Closed Bug 9870 Opened 25 years ago Closed 25 years ago

crash in range list with null "tempnode"

Categories

(Core :: DOM: Editor, defect, P1)

x86
Windows NT
defect

Tracking

VERIFIED FIXED

People

(Reporter: buster, Assigned: mozeditor)

The basic problem seems to be that tempnode in nsRangeList::FixupSelectionPoints
is null, and the code isn't ready to handle this case.

Bring up blank editor page
Type in some words
Double click a word, make it underlined using the toolbar button
Click somewhere else
Double click the underlined word
Click underline again
Crash.

Stack:
nsDebug::NotReached(char * 0x02065280, char * 0x02065254, int 0x00000378) line 186 + 13 bytes
GetTag(nsIDOMNode * 0x00000000) line 888 + 21 bytes
nsRangeList::FixupSelectionPoints(nsRangeList * const 0x025a06f0, nsIDOMRange * 0x02cc21b0, nsDirection * 0x0012de6c, int * 0x0012de7c) line 1737 + 18 bytes
nsRangeList::Extend(nsRangeList * const 0x025a06f4, nsIDOMNode * 0x02cc3c40, int 0x00000000) line 1977 + 33 bytes
nsTextEditor::SetTextPropertiesForNodeWithDifferentParents(nsTextEditor * const 0x02a97d30, nsIDOMRange * 0x02cc39b0, nsIDOMNode * 0x02cc2e50, int 0x00000005, nsIDOMNode * 0x02cc3c40, int 0x00000000, nsIDOMNode * 0x02a95a40, nsIAtom * 0x0135be90, const nsString * 0x0012e2a4, const nsString * 0x0012e264) line 2318 + 48 bytes
nsTextEditor::SetTextProperty(nsTextEditor * const 0x02a97d74, nsIAtom * 0x0135be90, const nsString * 0x0012e2a4, const nsString * 0x0012e264) line 481 + 93 bytes
nsHTMLEditor::SetTextProperty(nsHTMLEditor * const 0x02a97d74, nsIAtom * 0x0135be90, const nsString * 0x0012e2a4, const nsString * 0x0012e264) line 141
nsEditorShell::SetTextProperty(nsEditorShell * const 0x02ba4dd0, unsigned short * 0x02595940, unsigned short * 0x014f54e0, unsigned short * 0x014f54e0) line 449 + 47 bytes
XPTC_InvokeByIndex(nsISupports * 0x02ba4dd0, unsigned int 0x00000036, unsigned int 0x00000003, nsXPTCVariant * 0x0012e3dc) line 135
nsXPCWrappedNativeClass::CallWrappedMethod(JSContext * 0x0243e760, nsXPCWrappedNative * 0x02ba5d40, const XPCNativeMemberDescriptor * 0x0184b310, nsXPCWrappedNativeClass::CallMode CALL_METHOD, unsigned int 0x00000003, long * 0x017f1f38, long * 0x0012e5e4) line 511 + 44 bytes
WrappedNative_CallMethod(JSContext * 0x0243e760, JSObject * 0x026a42d0, unsigned int 0x00000003, long * 0x017f1f38, long * 0x0012e5e4) line 128
js_Invoke(JSContext * 0x0243e760, unsigned int 0x00000003, int 0x00000000) line 655 + 26 bytes
js_Interpret(JSContext * 0x0243e760, long * 0x0012ee10) line 2217 + 15 bytes
js_Invoke(JSContext * 0x0243e760, unsigned int 0x00000001, int 0x00000000) line 671 + 13 bytes
js_Interpret(JSContext * 0x0243e760, long * 0x0012f5f8) line 2217 + 15 bytes
js_Invoke(JSContext * 0x0243e760, unsigned int 0x00000001, int 0x00000000) line 671 + 13 bytes
js_InternalCall(JSContext * 0x0243e760, JSObject * 0x02629808, long 0x02629810, unsigned int 0x00000001, long * 0x0012f73c, long * 0x0012f744) line 749 + 15 bytes
