Closed Bug 774856 Opened 12 years ago Closed 12 years ago

Firefox crashes when our js spellchecker runs and update rich text area.

Categories

(Core :: Spelling checker, defect)

Product:
Core
Component:
Spelling checker
Version:
14 Branch
Platform:
x86_64
Windows 7
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
RESOLVED DUPLICATE of bug 722039

People

(Reporter: hokamoto, Unassigned, NeedInfo)

Details

(Keywords: crash)

Crash Data

User Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:14.0) Gecko/20100101 Firefox/14.0.1
Build ID: 20120713134347

Steps to reproduce:

We have our own javascript based spellchecker which accesses to our spellcheck service.  When our spellcheck is done in a editable body,  Firefox crashes.  The crash happens only with specific strings.

For example, if the user types the following 2 lines
------------------
amy 
Cc: amy, amy
------------------
then after running our spellchecker,  then Firefox crashes.



Actual results:

Firefox crashed after our spellchecker completed.
The crash-stat is here - https://crash-stats.mozilla.com/report/index/bp-bdf3716a-f059-49e1-bb19-ff58d2120717

Looks like, after our spellcheck completed, updated the rich text area, and displayed window.alert with complete message,  Firefox's mozInlineSpellChecker started to run,  then Firefox crashed.

Here is the crash thread:
Frame 	Module 	Signature 	Source
0 	xul.dll 	nsRefPtr<mozilla::places::Database>::~nsRefPtr<mozilla::places::Database> 	obj-firefox/dist/include/nsAutoPtr.h:908
1 	xul.dll 	RangeData::`scalar deleting destructor' 	
2 	xul.dll 	nsTArrayElementTraits<RangeData>::Destruct 	obj-firefox/dist/include/nsTArray.h:380
3 	xul.dll 	nsTArray<RangeData,nsTArrayDefaultAllocator>::DestructRange 	obj-firefox/dist/include/nsTArray.h:1243
4 	xul.dll 	nsTArray<RangeData,nsTArrayDefaultAllocator>::RemoveElementsAt 	obj-firefox/dist/include/nsTArray.h:963
5 	xul.dll 	nsTypedSelection::AddItem 	layout/generic/nsSelection.cpp:3783
6 	xul.dll 	nsTypedSelection::addTableCellRange 	layout/generic/nsSelection.cpp:3163
7 	xul.dll 	nsTypedSelection::AddRange 	layout/generic/nsSelection.cpp:4731
8 	xul.dll 	mozInlineSpellChecker::DoSpellCheck 	extensions/spellcheck/src/mozInlineSpellChecker.cpp:1431
9 	xul.dll 	mozInlineSpellChecker::ResumeCheck 	extensions/spellcheck/src/mozInlineSpellChecker.cpp:1522
10 	xul.dll 	mozInlineSpellResume::Run 	extensions/spellcheck/src/mozInlineSpellChecker.cpp:496
11 	xul.dll 	nsThread::ProcessNextEvent 	xpcom/threads/nsThread.cpp:656
12 	xul.dll 	NS_InvokeByIndex_P 	xpcom/reflect/xptcall/src/md/win32/xptcinvoke.cpp:102
13 	xul.dll 	XPC_WN_CallMethod 	js/xpconnect/src/XPCWrappedNativeJSOps.cpp:1554
14 	xul.dll 	xul.dll@0x1a231f 	
15 	mozjs.dll 	js::InvokeKernel 	js/src/jsinterp.cpp:519
16 	mozjs.dll 	js::Interpret 	js/src/jsinterp.cpp:1805
17 	mozjs.dll 	JSScript::makeAnalysis 	js/src/jsinfer.cpp:5372
18 	mozjs.dll 	js::RunScript 	js/src/jsinterp.cpp:475
19 	mozjs.dll 	js::InvokeKernel 	js/src/jsinterp.cpp:535
20 	mozjs.dll 	js::Invoke 	js/src/jsinterp.cpp:567
21 	mozjs.dll 	JS_CallFunctionValue 	js/src/jsapi.cpp:5429
22 	xul.dll 	nsXPCWrappedJSClass::CallMethod 	js/xpconnect/src/XPCWrappedJSClass.cpp:1509
23 	xul.dll 	nsXPCWrappedJS::CallMethod 	js/xpconnect/src/XPCWrappedJS.cpp:617
24 	xul.dll 	PrepareAndDispatch 	xpcom/reflect/xptcall/src/md/win32/xptcstubs.cpp:117
25 	xul.dll 	SharedStub 	xpcom/reflect/xptcall/src/md/win32/xptcstubs.cpp:144
26 	xul.dll 	nsGlobalWindow::Alert 	dom/base/nsGlobalWindow.cpp:4841
27 	xul.dll 	nsGlobalWindow::Alert 	dom/base/nsGlobalWindow.cpp:4776
28 	xul.dll 	NS_InvokeByIndex_P 	xpcom/reflect/xptcall/src/md/win32/xptcinvoke.cpp:102
29 	xul.dll 	XPC_WN_CallMethod 	js/xpconnect/src/XPCWrappedNativeJSOps.cpp:1554
30 	mozjs.dll 	js::types::TypeSet::addType 	js/src/jsinferinlines.h:1128
31 	mozjs.dll 	js::types::TypeMonitorResult 	js/src/jsinfer.cpp:4971
32 	mozjs.dll 	js::types::TypeMonitorResult 	js/src/jsinfer.cpp:4971





Expected results:

Firefox should not have crashed.
How can I reproduce the crash ?
Is a public testcase available ?
Severity: normal → critical
Crash Signature: [@ nsRefPtr<mozilla::places::Database>::~nsRefPtr<mozilla::places::Database>() | RangeData::`scalar deleting destructor''(unsigned int) ]
Component: Untriaged → Spelling checker
Keywords: crash
Product: Firefox → Core
Please comment in bug 722039.
Status: UNCONFIRMED → RESOLVED
Closed: 12 years ago
Resolution: --- → DUPLICATE
Hiroyuki-san, thank you for the detailed bug report.  I would very much like to
fix this bug for you, but unfortunately we haven't yet found a way to reproduce
the problem in Firefox, which makes the bug hard to analyze and fix.  Would you
to let us (Mozilla) use your spellchecker for the purpose of fixing this crash?

Also, does the problem still occur in the latest version of Firefox?
Flags: needinfo?(hokamoto)
You need to log in before you can comment on or make changes to this bug.