91447 - highlight a specific irc user's text

Status: ASSIGNED

(Other Applications :: ChatZilla, enhancement)

Description

[Alfonso Martinez]

From Bugzilla Helper:
User-Agent: Mozilla/5.0 (Windows; U; Win98; en-US; rv:0.9.2+) Gecko/20010718
BuildID:    2001071803

After installing chatzilla 0.8.4 (with some problems by the way), now whenever I
close mozilla after being using chatzilla a crash appears

Reproducible: Always
Steps to Reproduce:
1. Install chatzilla 0.8.4 (may need to install it twice to get it working)
2. Open chatzilla and then close it
3. Now when mozilla it's closed a crash will happen

Actual Results:  
MOZILLA provocó un error de página no válida en el 
módulo <desconocido> de 0084:01caa982.
Registros:
EAX=02076af7 CS=015f EIP=01caa982 EFLGS=00010282
EBX=60f60398 SS=0167 ESP=0068fa34 EBP=0068fa78
ECX=01caa980 DS=0167 ESI=020768e0 FS=37ef
EDX=0000003f ES=0167 EDI=00000010 GS=0000
Bytes en CS:EIP:
,02x ,02x ,02x ,02x ,02x ,02x ,02x ,02x ,02x ,02x ,02x ,02x ,02x ,02x ,02x ,02x 
Volcado de pila:
,08x ,08x ,08x ,08x ,08x ,08x ,08x ,08x ,08x ,08x ,08x ,08x ,08x ,08x ,08x ,08x 

Expected Results:  No crash

talkback IDs related to this:

TB33078837K
TB33078582Q
TB33078393X
TB33062543Q

not sure if this one is related (didn't close any window, just full system crashed):
TB33058278M

and of course, this is s regression, please, don't check in chatzilla 0.8.4 still.

Comment 1

[Samuel Sieb]

It seems to only happen on Win98.  I wonder if it's related to the difficulty
installing chatzilla on Win98.

Comment 2

[Samuel Sieb]

I installed mozilla without chatzilla and then installed it from the hacksrus
page.  It installed fine, but still crashed on exit of mozilla.

Very easy to reproduce:
  Start mozilla
  Open chatzilla
  Close chatzilla
  Close mozilla windows

Result: crash dialog (illegal operation)

This happens even when chatzilla is started from the command line.

In about 15 tries, there have been 2 exceptions: once it exited cleanly, and
once there was no crash dialog, but the mozilla process was stuck in the task list.

Comment 3

[Samuel Sieb]

I see it on Linux as well.

Comment 4

[Samuel Sieb]

Here's a stack trace on Linux:

Program received signal SIGSEGV, Segmentation fault.
#0  0x0000003b in __strtol_internal (nptr=0x85d7d20 "Ю╒Ш@пи]\b\020",
    endptr=0x3, base=-1073745336, group=1074812806) at eval.c:43
#1  0x401057aa in _hashFreeEntry () at eval.c:41
#2  0x401056b7 in PL_HashTableFinalize () at eval.c:41
#3  0x401058e9 in nsHashtable::~nsHashtable () at eval.c:41
#4  0x40e2eb2d in CSSStyleSheetInner::~CSSStyleSheetInner ()
   from /usr/src/temp/mozilla/dist/bin/components/libgkcontent.so
#5  0x40e2ebf5 in CSSStyleSheetInner::RemoveSheet ()
   from /usr/src/temp/mozilla/dist/bin/components/libgkcontent.so
#6  0x40e2f439 in CSSStyleSheetImpl::~CSSStyleSheetImpl ()
   from /usr/src/temp/mozilla/dist/bin/components/libgkcontent.so
#7  0x40e2f696 in CSSStyleSheetImpl::Release ()
   from /usr/src/temp/mozilla/dist/bin/components/libgkcontent.so
#8  0x401069ae in nsSupportsHashtable::ReleaseElement () at eval.c:41
#9  0x401057d7 in _hashEnumerate () at eval.c:41
#10 0x401a3523 in PL_HashTableEnumerateEntries () at eval.c:41
#11 0x40105c23 in nsHashtable::Enumerate () at eval.c:41
#12 0x401069eb in nsSupportsHashtable::~nsSupportsHashtable () at eval.c:41
#13 0x40e89efe in nsXULPrototypeCache::~nsXULPrototypeCache ()
   from /usr/src/temp/mozilla/dist/bin/components/libgkcontent.so
#14 0x40e89f8d in nsXULPrototypeCache::Release ()
   from /usr/src/temp/mozilla/dist/bin/components/libgkcontent.so
#15 0x401397cc in nsServiceManagerImpl::ReleaseService () at eval.c:41
#16 0x40139adf in nsServiceManagerImpl::ReleaseService () at eval.c:41
#17 0x40139d39 in nsServiceManager::ReleaseService () at eval.c:41
#18 0x40ec6f32 in nsXBLService::~nsXBLService ()
   from /usr/src/temp/mozilla/dist/bin/components/libgkcontent.so
#19 0x40ec69b2 in nsXBLService::Release ()
   from /usr/src/temp/mozilla/dist/bin/components/libgkcontent.so
#20 0x4013928c in DeleteEntry () at eval.c:41
#21 0x40105c50 in _hashEnumerateRemove () at eval.c:41
#22 0x401a3523 in PL_HashTableEnumerateEntries () at eval.c:41
#23 0x40105ccd in nsHashtable::Reset () at eval.c:41
#24 0x40106941 in nsObjectHashtable::Reset () at eval.c:41
#25 0x40106849 in nsObjectHashtable::~nsObjectHashtable () at eval.c:41
#26 0x40139371 in nsServiceManagerImpl::~nsServiceManagerImpl () at eval.c:41
#27 0x401393e6 in nsServiceManagerImpl::Release () at eval.c:41
#28 0x40139bae in nsServiceManager::ShutdownGlobalServiceManager ()
    at eval.c:41
#29 0x4010072b in NS_ShutdownXPCOM () at eval.c:41
#30 0x08051c11 in main () at eval.c:41
#31 0x404bbf11 in __libc_start_main (main=0x8051ac0 <main>, argc=2,
    ubp_av=0xbffff8e4, init=0x804b6bc <_init>, fini=0x8053b24 <_fini>,
    rtld_fini=0x4000e214 <_dl_fini>, stack_end=0xbffff8dc)
    at ../sysdeps/generic/libc-start.c:129