JS_CallFunctionValue(JSContext * 0x0243e760, JSObject * 0x02629808, long 0x02629810, unsigned int 0x00000001, long * 0x0012f73c, long * 0x0012f744) line 2643 + 29 bytes
nsJSEventListener::HandleEvent(nsIDOMEvent * 0x02cc1960) line 97 + 34 bytes
nsEventListenerManager::HandleEvent(nsIPresContext & {...}, nsEvent * 0x0012f928, nsIDOMEvent * * 0x0012f8e4, unsigned int 0x00000003, nsEventStatus & nsEventStatus_eIgnore) line 586 + 21 bytes
RDFElementImpl::HandleDOMEvent(RDFElementImpl * const 0x02594960, nsIPresContext & {...}, nsEvent * 0x0012f928, nsIDOMEvent * * 0x0012f8e4, unsigned int 0x00000001, nsEventStatus & nsEventStatus_eIgnore) line 2351
nsEventStateManager::CheckForAndDispatchClick(nsEventStateManager * const 0x025862a0, nsIPresContext & {...}, nsMouseEvent * 0x0012fba0, nsEventStatus & nsEventStatus_eIgnore) line 671 + 31 bytes
nsEventStateManager::PostHandleEvent(nsEventStateManager * const 0x025862a0, nsIPresContext & {...}, nsGUIEvent * 0x0012fba0, nsIFrame * 0x0259b580, nsEventStatus & nsEventStatus_eIgnore, nsIView * 0x0246d720) line 194 + 24 bytes
PresShell::HandleEvent(PresShell * const 0x0246d5a4, nsIView * 0x0246d720, nsGUIEvent * 0x0012fba0, nsEventStatus & nsEventStatus_eIgnore) line 2087 + 43 bytes
nsView::HandleEvent(nsView * const 0x0246d720, nsGUIEvent * 0x0012fba0, unsigned int 0x0000001c, nsEventStatus & nsEventStatus_eIgnore, int & 0x00000000) line 833
nsViewManager::DispatchEvent(nsViewManager * const 0x0246dee0, nsGUIEvent * 0x0012fba0, nsEventStatus & nsEventStatus_eIgnore) line 1736
HandleEvent(nsGUIEvent * 0x0012fba0) line 67
nsWindow::DispatchEvent(nsWindow * const 0x0246d854, nsGUIEvent * 0x0012fba0, nsEventStatus & nsEventStatus_eIgnore) line 489 + 10 bytes
nsWindow::DispatchWindowEvent(nsGUIEvent * 0x0012fba0) line 514
nsWindow::DispatchMouseEvent(unsigned int 0x0000012d, nsPoint * 0x00000000) line 3195 + 15 bytes
ChildWindow::DispatchMouseEvent(unsigned int 0x0000012d, nsPoint * 0x00000000) line 3348
nsWindow::ProcessMessage(unsigned int 0x00000202, unsigned int 0x00000000, long 0x0041012f, long * 0x0012fdb4) line 2466 + 24 bytes

Severity: normal → critical
Priority: P3 → P1
Assignee: mjudge → jfrancis

Reproduced crash and it is crashing inside the nsRange Common Parent code. I
will send this one to Joe.

Status: NEW → ASSIGNED

Uuhhh, ok. That's not what the stack crawl says - I guess Mike is seeing a
different crash. I'll look into it.

Target Milestone: M10

Target Milestone: M10 → M11

As they say in Tap: These go to 11.

Mike: I think I fixed this, but I'm not sure what crash you saw (you didn't supply
details). Can you try this out again and see if it's gone?

Status: ASSIGNED → RESOLVED
Closed: 25 years ago
Resolution: --- → FIXED

Fixed.

Status: RESOLVED → VERIFIED

Verified in 9/15 build...

*** Bug 123704 has been marked as a duplicate of this bug. ***