Closed Bug 82913 Opened 24 years ago Closed 24 years ago

Crash when rerooting an outliner

Categories

(Core :: XUL, defect, P2)

x86
Windows 2000
defect

Tracking

()

VERIFIED DUPLICATE of bug 83739
mozilla0.9.2

People

(Reporter: bugzilla, Assigned: waterson)

Details

(Keywords: crash)

I crash when trying to reroot an outliner dynamically (out-of-bounds access). This worked for trees; how do we safely unroot for outliners? We need this for history outliner rewrite. nsOutlinerRows::Subtree::operator[](int 2) line 124 + 40 bytes nsOutlinerRows::Link::GetRow() line 172 + 24 bytes nsOutlinerRows::iterator::operator*() line 216 + 24 bytes nsXULOutlinerBuilder::GetResourceFor(int 2) line 1294 + 35 bytes nsXULOutlinerBuilder::IsContainer(nsXULOutlinerBuilder * const 0x0379d880, int 2, int * 0x0012b16c) line 458 + 24 bytes XPTC_InvokeByIndex(nsISupports * 0x0379d880, unsigned int 9, unsigned int 2, nsXPTCVariant * 0x0012b15c) line 139 XPCWrappedNative::CallMethod(XPCCallContext & {...}, XPCWrappedNative::CallMode CALL_METHOD) line 1835 + 42 bytes XPC_WN_CallMethod(JSContext * 0x036fac20, JSObject * 0x036459b0, unsigned int 1, long * 0x038c4200, long * 0x0012b390) line 1241 + 11 bytes js_Invoke(JSContext * 0x036fac20, unsigned int 1, unsigned int 0) line 807 + 23 bytes js_Interpret(JSContext * 0x036fac20, long * 0x0012c134) line 2702 + 15 bytes js_Invoke(JSContext * 0x036fac20, unsigned int 1, unsigned int 2) line 824 + 13 bytes js_InternalInvoke(JSContext * 0x036fac20, JSObject * 0x036457c8, long 56908816, unsigned int 0, unsigned int 1, long * 0x0012c30c, long * 0x0012c25c) line 896 + 20 bytes JS_CallFunctionValue(JSContext * 0x036fac20, JSObject * 0x036457c8, long 56908816, unsigned int 1, long * 0x0012c30c, long * 0x0012c25c) line 3320 + 31 bytes nsJSContext::CallEventHandler(nsJSContext * const 0x036faba8, void * 0x036457c8, void * 0x03645c10, unsigned int 1, void * 0x0012c30c, int * 0x0012c308, int 0) line 934 + 33 bytes nsJSEventListener::HandleEvent(nsJSEventListener * const 0x0379ce18, nsIDOMEvent * 0x0384587c) line 139 + 57 bytes nsEventListenerManager::HandleEventSubType(nsListenerStruct * 0x0379cec8, nsIDOMEvent * 0x0384587c, nsIDOMEventTarget * 0x037832a0, unsigned int 8, unsigned int 7) line 1119 + 20 bytes nsEventListenerManager::HandleEvent(nsEventListenerManager * const 0x03782ec8, nsIPresContext * 0x03728570, nsEvent * 0x0012ccd0, nsIDOMEvent * * 0x0012cc64, nsIDOMEventTarget * 0x037832a0, unsigned int 7, nsEventStatus * 0x0012ccf8) line 1718 + 36 bytes nsXULElement::HandleDOMEvent(nsXULElement * const 0x03783298, nsIPresContext * 0x03728570, nsEvent * 0x0012ccd0, nsIDOMEvent * * 0x0012cc64, unsigned int 1, nsEventStatus * 0x0012ccf8) line 3631 nsOutlinerSelection::FireOnSelectHandler() line 711 nsOutlinerSelection::AdjustSelection(nsOutlinerSelection * const 0x0381fc08, int 0, int 2) line 671 nsOutlinerBodyFrame::RowCountChanged(nsOutlinerBodyFrame * const 0x037f6bf4, int 0, int 2) line 1160 nsOutlinerBoxObject::RowCountChanged(nsOutlinerBoxObject * const 0x0381c218, int 0, int 2) line 345 + 20 bytes nsXULOutlinerBuilder::OpenContainer(int -1, nsIRDFResource * 0x027ed6e0) line 1335 nsXULOutlinerBuilder::Rebuild(nsXULOutlinerBuilder * const 0x0379d788) line 883 nsXULTemplateBuilder::AttributeChanged(nsXULTemplateBuilder * const 0x0379d790, nsIDocument * 0x03709448, nsIContent * 0x03783298, int 0, nsIAtom * 0x00da3f50, int -1) line 331 nsXULDocument::AttributeChanged(nsXULDocument * const 0x03709448, nsIContent * 0x03783298, int 0, nsIAtom * 0x00da3f50, int -1) line 1621 nsXULElement::SetAttribute(nsXULElement * const 0x03783298, nsINodeInfo * 0x0375b6c0, const nsAString & {...}, int 1) line 3056 nsXULElement::SetAttribute(nsXULElement * const 0x0378329c, const nsAString & {...}, const nsAString & {...}) line 1408 + 31 bytes XPTC_InvokeByIndex(nsISupports * 0x0378329c, unsigned int 30, unsigned int 2, nsXPTCVariant * 0x0012d698) line 139 XPCWrappedNative::CallMethod(XPCCallContext & {...}, XPCWrappedNative::CallMode CALL_METHOD) line 1835 + 42 bytes XPC_WN_CallMethod(JSContext * 0x036fac20, JSObject * 0x036457c8, unsigned int 2, long * 0x038c40d8, long * 0x0012d8cc) line 1241 + 11 bytes js_Invoke(JSContext * 0x036fac20, unsigned int 2, unsigned int 0) line 807 + 23 bytes js_Interpret(JSContext * 0x036fac20, long * 0x0012e670) line 2702 + 15 bytes js_Invoke(JSContext * 0x036fac20, unsigned int 1, unsigned int 2) line 824 + 13 bytes js_InternalInvoke(JSContext * 0x036fac20, JSObject * 0x03646408, long 56911568, unsigned int 0, unsigned int 1, long * 0x0012e848, long * 0x0012e798) line 896 + 20 bytes JS_CallFunctionValue(JSContext * 0x036fac20, JSObject * 0x03646408, long 56911568, unsigned int 1, long * 0x0012e848, long * 0x0012e798) line 3320 + 31 bytes nsJSContext::CallEventHandler(nsJSContext * const 0x036faba8, void * 0x03646408, void * 0x036466d0, unsigned int 1, void * 0x0012e848, int * 0x0012e844, int 0) line 934 + 33 bytes nsJSEventListener::HandleEvent(nsJSEventListener * const 0x0372c7d8, nsIDOMEvent * 0x0262085c) line 139 + 57 bytes nsEventListenerManager::HandleEventSubType(nsListenerStruct * 0x0374c028, nsIDOMEvent * 0x0262085c, nsIDOMEventTarget * 0x0372c6e0, unsigned int 8, unsigned int 7) line 1119 + 20 bytes nsEventListenerManager::HandleEvent(nsEventListenerManager * const 0x0372c760, nsIPresContext * 0x03728570, nsEvent * 0x0012f2f4, nsIDOMEvent * * 0x0012f1a0, nsIDOMEventTarget * 0x0372c6e0, unsigned int 7, nsEventStatus * 0x0012f340) line 2087 + 36 bytes nsXULElement::HandleDOMEvent(nsXULElement * const 0x0372c6d8, nsIPresContext * 0x03728570, nsEvent * 0x0012f2f4, nsIDOMEvent * * 0x0012f1a0, unsigned int 1, nsEventStatus * 0x0012f340) line 3631 PresShell::HandleDOMEventWithTarget(PresShell * const 0x03724638, nsIContent * 0x0372c6d8, nsEvent * 0x0012f2f4, nsEventStatus * 0x0012f340) line 5559 + 39 bytes nsMenuFrame::Execute() line 1423 nsMenuFrame::HandleEvent(nsMenuFrame * const 0x038a7a68, nsIPresContext * 0x03728570, nsGUIEvent * 0x0012f798, nsEventStatus * 0x0012f68c) line 399 PresShell::HandleEventInternal(nsEvent * 0x0012f798, nsIView * 0x038a3ed0, unsigned int 1, nsEventStatus * 0x0012f68c) line 5527 + 41 bytes PresShell::HandleEvent(PresShell * const 0x0372463c, nsIView * 0x038a3ed0, nsGUIEvent * 0x0012f798, nsEventStatus * 0x0012f68c, int 0, int & 1) line 5439 + 25 bytes nsView::HandleEvent(nsView * const 0x038a3ed0, nsGUIEvent * 0x0012f798, unsigned int 8, nsEventStatus * 0x0012f68c, int 0, int & 1) line 377 nsView::HandleEvent(nsView * const 0x038a3a78, nsGUIEvent * 0x0012f798, unsigned int 8, nsEventStatus * 0x0012f68c, int 0, int & 1) line 350 nsView::HandleEvent(nsView * const 0x038a1f08, nsGUIEvent * 0x0012f798, unsigned int 8, nsEventStatus * 0x0012f68c, int 0, int & 1) line 350 nsView::HandleEvent(nsView * const 0x03724150, nsGUIEvent * 0x0012f798, unsigned int 28, nsEventStatus * 0x0012f68c, int 1, int & 1) line 350 nsViewManager::DispatchEvent(nsViewManager * const 0x03728ee8, nsGUIEvent * 0x0012f798, nsEventStatus * 0x0012f68c) line 2056 HandleEvent(nsGUIEvent * 0x0012f798) line 68 nsWindow::DispatchEvent(nsWindow * const 0x038a3b44, nsGUIEvent * 0x0012f798, nsEventStatus & nsEventStatus_eIgnore) line 702 + 10 bytes nsWindow::DispatchWindowEvent(nsGUIEvent * 0x0012f798) line 723 nsWindow::DispatchMouseEvent(unsigned int 301, nsPoint * 0x00000000) line 4051 + 21 bytes ChildWindow::DispatchMouseEvent(unsigned int 301, nsPoint * 0x00000000) line 4298 nsWindow::ProcessMessage(unsigned int 514, unsigned int 0, long 2228233, long * 0x0012fba4) line 3021 + 24 bytes nsWindow::WindowProc(HWND__ * 0x00390298, unsigned int 514, unsigned int 0, long 2228233) line 957 + 27 bytes USER32! 77e13eb0() USER32! 77e1401a() USER32! 77e192da() nsAppShellService::Run(nsAppShellService * const 0x00ce1ad0) line 418 main1(int 1, char * * 0x00358908, nsISupports * 0x00000000) line 1128 + 32 bytes main(int 1, char * * 0x00358908) line 1426 + 37 bytes mainCRTStartup() line 338 + 17 bytes KERNEL32! 77e87903()
I'll be posting patches to bug 73857 soon if you need a testcase.
Keywords: crash, mozilla0.9.2
Status: NEW → ASSIGNED
Priority: -- → P2
Target Milestone: --- → mozilla0.9.2
The patch in bug 83739 might fix this. Give it a shot, blakester.
The fix for 83739 fixes this as well.
Depends on: 83739
Dup'ing to bug 83739, which hewitt has in the bag. *** This bug has been marked as a duplicate of 83739 ***
Status: ASSIGNED → RESOLVED
Closed: 24 years ago
No longer depends on: 83739
Resolution: --- → DUPLICATE
verify duplicate, per smart people above.
Status: RESOLVED → VERIFIED
Component: XP Toolkit/Widgets: Trees → XUL
QA Contact: jrgmorrison → xptoolkit.widgets
You need to log in before you can comment on or make changes to this bug.