176201 – Thunderbird Compose DeleteNode crash

Bug 176201 - Thunderbird Compose DeleteNode crash

Summary: Thunderbird Compose DeleteNode crash

Keywords:
Status:	CLOSED RAWHIDE
Alias:	None
Product:	Fedora
Classification:	Fedora
Component:	thunderbird
Sub Component:
Version:	rawhide
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	Christopher Aillon
QA Contact:
Docs Contact:
URL:
Whiteboard:
Duplicates (1):	176227 (view as bug list)
Depends On:
Blocks:	FC5Target
TreeView+	depends on / blocked

Reported:	2005-12-20 04:55 UTC by Warren Togami
Modified:	2007-11-30 22:11 UTC (History)
CC List:	1 user (show)
Fixed In Version:
Doc Type:	Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed:	2006-01-12 20:56:48 UTC
Type:	---
Embargoed:
Dependent Products:

Attachments	(Terms of Use)

Description Warren Togami 2005-12-20 04:55:00 UTC

This crash is pretty easy to reproduce in the thunderbird composer by doing a
procedure like this:
1) Compose
2) Paste a URL
3) Highlight select it
4) Hit ENTER a few times
Sometimes it doesn't work until the 3rd or 4th try, but it seems easy to
reproduce for me.

(gdb) bt
#0  0x01877cc4 in nsTextServicesDocument::DeleteNode (this=0xa5f1de8,
aChild=0xa8e3570) at nsTextServicesDocument.cpp:2532
#1  0x0187c765 in nsTSDNotifier::DidDeleteNode (this=0xa67b4a0,
aChild=0xa8e3570, aResult=0) at nsTSDNotifier.cpp:118
#2  0x018954d7 in nsEditor::DeleteNode (this=0xa56a680, aElement=0xa8e3570) at
nsEditor.cpp:1538
#3  0x018275f1 in nsHTMLEditor::DeleteNode (this=0xa56a680, aNode=0xa8e3570) at
nsHTMLEditor.cpp:3888
#4  0x0188567b in nsTextEditRules::DidDeleteSelection (this=0xa64b0e4,
aSelection=0xa63a448, aCollapsedAction=0, aResult=0)
    at nsTextEditRules.cpp:998
#5  0x01844296 in nsHTMLEditRules::DidDeleteSelection (this=0xa64b0e0,
aSelection=0xa63a448, aDir=0, aResult=0)
    at nsHTMLEditRules.cpp:2858
#6  0x0185a470 in nsHTMLEditRules::DidDoAction (this=0xa64b0e0,
aSelection=0xa63a448, aInfo=0xbfe20f30, aResult=0)
    at nsHTMLEditRules.cpp:641
#7  0x018830a6 in nsPlaintextEditor::DeleteSelection (this=0xa56a680, aAction=0)
at nsPlaintextEditor.cpp:754
#8  0x01857f1a in nsHTMLEditRules::WillInsertBreak (this=0xa64b0e0,
aSelection=0xa63a448, aCancel=0xbfe210f8,
    aHandled=0xbfe210f4) at nsHTMLEditRules.cpp:1522
#9  0x0185a329 in nsHTMLEditRules::WillDoAction (this=0xa64b0e0,
aSelection=0xa63a448, aInfo=0xbfe21090,
    aCancel=0xbfe210f8, aHandled=0xbfe210f4) at nsHTMLEditRules.cpp:599
#10 0x018818f9 in nsPlaintextEditor::InsertLineBreak (this=0xa56a680) at
nsPlaintextEditor.cpp:819
#11 0x0187fcc0 in nsPlaintextEditor::TypedText (this=0xa56a680,
aString=@0xbfe21238, aAction=2) at nsPlaintextEditor.cpp:430
#12 0x01829e88 in nsHTMLEditor::TypedText (this=0xa56a680, aString=@0xbfe21238,
aAction=2) at nsHTMLEditor.cpp:1356
#13 0x01828b8c in nsHTMLEditor::HandleKeyPress (this=0xa56a680,
aKeyEvent=0xa8f2580) at nsHTMLEditor.cpp:1317
#14 0x0188987e in nsTextEditorKeyListener::KeyPress (this=0xa657cc0,
aKeyEvent=0xa8f2590) at nsEditorEventListeners.cpp:242
#15 0x0134c49a in nsEventListenerManager::HandleEvent (this=0xa639748,
aPresContext=0xa5e4898, aEvent=0xbfe21848,
    aDOMEvent=0xbfe214ac, aCurrentTarget=0xa635348, aFlags=514,
aEventStatus=0xbfe216b4) at nsEventListenerManager.cpp:141
#16 0x0130e3c2 in nsDocument::HandleDOMEvent (this=0xa635298,
aPresContext=0xa5e4898, aEvent=0xbfe21848,
    aDOMEvent=0xbfe214ac, aFlags=514, aEventStatus=0xbfe216b4) at
nsDocument.cpp:4002
#17 0x01324a04 in nsGenericElement::HandleDOMEvent (this=0xa635798,
aPresContext=0xa5e4898, aEvent=0xbfe21848,
    aDOMEvent=0xbfe214ac, aFlags=519, aEventStatus=0xbfe216b4) at
nsGenericElement.cpp:2206
#18 0x011bfb72 in PresShell::HandleEventInternal (this=0xa631a38,
aEvent=0xbfe21848, aView=0xa5e4db0, aFlags=513,
    aStatus=0xbfe216b4) at nsPresShell.cpp:6420
#19 0x011c5cd1 in PresShell::HandleEvent (this=0xa631a38, aView=0xa5e4db0,
aEvent=0xbfe21848, aEventStatus=0xbfe216b4,
    aForceHandle=1, aHandled=@0xbfe216b0) at nsPresShell.cpp:6203
#20 0x01415fc3 in nsViewManager::HandleEvent (this=0xa5e4d38, aView=0xa5e4db0,
aEvent=0xbfe21848, aCaptured=0)
    at nsViewManager.cpp:2512
#21 0x01418ec0 in nsViewManager::DispatchEvent (this=0xa5e4d38,
aEvent=0xbfe21848, aStatus=0xbfe217c8)
    at nsViewManager.cpp:2246
#22 0x0140f96e in HandleEvent (aEvent=0xbfe21848) at nsView.cpp:171
#23 0x076a4f20 in nsCommonWidget::DispatchEvent (this=0xa5e4e08,
aEvent=0xbfe21848, aStatus=@0xbfe218e0)
    at nsCommonWidget.cpp:219
#24 0x0769e10a in nsWindow::OnKeyPressEvent (this=0xa5e4e08, aWidget=0x92ed448,
aEvent=0x925f7f0) at nsWindow.cpp:1783
#25 0x0769e16b in key_press_event_cb (widget=0x92ed448, event=0x925f7f0) at
nsWindow.cpp:3873
#26 0x03c3a2f3 in _gtk_marshal_BOOLEAN__BOXED (closure=0xa2fbce0,
return_value=0xbfe21a64, n_param_values=2,
    param_values=0xbfe21b70, invocation_hint=0xbfe21a50, marshal_data=0x769e11a)
at gtkmarshalers.c:83
#27 0x05ff2c9a in IA__g_closure_invoke (closure=0xa2fbce0,
return_value=0xbfe21a64, n_param_values=2,
    param_values=0xbfe21b70, invocation_hint=0xbfe21a50) at gclosure.c:490
#28 0x06003bb8 in signal_emit_unlocked_R (node=0x9323e48, detail=0,
instance=0x92ed448, emission_return=0xbfe21cf0,
    instance_and_params=0xbfe21b70) at gsignal.c:2449
#29 0x06004ee3 in IA__g_signal_emit_valist (instance=0x92ed448, signal_id=43,
detail=0,
    var_args=0xbfe21d74
"\214\035\uffff\uffff\uffff\uffff%\tH\uffff.\t\200\uffff\uffff\003H\uffff.\t(\0352\t")
at gsignal.c:2218
#30 0x060052d7 in IA__g_signal_emit (instance=0x92ed448, signal_id=43, detail=0)
at gsignal.c:2252
#31 0x03d17430 in gtk_widget_event_internal (widget=0x92ed448, event=0x925f7f0)
at gtkwidget.c:3735
#32 0x03d259a6 in IA__gtk_window_propagate_key_event (window=0x93480b0,
event=0x925f7f0) at gtkwindow.c:4517
#33 0x03d284f5 in gtk_window_key_press_event (widget=0x93480b0, event=0x925f7f0)
at gtkwindow.c:4547
#34 0x03c3a2f3 in _gtk_marshal_BOOLEAN__BOXED (closure=0x9323bd0,
return_value=0xbfe21f74, n_param_values=2,
    param_values=0xbfe22080, invocation_hint=0xbfe21f60, marshal_data=0x3d284b7)
at gtkmarshalers.c:83
#35 0x05ff1585 in g_type_class_meta_marshal (closure=0x9323bd0,
return_value=0xbfe21f74, n_param_values=2,
    param_values=0xbfe22080, invocation_hint=0xbfe21f60, marshal_data=0xcc) at
gclosure.c:567
#36 0x05ff2c9a in IA__g_closure_invoke (closure=0x9323bd0,
return_value=0xbfe21f74, n_param_values=2,
    param_values=0xbfe22080, invocation_hint=0xbfe21f60) at gclosure.c:490
#37 0x060041f1 in signal_emit_unlocked_R (node=0x9323e48, detail=0,
instance=0x93480b0, emission_return=0xbfe22200,
    instance_and_params=0xbfe22080) at gsignal.c:2487
#38 0x06004ee3 in IA__g_signal_emit_valist (instance=0x93480b0, signal_id=43,
detail=0,
    var_args=0xbfe22284
"\234\"\uffff\uffff\uffff\uffff%\t\uffff\2004\t\200\uffff\uffff\003\uffff\2004\t(\0352\t")
at gsignal.c:2218
#39 0x060052d7 in IA__g_signal_emit (instance=0x93480b0, signal_id=43, detail=0)
at gsignal.c:2252
#40 0x03d17430 in gtk_widget_event_internal (widget=0x93480b0, event=0x925f7f0)
at gtkwidget.c:3735
#41 0x03c348d4 in IA__gtk_propagate_event (widget=0x93480b0, event=0x925f7f0) at
gtkmain.c:2149
#42 0x03c358e5 in IA__gtk_main_do_event (event=0x925f7f0) at gtkmain.c:1412
#43 0x03e5e203 in gdk_event_dispatch (source=0x9264dc0, callback=0,
user_data=0x0) at gdkevents-x11.c:2291
#44 0x0029c943 in IA__g_main_context_dispatch (context=0x9264e08) at gmain.c:1913
#45 0x0029f893 in g_main_context_iterate (context=0x9264e08, block=1,
dispatch=1, self=0x9304fd8) at gmain.c:2544
#46 0x0029fc3c in IA__g_main_loop_run (loop=0x952d070) at gmain.c:2748
#47 0x03c35d3c in IA__gtk_main () at gtkmain.c:991
#48 0x076a3ab6 in nsAppShell::Run (this=0x934e0a8) at nsAppShell.cpp:139
#49 0x0722cc86 in nsAppStartup::Run (this=0x934e068) at nsAppStartup.cpp:150
#50 0x0804fb71 in XRE_main (argc=1, argv=0xbfe228d4, aAppData=0x8067020) at
nsAppRunner.cpp:2313
#51 0x0804b045 in main (argc=1, argv=0xbfe228d4) at nsMailApp.cpp:62
#52 0x0044562f in __libc_start_main () from /lib/libc.so.6
#53 0x0804afa1 in _start ()

Comment 1 Warren Togami 2006-01-06 02:49:43 UTC

I have reproduced this with both i386 and x86_64 thunderbird in rawhide.  Other
people in #fedora-devel have reported being able to reproduce it, while others
report they are unable to reproduce it.

Comment 2 Ray Strode [halfline] 2006-01-11 15:46:33 UTC

So, caillon and I played around with this a little bit today.  We got it to
crash once, but it's not really readily reproducable.  It took quite a bit of
toying.

Because it doesn't happen frequently, we're moving to Target.

Comment 3 Warren Togami 2006-01-11 16:54:13 UTC

It is very reproducible and it does happen frequently.

Comment 4 Warren Togami 2006-01-11 22:58:27 UTC

100% reproducible instructions:
1. Compose new
2. a
3. ENTER
4. SHIFT+Up to highlight two lines

Cool!  caillon narrowed it down to the spell checker.  It wont crash if you
disable "Spell As You Type"

Comment 5 Christopher Aillon 2006-01-12 02:26:49 UTC

*** Bug 176227 has been marked as a duplicate of this bug. ***

Comment 6 Christopher Aillon 2006-01-12 20:56:48 UTC

Fixed in 1.5-0.5.6.rc1 and later (1.5-1 also has the fix)

Note You need to log in before you can comment on or make changes to this bug.