Closed
Bug 802995
Opened 12 years ago
Closed 12 years ago
crash in nsTextServicesDocument::DeleteSelection while using spell checker
Categories
(Core :: DOM: Editor, defect)
Tracking
()
VERIFIED
FIXED
mozilla19
People
(Reporter: Usul, Assigned: ayg)
References
Details
(Keywords: crash, regression, Whiteboard: [tbird topcrash][TB16 regression][gs])
Crash Data
Attachments
(1 file)
1.46 KB,
patch
|
ehsan.akhgari
:
review+
lsblakk
:
approval-mozilla-aurora+
lsblakk
:
approval-mozilla-beta+
|
Details | Diff | Splinter Review |
This bug was filed from the Socorro interface and is
report bp-bba5f0ee-9249-4daa-b23f-58e7d2121016 .
=============================================================
0 xul.dll nsTextServicesDocument::DeleteSelection editor/txtsvc/src/nsTextServicesDocument.cpp:1387
1 xul.dll nsTextServicesDocument::InsertText editor/txtsvc/src/nsTextServicesDocument.cpp:1737
2 xul.dll mozSpellChecker::Replace extensions/spellcheck/src/mozSpellChecker.cpp:222
3 xul.dll nsEditorSpellCheck::ReplaceWord editor/composer/src/nsEditorSpellCheck.cpp:394
4 xul.dll NS_InvokeByIndex_P xpcom/reflect/xptcall/src/md/win32/xptcinvoke.cpp:70
5 xul.dll XPCWrappedNative::CallMethod js/xpconnect/src/XPCWrappedNative.cpp:2418
6 xul.dll XPC_WN_CallMethod js/xpconnect/src/XPCWrappedNativeJSOps.cpp:1474
7 mozjs.dll js::InvokeKernel js/src/jsinterp.cpp:344
8 mozjs.dll js::Interpret js/src/jsinterp.cpp:2442
9 mozjs.dll js::RunScript js/src/jsinterp.cpp:293
10 mozjs.dll js::InvokeKernel js/src/jsinterp.cpp:355
11 mozjs.dll js::Invoke js/src/jsinterp.cpp:387
12 mozjs.dll JS_CallFunctionValue js/src/jsapi.cpp:5604
13 xul.dll nsJSContext::CallEventHandler dom/base/nsJSEnvironment.cpp:1892
14 kernel32.dll SystemTimeToFileTime
15 @0xe1ea05f
Comments found in Crash-stats :
This has now happened 4 times, every time I start the spell checker. I have not tried rebooting yet.
I was spell checking a reply to an e-mail; then it just disapeared
Comment 1•12 years ago
|
||
another regression
vincent, roland, does this correlate to gsfn issue reported by vincent in tb-support-crew? can you hook up the topic URL/tag to this bug
also exists in TB17 bp-8165cfcf-acf3-4731-b889-6610e2121017
Crash Signature: [@ nsTextServicesDocument::DeleteSelection()] → [@ nsTextServicesDocument::DeleteSelection()]
[@ nsTextServicesDocument::DeleteSelection]
tracking-firefox17:
--- → ?
tracking-firefox-esr17:
--- → ?
Keywords: regression
Summary: crash in nsTextServicesDocument::DeleteSelection → crash in nsTextServicesDocument::DeleteSelection while using spell checker
Whiteboard: [tbird topcrash][TB16 regression][gs]
Version: 17 Branch → 16 Branch
Comment 2•12 years ago
|
||
I haven't heard of any crash related to spell check at this time...
Comment 3•12 years ago
|
||
Ehsan - can you help the TB guys out and take a look a this? I know you've done Editor work in the past. Thanks :)
Comment 4•12 years ago
|
||
Sure, I can help. Aryeh, can you please take a look and see if you find out anything?
Thanks!
Assignee: ehsan → ayg
Assignee | ||
Comment 5•12 years ago
|
||
The line of the crash was last changed by bug 763283 part 2, which uses ->AsContent() without a null check. Without digging to see how exactly this could happen, that seems like the obvious reason for the crash. The regression should be in 16 in that case, which seems to be what happened.
Status: NEW → ASSIGNED
Assignee | ||
Comment 6•12 years ago
|
||
The original code before bug 763283 was
if (mIteratorStatus != nsTextServicesDocument::eIsDone)
{
// The old iterator is still pointing to something valid,
// so get its current node so we can restore it after we
// create the new iterator!
curContent = do_QueryInterface(mIterator->GetCurrentNode());
}
so I changed it to better match that. No test, because I have no way to know how to reproduce. Try: https://tbpl.mozilla.org/?tree=Try&rev=6c0b12df1d34
Attachment #675087 -
Flags: review?(ehsan)
Updated•12 years ago
|
Attachment #675087 -
Flags: review?(ehsan) → review+
Comment 7•12 years ago
|
||
Comment 8•12 years ago
|
||
Comment on attachment 675087 [details] [diff] [review]
Add null check
[Approval Request Comment]
Bug caused by (feature/regressing bug #): bug 763283
User impact if declined: Thunderbird topcrash
Testing completed (on m-c, etc.): We can't reproduce the crash, but the fix is straightforward
Risk to taking this patch (and alternatives if risky): Minimal
String or UUID changes made by this patch: none.
Attachment #675087 -
Flags: approval-mozilla-beta?
Attachment #675087 -
Flags: approval-mozilla-aurora?
Comment 9•12 years ago
|
||
https://hg.mozilla.org/mozilla-central/rev/9a9ae8ce3b8d
Should this have a test?
Status: ASSIGNED → RESOLVED
Closed: 12 years ago
Flags: in-testsuite?
Resolution: --- → FIXED
Target Milestone: --- → mozilla19
Assignee | ||
Comment 10•12 years ago
|
||
Yes, if anyone can create one. We only know about the crash from crash reports, and don't have steps to reproduce, so we don't know how to write a test. It would probably take an excessive amount of work to test this.
Comment 11•12 years ago
|
||
Comment on attachment 675087 [details] [diff] [review]
Add null check
Risk is low enough, let's see if this takes down the volume on branches, approving.
Attachment #675087 -
Flags: approval-mozilla-beta?
Attachment #675087 -
Flags: approval-mozilla-beta+
Attachment #675087 -
Flags: approval-mozilla-aurora?
Attachment #675087 -
Flags: approval-mozilla-aurora+
Comment 12•12 years ago
|
||
https://hg.mozilla.org/releases/mozilla-aurora/rev/005b6a9a807e
https://hg.mozilla.org/releases/mozilla-beta/rev/a2cc1ba86817
status-firefox17:
--- → fixed
status-firefox18:
--- → fixed
Comment 14•12 years ago
|
||
Thanks for the fix.
v.fixed - no crash sigs in TB17.
But there some other sigs - bug 834487, and bug 835314
Status: RESOLVED → VERIFIED
You need to log in
before you can comment on or make changes to this bug.
Description
•