Comment 5

[Samuel Sieb]

cc'ing glazman@netscape.com, because it appears that something is getting
corrupted in the stylesheets at exit or getting corrupted during execution and
shows up at exit.

This may be due to the use of dynamic stylesheet rules (modified at runtime).

Comment 6

[Samuel Sieb]

The CSSStyleSheetInner object contains a hashtable called mRelevantAttributes. 
Somehow this hashtable is getting corrupted and when the CSSStyleSheetInner
object gets destroyed, the hashtable gets destroyed, but the hashtable
destructor dies when trying to delete one of the keys.

Comment 7

[Robert Ginda]

glazou: any comments?

Comment 8

[Samuel Sieb]

The line that sets up the crash to happen looks something like this:
var rule = frames[0].document.styleSheets[0].cssRules.item(0)

Comment 9

[Robert Ginda]

I'm commenting the offending code out of chatzilla 0.8.4 so we can land.

Comment 10

[Daniel Glazman (:glazou) (not active in Mozilla any more)]

styleSheet member of rule is only available if rule.type is a CSSImportRule
see 
http://lxr.mozilla.org/mozilla/source/extensions/irc/xul/content/static.js#757

Comment 11

[Robert Ginda]

Attachment: patch to put the highlight menu back in chatzilla

Comment 12

[Robert Ginda]

this patch puts the highlight menu back in chatzilla.  please apply it an see if
the crash returns.

Comment 13

[Daniel Glazman (:glazou) (not active in Mozilla any more)]

You should (a) test rules if null or not (b) not rely on selectorText to check
the rule's type. Please
prefer the following piece of code; r=glazman with this change made.

    function processStyleRules(rules)
    {
        if (rules)
          for (var i = 0; i < rules.length; ++i)
          {
            var rule = rules.item(i);
            if (rule.type == 1)
            {
              ary = rule.selectorText.
                      match(/\.chatzilla-highlight\[name=\"?([^\"]+)\"?\]/i);
              if (ary)
              {
                menuitem = document.createElement("menuitem");
                menuitem.setAttribute ("class", "highlight-menu-item");
                menuitem.setAttribute ("label", ary[1]);
                menuitem.setAttribute ("oncommand", "onPopupHighlight('" + 
                                        rule.style.cssText + "');");
                menuitem.setAttribute ("style", rule.style.cssText);
                menu.appendChild(menuitem);
              }
            }
            else if (rule.type == 3)
            {
              processStyleRules(rule.styleSheet.rules);
            }
        }
    }

Comment 14

[Samuel Sieb]

Changing the summary since this code didn't actually go into 0.8.4.

Comment 15

[Robert Ginda]

The css code to iterate rules seems to write to memory it doesn't own.  When we
enable the hightlight menu, people start to see strange things.  I promised to
write bz a testcase, but havn't had the chance.  Perhaps someone could try under
Purify?

The highlight menu can be enabled by pulling the CHATZILLA_0_8_5_BRANCH in
extensions/irc, and uncommenting the <menupopup id="highlightMenu"> in
popups.xul, and the //XXXcreateHighlightMenu(); in static.js.

Comment 16

[Christopher Whitt]

In bug 127726 Samuel Sieb speculated that this bug may be related to 127726
because of a similar crash stack.  127726 and others went away shortly after a
patch for bug 129620 was checked in.  I guess everybody's busy with 1.0, but if
this was the same crash as 127726, maybe somebody could check the highlight menu
again once things settle down.

Comment 17

[Samuel Sieb]

I checked out the highlight menu again and no crash on exit.

Comment 18

[Robert Ginda]

coooool.  We should spin a 0.8.6-pre xpi for this, to test better for a
potential 1.0 check-in.

Comment 19

[Robert Ginda]

I just posted a 0.8.7-pre1 xpi at <http://www.hacksrus.com/~ginda/chatzilla/>. 
Please test it and give feedback here.

Comment 20

[Robert Ginda]

Attachment: patch to enable the highlight menu again

I had to account for the fact that the stylesheet might not be loaded when
setClientOutput() is called.  Also, xul menus don't seem to be styleable
anymore.  Not sure why.  I've commented out the code that attempted to do so,
for now.

output-default.css redefined a few highlights that are already present in
output-base.css.

Comment 21

[nnooiissee]

TB4480689G. No go. Crash on exit. Chatzilla 0.8.7-pre1 [Mozilla/5.0 (Macintosh;
U; PPC; en-US; rv:0.9.9+) Gecko/20020325].

Also, as to functionality, clicking on a person's comment nick, rather than
comment text does not seem to work, and I can't highlight my own comments.

Comment 22

[Robert Ginda]

Attachment: talkback report for TB4480689G

Not being able to highlight your own messages is a known limitation, we'll have
to work that out later.

Comment 23

[Robert Ginda]

Attachment: another talkback

I just crashed closing the chatzilla window.  Here's the talkback.

Comment 24

[Samuel Sieb]

talkback on Win98 - TB4516008H

Comment 25

[Robert Ginda]

ssieb's talkback just says...
0x021dba87
0x00610aa6