACString_internal> = {mData = 0x7fffe40f9e80 "", mLength = 0, mFlags = 65553}, <No data fields>}, mFixedCapacity = 63, mFixedBuf = 0x7fffe40f9e80 ""}, mStorage = "\000\000\306\366z\177\000\000\200\000\242\354z\177\000\000(\237\017\344\377\177\000\000Ey\303\366z\177\000\000\300С\354z\177\000\000\200\000\242\354z\177\000\000\200\000\242\354z\177\000\000\206\316D\000\000\000\000"} display_name = <value optimized out> xremotearg = <value optimized out> canRun = 1 profileLock = {<nsCOMPtr_base> = {mRawPtr = 0x7f7aead47330}, <No data fields>} profD = {<nsCOMPtr_base> = {mRawPtr = 0x7f7aead49180}, <No data fields>} version = {<nsFixedCString> = {<nsCString> = {<nsACString_internal> = {mData = 0x7fffe40f9dc0 "3.0.5pre_20100410111856/20100410111856", mLength = 38, mFlags = 65553}, <No data fields>}, mFixedCapacity = 63, mFixedBuf = 0x7fffe40f9dc0 "3.0.5pre_20100410111856/20100410111856"}, mStorage = "3.0.5pre_20100410111856/20100410111856\000\000\233jE", '\000' <repeats 14 times>, "\b\250í\215\062\221"} needsRestart = 0 display = 0x7f7aeca85190 osABI = {<nsCString> = {<nsACString_internal> = {mData = 0xde27ee "Linux_x86_64-gcc3", mLength = 17, mFlags = 1}, <No data fields>}, <No data fields>} rv = 0 gtkModules = <value optimized out> appData = {<nsXREAppData> = {size = 112, directory = 0x7f7aeca1d180, vendor = 0x0, name = 0x7f7aeca1c0f0 "Thunderbird", version = 0x7f7aeca1c100 "3.0.5pre", buildID = 0x7f7aeca1c110 "20100410111856", ID = 0x7f7aeca09250 "{3550f703-e582-4d05-9a08-453d09bdfdc6}", copyright = 0x7f7aeca09280 "Copyright (c) 1998-2010 mozilla.org", flags = 6, xreDirectory = 0x7f7aeca1d300, minVersion = 0x7f7aeca1c120 "1.9.1.10pre", maxVersion = 0x7f7aeca1c130 "1.9.1.10pre", crashReporterURL = 0x7f7aeca092b0 "https://crash-reports.mozilla.com/submit", profile = 0x0}, <No data fields>} localIniFile = {<nsCOMPtr_base> = {mRawPtr = 0x7f7aeca1d240}, <No data fields>} parser = {mSections = {<nsBaseHashtable<nsDepCharHashKey, nsAutoPtr<nsINIParser_internal::INIValue>, nsINIParser_internal::INIValue*>> = {<nsTHashtable<nsBaseHashtableET<nsDepCharHashKey, nsAutoPtr<nsINIParser_internal::INIValue> > >> = {mTable = {ops = 0x7f7af6e8c5c0, data = 0x0, hashShift = 28, maxAlphaFrac = 192 '\300', minAlphaFrac = 64 '@', entrySize = 24, entryCount = 1, removedCount = 0, generation = 0, entryStore = 0x7f7aeca22300 ""}}, <No data fields>}, <No data fields>}, mFileContents = {mRawPtr = 0x7f7aeca07480 "[Build"}} ar = <value optimized out> override = 0x0 iniFile = {<nsCOMPtr_base> = {mRawPtr = 0x7f7aeca1d240}, <No data fields>} i = <value optimized out> #61 0x0000000000445610 in main (argc=2, argv=0x7fffe40fa048) at nsMailApp.cpp:103 rv = 3826219744 appData = 0x7f7aeca20080 appini = {<nsCOMPtr_base> = {mRawPtr = 0x7f7aeca1d0c0}, <No data fields>} result = <value optimized out>
Component: Message Compose Window → Editor
Product: Thunderbird → Core
QA Contact: message-compose → editor
Summary: Holding Ctrl-Backspace from the middle of a sentence causes a crash. → Holding Ctrl-Backspace from the middle of a sentence causes a crash. [@ nsEditor::CreateTxnForDeleteCharacter]
Version: 3.0 → 1.9.1 Branch
Whiteboard: [tbird crash]
WFM on Mozilla/5.0 (X11; U; Linux i686 (x86_64); en-US; rv:1.9.3a6pre) Gecko/20100614 Shredder/3.2a1pre.
Status: UNCONFIRMED → RESOLVED
Closed: 14 years ago
Resolution: --- → WORKSFORME
I don't think it is valid to close this bug just because it works in 3.2. The stable branch is still 3.0, and I still get the crash on: Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.1.11pre) Gecko/20100531 Shredder/3.0.6pre
Status: RESOLVED → UNCONFIRMED
Resolution: WORKSFORME → ---
Can you submit a breakpad ID please?
I actually do not get any crash dump :( I'm using a ubuntu-mozilla-daily ppa for Ubuntu 9.10. I think that's the official Mozilla respositiory. I'm really not sure why it does not have breakpad enabled. But, I did attach a call stack above.
