This crash is pretty easy to reproduce in the thunderbird composer by doing a procedure like this:
1) Compose
2) Paste a URL
3) Highlight select it
4) Hit ENTER a few times
Sometimes it doesn't work until the 3rd or 4th try, but it seems easy to reproduce for me.

(gdb) bt
#0 0x01877cc4 in nsTextServicesDocument::DeleteNode (this=0xa5f1de8, aChild=0xa8e3570) at nsTextServicesDocument.cpp:2532
#1 0x0187c765 in nsTSDNotifier::DidDeleteNode (this=0xa67b4a0, aChild=0xa8e3570, aResult=0) at nsTSDNotifier.cpp:118
#2 0x018954d7 in nsEditor::DeleteNode (this=0xa56a680, aElement=0xa8e3570) at nsEditor.cpp:1538
#3 0x018275f1 in nsHTMLEditor::DeleteNode (this=0xa56a680, aNode=0xa8e3570) at nsHTMLEditor.cpp:3888
#4 0x0188567b in nsTextEditRules::DidDeleteSelection (this=0xa64b0e4, aSelection=0xa63a448, aCollapsedAction=0, aResult=0) at nsTextEditRules.cpp:998
#5 0x01844296 in nsHTMLEditRules::DidDeleteSelection (this=0xa64b0e0, aSelection=0xa63a448, aDir=0, aResult=0) at nsHTMLEditRules.cpp:2858
#6 0x0185a470 in nsHTMLEditRules::DidDoAction (this=0xa64b0e0, aSelection=0xa63a448, aInfo=0xbfe20f30, aResult=0) at nsHTMLEditRules.cpp:641
#7 0x018830a6 in nsPlaintextEditor::DeleteSelection (this=0xa56a680, aAction=0) at nsPlaintextEditor.cpp:754
#8 0x01857f1a in nsHTMLEditRules::WillInsertBreak (this=0xa64b0e0, aSelection=0xa63a448, aCancel=0xbfe210f8, aHandled=0xbfe210f4) at nsHTMLEditRules.cpp:1522
#9 0x0185a329 in nsHTMLEditRules::WillDoAction (this=0xa64b0e0, aSelection=0xa63a448, aInfo=0xbfe21090, aCancel=0xbfe210f8, aHandled=0xbfe210f4) at nsHTMLEditRules.cpp:599
#10 0x018818f9 in nsPlaintextEditor::InsertLineBreak (this=0xa56a680) at nsPlaintextEditor.cpp:819
#11 0x0187fcc0 in nsPlaintextEditor::TypedText (this=0xa56a680, aString=@0xbfe21238, aAction=2) at nsPlaintextEditor.cpp:430
#12 0x01829e88 in nsHTMLEditor::TypedText (this=0xa56a680, aString=@0xbfe21238, aAction=2) at nsHTMLEditor.cpp:1356
#13 0x01828b8c in nsHTMLEditor::HandleKeyPress (this=0xa56a680, aKeyEvent=0xa8f2580) at nsHTMLEditor.cpp:1317
#14 0x0188987e in nsTextEditorKeyListener::KeyPress (this=0xa657cc0, aKeyEvent=0xa8f2590) at nsEditorEventListeners.cpp:242
#15 0x0134c49a in nsEventListenerManager::HandleEvent (this=0xa639748, aPresContext=0xa5e4898, aEvent=0xbfe21848, aDOMEvent=0xbfe214ac, aCurrentTarget=0xa635348, aFlags=514, aEventStatus=0xbfe216b4) at nsEventListenerManager.cpp:141
#16 0x0130e3c2 in nsDocument::HandleDOMEvent (this=0xa635298, aPresContext=0xa5e4898, aEvent=0xbfe21848, aDOMEvent=0xbfe214ac, aFlags=514, aEventStatus=0xbfe216b4) at nsDocument.cpp:4002
#17 0x01324a04 in nsGenericElement::HandleDOMEvent (this=0xa635798, aPresContext=0xa5e4898, aEvent=0xbfe21848, aDOMEvent=0xbfe214ac, aFlags=519, aEventStatus=0xbfe216b4) at nsGenericElement.cpp:2206
#18 0x011bfb72 in PresShell::HandleEventInternal (this=0xa631a38, aEvent=0xbfe21848, aView=0xa5e4db0, aFlags=513, aStatus=0xbfe216b4) at nsPresShell.cpp:6420
#19 0x011c5cd1 in PresShell::HandleEvent (this=0xa631a38, aView=0xa5e4db0, aEvent=0xbfe21848, aEventStatus=0xbfe216b4, aForceHandle=1, aHandled=@0xbfe216b0) at nsPresShell.cpp:6203
#20 0x01415fc3 in nsViewManager::HandleEvent (this=0xa5e4d38, aView=0xa5e4db0, aEvent=0xbfe21848, aCaptured=0) at nsViewManager.cpp:2512
#21 0x01418ec0 in nsViewManager::DispatchEvent (this=0xa5e4d38, aEvent=0xbfe21848, aStatus=0xbfe217c8) at nsViewManager.cpp:2246
#22 0x0140f96e in HandleEvent (aEvent=0xbfe21848) at nsView.cpp:171
#23 0x076a4f20 in nsCommonWidget::DispatchEvent (this=0xa5e4e08, aEvent=0xbfe21848, aStatus=@0xbfe218e0) at nsCommonWidget.cpp:219
#24 0x0769e10a in nsWindow::OnKeyPressEvent (this=0xa5e4e08, aWidget=0x92ed448, aEvent=0x925f7f0) at nsWindow.cpp:1783
#25 0x0769e16b in key_press_event_cb (widget=0x92ed448, event=0x925f7f0) at nsWindow.cpp:3873
#26 0x03c3a2f3 in _gtk_marshal_BOOLEAN__BOXED (closure=0xa2fbce0, return_value=0xbfe21a64, n_param_values=2, param_values=0xbfe21b70, invocation_hint=0xbfe21a50, marshal_data=0x769e11a) at gtkmarshalers.c:83
#27 0x05ff2c9a in IA__g_closure_invoke (closure=0xa2fbce0, return_value=0xbfe21a64, n_param_values=2, param_values=0xbfe21b70, invocation_hint=0xbfe21a50) at gclosure.c:490
#28 0x06003bb8 in signal_emit_unlocked_R (node=0x9323e48, detail=0, instance=0x92ed448, emission_return=0xbfe21cf0, instance_and_params=0xbfe21b70) at gsignal.c:2449
#29 0x06004ee3 in IA__g_signal_emit_valist (instance=0x92ed448, signal_id=43, detail=0, var_args=0xbfe21d74 "\214\035\uffff\uffff\uffff\uffff%\tH\uffff.\t\200\uffff\uffff\003H\uffff.\t(\0352\t") at gsignal.c:2218
#30 0x060052d7 in IA__g_signal_emit (instance=0x92ed448, signal_id=43, detail=0) at gsignal.c:2252
#31 0x03d17430 in gtk_widget_event_internal (widget=0x92ed448, event=0x925f7f0) at gtkwidget.c:3735
#32 0x03d259a6 in IA__gtk_window_propagate_key_event (window=0x93480b0, event=0x925f7f0) at gtkwindow.c:4517
#33 0x03d284f5 in gtk_window_key_press_event (widget=0x93480b0, event=0x925f7f0) at gtkwindow.c:4547
#34 0x03c3a2f3 in _gtk_marshal_BOOLEAN__BOXED (closure=0x9323bd0, return_value=0xbfe21f74, n_param_values=2, param_values=0xbfe22080, invocation_hint=0xbfe21f60, marshal_data=0x3d284b7) at gtkmarshalers.c:83
#35 0x05ff1585 in g_type_class_meta_marshal (closure=0x9323bd0, return_value=0xbfe21f74, n_param_values=2, param_values=0xbfe22080, invocation_hint=0xbfe21f60, marshal_data=0xcc) at gclosure.c:567
#36 0x05ff2c9a in IA__g_closure_invoke (closure=0x9323bd0, return_value=0xbfe21f74, n_param_values=2, param_values=0xbfe22080, invocation_hint=0xbfe21f60) at gclosure.c:490
#37 0x060041f1 in signal_emit_unlocked_R (node=0x9323e48, detail=0, instance=0x93480b0, emission_return=0xbfe22200, instance_and_params=0xbfe22080) at gsignal.c:2487
#38 0x06004ee3 in IA__g_signal_emit_valist (instance=0x93480b0, signal_id=43, detail=0, var_args=0xbfe22284 "\234\"\uffff\uffff\uffff\uffff%\t\uffff\2004\t\200\uffff\uffff\003\uffff\2004\t(\0352\t") at gsignal.c:2218
#39 0x060052d7 in IA__g_signal_emit (instance=0x93480b0, signal_id=43, detail=0) at gsignal.c:2252
#40 0x03d17430 in gtk_widget_event_internal (widget=0x93480b0, event=0x925f7f0) at gtkwidget.c:3735
#41 0x03c348d4 in IA__gtk_propagate_event (widget=0x93480b0, event=0x925f7f0) at gtkmain.c:2149
#42 0x03c358e5 in IA__gtk_main_do_event (event=0x925f7f0) at gtkmain.c:1412
#43 0x03e5e203 in gdk_event_dispatch (source=0x9264dc0, callback=0, user_data=0x0) at gdkevents-x11.c:2291
#44 0x0029c943 in IA__g_main_context_dispatch (context=0x9264e08) at gmain.c:1913
#45 0x0029f893 in g_main_context_iterate (context=0x9264e08, block=1, dispatch=1, self=0x9304fd8) at gmain.c:2544
#46 0x0029fc3c in IA__g_main_loop_run (loop=0x952d070) at gmain.c:2748
#47 0x03c35d3c in IA__gtk_main () at gtkmain.c:991
#48 0x076a3ab6 in nsAppShell::Run (this=0x934e0a8) at nsAppShell.cpp:139
#49 0x0722cc86 in nsAppStartup::Run (this=0x934e068) at nsAppStartup.cpp:150
#50 0x0804fb71 in XRE_main (argc=1, argv=0xbfe228d4, aAppData=0x8067020) at nsAppRunner.cpp:2313
#51 0x0804b045 in main (argc=1, argv=0xbfe228d4) at nsMailApp.cpp:62
#52 0x0044562f in __libc_start_main () from /lib/libc.so.6
#53 0x0804afa1 in _start ()
I have reproduced this with both i386 and x86_64 thunderbird in rawhide. Other people in #fedora-devel have reported being able to reproduce it, while others report they are unable to reproduce it.
So, caillon and I played around with this a little bit today. We got it to crash once, but it's not really readily reproducible. It took quite a bit of toying. Because it doesn't happen frequently, we're moving to Target.
It is very reproducible and it does happen frequently.
100% reproducible instructions:
1. Compose new
2. a
3. ENTER
4. SHIFT+Up to highlight two lines
Cool! caillon narrowed it down to the spell checker. It won't crash if you disable "Spell As You Type"
*** Bug 176227 has been marked as a duplicate of this bug. ***
Fixed in 1.5-0.5.6.rc1 and later (1.5-1 also has the fix)