
Regression: Crash when select the bullet icon from compose window




19 years ago
16 years ago


(Reporter: fenella, Assigned: Joe Francis)







19 years ago
RE: Win32 and Mac (1999-06-08-08 m7)
1. Run apprunner, open messenger from Task
2. Click on the New Msg button to open a compose window
3. Enter email address in the To: field and enter text in the Subject field, no
3. Click on the bullet icon, crash occurs here.
On Mac, this crashes the system
On Win_nt 4.0, apprunner crashes
Unable to test Linux
Talkback will follow.


19 years ago
Summary: Regression: Crash when select the bullet icon from compose window → Regression: Crash when select the bullet icon from compose window

Comment 1

19 years ago
Fenella, does the regular Editor (from browser window, choose Tasks | Editor)
also have this problem?  If so, pls change the product to Browser and component
to Editor.


19 years ago
Assignee: phil → ducarroz
Target Milestone: M7

Comment 2

19 years ago
Reassign to ducarroz, cc buster. M7 since it's a regression.


19 years ago
Target Milestone: M7

Comment 3

19 years ago
Lisa, when I use the editor to click on the bullet or number icon, it does not
The crash occurs in the compose window only.  It also occurs when I click on the
number icon.  However, if I type some text in the body first, and then click on
the bullet or the number icon, apprunner won't crash.


19 years ago
Component: Back End → XPConnect

Comment 4

19 years ago
I can't reproduce this in either the editor or the mail compose window.

Comment 5

19 years ago
This also occurs on Linux.  Crash is consistently reproducible.
In order for it to crash, you must click on the Bullet icon or the Number List
Item icon first. If you type anything in the Body first, then click on these
icons, it won't crash.

Here is the Linux stack trace:

#0  0x40acc441 in nsRangeList::Extend ()
#1  0x40d34911 in nsAutoSelectionReset::~nsAutoSelectionReset ()
#2  0x40d45cb5 in nsHTMLEditor::InsertList ()
#3  0x40739189 in nsEditorAppCore::InsertList ()
#4  0x4074324d in NS_NewScriptDOMPropsCore ()
#5  0x40350fe2 in js_Invoke ()
#6  0x40356c36 in js_Interpret ()
#7  0x40351030 in js_Invoke ()
#8  0x40356c36 in js_Interpret ()
#9  0x40351030 in js_Invoke ()
#10 0x403511d5 in js_CallFunctionValue ()
#11 0x4033c089 in JS_CallFunctionValue ()
#12 0x402e3128 in nsJSEventListener::HandleEvent ()
#13 0x4098e2c1 in nsEventListenerManager::HandleEvent ()
#14 0x407adfd0 in RDFElementImpl::HandleDOMEvent ()
#15 0x4098fd66 in nsEventStateManager::CheckForAndDispatchClick ()
#16 0x4098f2dc in nsEventStateManager::PostHandleEvent ()
#17 0x409b61c9 in PresShell::HandleEvent ()
#18 0x40c0549d in nsView::HandleEvent ()
#19 0x40c0cd11 in nsViewManager::DispatchEvent ()
#20 0x40c03f4e in _init ()
#21 0x400b4596 in nsWidget::DispatchEvent ()
#22 0x400b44ed in nsWidget::DispatchWindowEvent ()
---Type <return> to continue, or q <return> to quit---
#23 0x400b4613 in nsWidget::DispatchMouseEvent ()
#24 0x400b4c2f in nsWidget::OnButtonReleaseSignal ()
#25 0x400b4eff in nsWidget::ButtonReleaseSignal ()
#26 0x80c39a4 in gtk_window_set_default_size ()
#27 0x809c7ff in gtk_signal_connect_object ()
#28 0x809be86 in gtk_signal_connect_object ()
#29 0x809a5c2 in gtk_selection_data_set ()
#30 0x80bc0ec in gtk_widget_size_request ()
#31 0x8085741 in gtk_get_current_event ()
#32 0x8084ce2 in gtk_main_iteration_do ()
#33 0x80d33b7 in gdk_input_add ()
#34 0x80e633c in g_list_length ()
#35 0x80e67b7 in g_list_length ()
#36 0x80e68d1 in g_main_iteration ()
#37 0x80847f7 in gtk_main ()
#38 0x400aa587 in nsAppShell::Run ()
#39 0x40018fd6 in nsAppShellService::Run ()
#40 0x805156a in main ()

Comment 6

19 years ago
FYI -- Using jun8 build I'm seeing a crash on Linux when using the indent or
text alignment buttons also.

Comment 7

19 years ago
I forgot to mention the build for Linux's crash (1999-06-08-08 M7)
On win_nt, here is the Incident ID for the crash
Talkback stack trace as follows:

   raptorhtml.dll + 0xc0ff (0x016ec0ff)
   ender.dll + 0x5e9c (0x02635e9c)
   appcores.dll + 0xddd5 (0x0167ddd5)
   appcores.dll + 0x10114 (0x01680114)
   js3250.dll + 0x1333d (0x0032333d)
   js3250.dll + 0x16d08 (0x00326d08)
   js3250.dll + 0x1337a (0x0032337a)
   js3250.dll + 0x16d08 (0x00326d08)
   js3250.dll + 0x1337a (0x0032337a)
   js3250.dll + 0x134aa (0x003234aa)
   js3250.dll + 0x384a (0x0031384a)
   jsdom.dll + 0x12fb8 (0x013b2fb8)
   raptorhtml.dll + 0x819cd (0x017619cd)
   rdf.dll + 0x1b7e7 (0x016bb7e7)
   raptorhtml.dll + 0x825e6 (0x017625e6)
   raptorhtml.dll + 0x820a0 (0x017620a0)
   raptorhtml.dll + 0x23bae (0x01703bae)
   raptorview.dll + 0x1d4b (0x018f1d4b)
   raptorview.dll + 0x63b7 (0x018f63b7)
   raptorview.dll + 0x23fa (0x018f23fa)
   raptorwidget.dll + 0x4617 (0x01454617)
   raptorwidget.dll + 0x68ec (0x014568ec)
   raptorwidget.dll + 0x6b18 (0x01456b18)
   raptorwidget.dll + 0x46e7 (0x014546e7)
   USER32.dll + 0x13ed (0x77e713ed)

When I do a search of raptorhtml.dll+++0xc0ff+(0x016ec0ff)+bc302c57 on
Http://lxr.mozilla.org, I got this message.  Hope this helps.

       ** Fatal: /raptorhtml.dll+++0xc0ff+(0x016ec0ff)+bc302c57/: nested *?+ in
regexp at /opt/webtools/lxr.mozilla.org/find line 60, chunk 1.


19 years ago
Target Milestone: M7


19 years ago
Assignee: ducarroz → sfraser
I can reproduce the crash with Editor as well, just open the editor and right
away when the page is fully loaded and drawn, select the bullet icon.

Before the crash, I get the following assert message:

preCondition: "You can't dereference a NULL nsCOMPtr with operator->()."
(mRawPtr != 0) at file nsCOMPtr.h line 477

the stack is (on Mac):

Comment 9

19 years ago
A bug for Joe.
Assignee: sfraser → jfrancis


19 years ago
Product: MailNews → Browser
Target Milestone: M7 → M8

Comment 10

19 years ago
change product to browser; move to M8 per 6/15/99 meeting


19 years ago
Component: XPConnect → Editor

Comment 11

19 years ago
change component to editor

Comment 12

19 years ago
<Will update verah to add to M7 release notes>

Comment 13

19 years ago
I see this, too, on Linux (bring up editor and click on the unordered list
icon).  Stack trace is:
#0  0x40f33a35 in nsRangeList::Extend (this=0x81767b8, aParentNode=0x0,
    aOffset=1074230926) at nsRangeList.cpp:1841
#1  0x40929ca4 in nsAutoSelectionReset::~nsAutoSelectionReset (
    this=0xbfffde94, __in_chrg=2) at nsEditor.cpp:4050
#2  0x4094a991 in nsHTMLEditor::InsertList (this=0x8251740,
    aListType=@0xbfffdf80) at nsHTMLEditor.cpp:1741
#3  0x4095f010 in nsEditorShell::InsertList (this=0x82b9698,
    listType=0x822b628) at nsEditorShell.cpp:1653
Note that aParentNode is null.

Joe says that using the nsAutoSelectionReset probably isn't appropriate in
InsertList anyway.  I'm investigating.

Comment 14

19 years ago
For M7, I've checked in a fix for the crash (solution: don't use
nsAutoSelectionReset in InsertList).  Leaving the bug open since we need to
investigate alternate ways of setting the selection at the end of InsertList.
It also gives an ugly JS error if there's no selection; I assume that's covered
by other bugs on the focus handling issues.
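
An added illustration, not Mozilla code and not the fix that was checked in: a simplified C++ model of the failure discussed in comments 13 and 14, where a restore-on-destruction guard passes a null node to the selection code. All type and function names are hypothetical stand-ins, and the model assumes the guard captured no node because nothing was selected when the icon was clicked.

```cpp
#include <cstdio>

// Hypothetical stand-ins for this illustration; none of this is Mozilla code.
struct Node { const char* name; };

struct Selection {
    Node* anchor = nullptr;  // nullptr models "nothing selected yet"
    int offset = 0;
    int rejected = 0;        // null-parent calls refused instead of dereferenced
    bool Extend(Node* parent, int off) {
        if (!parent) { ++rejected; return false; }  // callee-side check
        anchor = parent;
        offset = off;
        return true;
    }
};

// RAII guard: records the selection on entry and restores it on scope exit.
class AutoSelectionReset {
    Selection& sel_;
    Node* node_;
    int offset_;
public:
    explicit AutoSelectionReset(Selection& s)
        : sel_(s), node_(s.anchor), offset_(s.anchor ? s.offset : 0) {}
    ~AutoSelectionReset() {
        // Caller-side check: with no saved selection there is nothing to restore.
        if (node_) sel_.Extend(node_, offset_);
    }
};

// Model edit: moves the caret into the new list while the guard is alive,
// then reports where the selection ends up once the guard has run.
Node* InsertListModel(Selection& sel, Node& list) {
    {
        AutoSelectionReset guard(sel);
        sel.anchor = &list;
        sel.offset = 0;
    }
    return sel.anchor;
}

int main() {
    Node body{"body"}, list{"ul"};
    Selection empty;  // constructed case: icon clicked before typing anything
    Selection typed; typed.anchor = &body; typed.offset = 3;  // text typed first
    std::printf("empty -> %s\n", InsertListModel(empty, list)->name);
    std::printf("typed -> %s\n", InsertListModel(typed, list)->name);
}
```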


19 years ago
Last Resolved: 19 years ago
Resolution: --- → FIXED

Comment 15

19 years ago
InsertList has been reworked and no longer has this bug.  Marking fixed.

Comment 16

19 years ago
Is your fix for M7 or M8 (which this bug is marked for target milestone)?

Comment 17

19 years ago
Mac and Win32 (1999-06-17-08 m7)
Selecting the bullet icon no longer crashes.
Unable to verify on Linux, today's build is broken


19 years ago

Comment 18

19 years ago
Verify that the problem has been fixed on Linux (1999-06-18-09 m7)