(In reply to comment #6) > I actually do not get any crash dump :( > > I'm using a ubuntu-mozilla-daily ppa for Ubuntu 9.10. I think that's > the official Mozilla respositiory. I'm really not sure why it does not because it's not and breakpad is disabled there. http://ftp.mozilla.org/pub/mozilla.org/thunderbird/nightly/latest-comm-1.9.1/ will have breakpad enabled.
Tried the download above. It's a 32-bit binary, which causes some compatibility issues with system libraries. However, it does not crash. Are there 64-bit nightlies with Breakpad?
(In reply to comment #8) > Tried the download above. It's a 32-bit binary, which causes some compatibility > issues with system libraries. However, it does not crash. Are there 64-bit > nightlies with Breakpad? No. However, judging from the backtrace that you have included, this is a logic error, not a 64-bit specific error. You should be able to run a stock 32-bit build on any distro which comes with 32-bit libraries.
The build runs, but has some issues linking to some GNOME libraries. Regardless, the stock build does not crash. If this is not a 64-bit bug, I think it might be good for the PPA maintainers to look at this. I'm e-mailing this bug ID to one of them, Fabien Tassin.
So, I have a scenario on why the crash is happening. This is artificial, but I'm fairly positive about most of it. The crash itself is array bounds checking 101. It happens here: <http://mxr.mozilla.org/mozilla1.9.1/source/editor/libeditor/base/nsEditor.cpp#4916> because aOffset is 0, so segOffset will be -1, and we'll be trying to a access the -1'th array item... But what causes this to not happen for every case where you try to press ctrl+backspace at the beginning of a text area is this code: <http://mxr.mozilla.org/mozilla1.9.1/source/editor/libeditor/text/nsTextEditRules.cpp#945> which in the normal cases should leave the selection as is, and set aCollapsedAction to eNone, which causes the crashing code to never be called. So, something is probably failing which causes ExtendCharacterForDelete not to be called, which causes the code in question to be called and crash us. I think this code should be fixed anyways. It's clearly accessing mmeory in an unsafe way, and it will some day bite us anyway.
(In reply to comment #10) > The build runs, but has some issues linking to some GNOME libraries. > Regardless, the stock build does not crash. > > If this is not a 64-bit bug, I think it might be good for the PPA maintainers > to look at this. I'm e-mailing this bug ID to one of them, Fabien Tassin. That's probably a good choice. Even though I'm going to attach a patch here, this might just be a bug in their patches which they apply on top of their repository.
Attached patch Patch (v1)Splinter Review
Assignee: nobody → ehsan
Status: UNCONFIRMED → ASSIGNED
Ever confirmed: true
Attachment #451433 - Flags: review?(roc)
Status: ASSIGNED → RESOLVED
Closed: 14 years ago14 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla1.9.3a6
Attachment #451433 - Flags: approval1.9.2.6?
Attachment #451433 - Flags: approval1.9.1.11?
Comment on attachment 451433 [details] [diff] [review] Patch (v1) Approved for 1.9.2.6 and 1.9.1.11, a=dveditz for release-drivers
Attachment #451433 - Flags: approval1.9.2.6?
Attachment #451433 - Flags: approval1.9.2.6+
Attachment #451433 - Flags: approval1.9.1.11?
Attachment #451433 - Flags: approval1.9.1.11+
Do we have a functioning STR for this bug? From Ehsan's comments, it isn't limited to 64-bit builds, right?
Whiteboard: [tbird crash] → [tbird crash] [qa-examined-191] [qa-needs-STR]
(In reply to comment #18) > Do we have a functioning STR for this bug? From Ehsan's comments, it isn't > limited to 64-bit builds, right? It shouldn't be. Comment 0 includes a set of STRs, but I never managed to get a crash using them. If you intend to use those, please make sure that you can get a build without these patches to crash, otherwise the STRs not crashing on the latest builds doesn't mean much.
I always verify the crash before I verify a fix, Ehsan. It's just part of best practices. Of course, if I can't repro the crash, it is more problematic.
(In reply to comment #20) > I always verify the crash before I verify a fix, Ehsan. It's just part of best > practices. Sorry if I sounded to teach the obvious to you. That wasn't definitely my intention. :-) > Of course, if I can't repro the crash, it is more problematic. Agreed. I'm afraid I don't have a good answer for this, though... :(
My plan for testing this is to wait for the patch to land in the Ubuntu tree that was crashing, and verify that the crash stops. Unfortunately, I have not yet heard anything from the tree maintainer. Is it true that the fix was checked into the 1.9.1.11 branch as of June 21st or so? If so, I think I should easily be able to verify fixed in 2-3 weeks at most.
Is it possible for you to try it on a nightly 1.9.1 build from http://ftp.mozilla.org/pub/mozilla.org/firefox/nightly/latest-mozilla-1.9.1/ in the next few days? We're going to code freeze on Friday for the 1.9.1.11 release.
or the nightly 1.9.2 builds as well since it is fixed in 1.9.1 and 1.9.2. I realized that this is Thunderbird specific though. http://ftp.mozilla.org/pub/mozilla.org/thunderbird/nightly/latest-comm-1.9.1/ and http://ftp.mozilla.org/pub/mozilla.org/thunderbird/nightly/latest-comm-1.9.2/
Depends on: 641466
Depends on: 646194
Crash Signature: [@ nsEditor::CreateTxnForDeleteCharacter]
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Created:
Updated:
Size: