Closed
Bug 18230
Opened 25 years ago
Closed 25 years ago
[DOGFOOD] Assertion thrown when clicking in the editor.
Categories
(Core :: DOM: Selection, defect, P1)
Tracking
VERIFIED
FIXED
M11
People
(Reporter: kinmoz, Assigned: kinmoz)
Details
The following assertion is being thrown when I click inside of Gfx textwidgets
like the URL bar, or in the content area of Composer:
NTDLL! 77f76148()
nsDebug::PreCondition(const char * 0x018633cc, const char * 0x018633bc, const char * 0x01863390, int 536) line 262 + 13 bytes
nsRangeListIterator::Release(nsRangeListIterator * const 0x0340f660) line 536 + 41 bytes
nsCOMPtr<nsIEnumerator>::~nsCOMPtr<nsIEnumerator>() line 408
nsHTMLEditor::GetParentBlockTags(nsHTMLEditor * const 0x03419200, nsStringArray * 0x0012f5a4, int 0) line 1796 + 25 bytes
nsHTMLEditor::GetParagraphTags(nsHTMLEditor * const 0x03419264, nsStringArray * 0x0012f5a4) line 1808
nsInterfaceState::UpdateParagraphState(const char * 0x030fc9f0, const char * 0x030fc9e8, nsString & {...}) line 187
nsInterfaceState::ForceUpdate(nsInterfaceState * const 0x0341bb30) line 147 + 25 bytes
nsInterfaceState::NotifySelectionChanged(nsInterfaceState * const 0x0341bb30) line 129
nsRangeList::NotifySelectionListeners() line 1360
nsRangeList::TakeFocus(nsRangeList * const 0x033ece50, nsIContent * 0x033ebd0c, unsigned int 1, unsigned int 1, int 0, int 0) line 1168 + 8 bytes
nsRangeList::HandleClick(nsRangeList * const 0x033ece50, nsIContent * 0x033ebd0c, unsigned int 1, unsigned int 1, int 0, int 0, int 0) line 1034
nsFrame::HandlePress(nsFrame * const 0x033f9830, nsIPresContext & {...}, nsGUIEvent * 0x0012fbe0, nsEventStatus & nsEventStatus_eIgnore) line 849
nsFrame::HandleEvent(nsFrame * const 0x033f9830, nsIPresContext & {...}, nsGUIEvent * 0x0012fbe0, nsEventStatus & nsEventStatus_eIgnore) line 806
nsBlockFrame::HandleEvent(nsBlockFrame * const 0x033f1090, nsIPresContext & {...}, nsGUIEvent * 0x0012fbe0, nsEventStatus & nsEventStatus_eIgnore) line 5669 + 24 bytes
PresShell::HandleEvent(PresShell * const 0x033ecec4, nsIView * 0x03418b60, nsGUIEvent * 0x0012fbe0, nsEventStatus & nsEventStatus_eIgnore) line 2244 + 38 bytes
nsView::HandleEvent(nsView * const 0x03418b60, nsGUIEvent * 0x0012fbe0, unsigned int 8, nsEventStatus & nsEventStatus_eIgnore, int & 0) line 834
nsView::HandleEvent(nsView * const 0x03301ac0, nsGUIEvent * 0x0012fbe0, unsigned int 8, nsEventStatus & nsEventStatus_eIgnore, int & 0) line 819
nsView::HandleEvent(nsView * const 0x03301cc0, nsGUIEvent * 0x0012fbe0, unsigned int 8, nsEventStatus & nsEventStatus_eIgnore, int & 0) line 819
nsView::HandleEvent(nsView * const 0x033e84d0, nsGUIEvent * 0x0012fbe0, unsigned int 28, nsEventStatus & nsEventStatus_eIgnore, int & 0) line 819
nsViewManager::DispatchEvent(nsViewManager * const 0x033e89d0, nsGUIEvent * 0x0012fbe0, nsEventStatus & nsEventStatus_eIgnore) line 1743
HandleEvent(nsGUIEvent * 0x0012fbe0) line 63
nsWindow::DispatchEvent(nsWindow * const 0x03300234, nsGUIEvent * 0x0012fbe0, nsEventStatus & nsEventStatus_eIgnore) line 403 + 10 bytes
nsWindow::DispatchWindowEvent(nsGUIEvent * 0x0012fbe0) line 424
nsWindow::DispatchMouseEvent(unsigned int 302, nsPoint * 0x00000000) line 3420 + 21 bytes
ChildWindow::DispatchMouseEvent(unsigned int 302, nsPoint * 0x00000000) line 3638
nsWindow::ProcessMessage(unsigned int 513, unsigned int 1, long 10354838, long * 0x0012fdf0) line 2625 + 24 bytes
nsWindow::WindowProc(HWND__ * 0x00050714, unsigned int 513, unsigned int 1, long 10354838) line 581 + 27 bytes
USER32! 77e71250()
After some debugging, it looks like it is due to the fact that
nsDOMSelection::QueryInterface() allocates a new nsRangeListIterator but addrefs
the this pointer instead of the new iterator it creates.
This can lead to selection leaking and/or mysterious crashing in code that uses
nsRangeListIterators since the iterator can be released too soon.
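The reference-counting mistake described in this report, reduced to a stand-alone model. This is an added example, not code from the bug or from Mozilla: `Counted`, `Selection`, `Iterator`, `QueryEnumerator` and `run` are hypothetical stand-ins, and objects are never actually deleted so the bad path can be observed safely.

```cpp
#include <cstdio>

// Stand-in for an XPCOM-style refcounted object (hypothetical, not Mozilla code).
struct Counted {
    int refs = 0;
    bool underflow = false;  // set when Release() runs with no reference held
    void AddRef() { ++refs; }
    void Release() {
        if (refs == 0) { underflow = true; return; }  // the failed precondition
        --refs;  // a real object would delete itself on reaching zero
    }
};

struct Iterator : Counted {};

struct Selection : Counted {
    Iterator storage;  // models "new nsRangeListIterator" without heap use
    // Models the enumerator branch of QueryInterface: returns a new iterator.
    Iterator* QueryEnumerator(bool fixed) {
        storage = Iterator();
        Iterator* iter = &storage;
        if (fixed) iter->AddRef();  // NS_ADDREF(iter): count the object handed out
        else AddRef();              // NS_ADDREF_THIS(): counts the selection instead
        return iter;
    }
};

struct Outcome { int selectionRefs; bool iteratorUnderflow; };

// One owner holds the selection, takes an enumerator, then drops it the way
// an nsCOMPtr destructor would.
Outcome run(bool fixed) {
    Selection sel;
    sel.AddRef();
    Iterator* it = sel.QueryEnumerator(fixed);
    it->Release();
    Outcome result = { sel.refs, it->underflow };
    return result;
}

int main() {
    Outcome before = run(false), after = run(true);
    std::printf("before fix: selection refs=%d, iterator underflow=%d\n",
                before.selectionRefs, before.iteratorUnderflow);
    std::printf("after fix:  selection refs=%d, iterator underflow=%d\n",
                after.selectionRefs, after.iteratorUnderflow);
    return 0;
}
```

In the unfixed path the selection is left with an extra reference that nothing will release (the leak), and the iterator is released without ever having been referenced (the assertion in the trace).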
Severity: normal → critical
Status: NEW → ASSIGNED
Priority: P3 → P1
Summary: Assertion thrown when clicking in the editor. → [DOGFOOD] Assertion thrown when clicking in the editor.
Target Milestone: M12
The nsRangeListIterator throwing the assertion above was allocated during a
QueryInterface() call in nsDOMSelection::GetEnumerator(). It also looks like we
are leaking the iterator we create inside of GetEnumerator.
Changing milestone to M11.
Here's my fix, reviewed by buster@netscape.com:
Index: nsRangeList.cpp
===================================================================
RCS file: /cvsroot/mozilla/layout/base/src/nsRangeList.cpp,v
retrieving revision 1.159
diff -c -r1.159 nsRangeList.cpp
*** nsRangeList.cpp 1999/11/08 11:43:08 1.159
--- nsRangeList.cpp 1999/11/08 17:55:26
***************
*** 569,574 ****
--- 569,587 ----
NS_IMETHODIMP
nsRangeListIterator::QueryInterface(REFNSIID aIID, void** aInstancePtr)
{
+ if (nsnull == aInstancePtr) {
+ return NS_ERROR_NULL_POINTER;
+ }
+ if (aIID.Equals(nsIEnumerator::GetIID())) {
+ *aInstancePtr = (void*) (nsIEnumerator *) this;
+ NS_ADDREF_THIS();
+ return NS_OK;
+ }
+ if (aIID.Equals(nsIBidirectionalEnumerator::GetIID())) {
+ *aInstancePtr = (void*) (nsIBidirectionalEnumerator *) this;
+ NS_ADDREF_THIS();
+ return NS_OK;
+ }
return mDomSelection->QueryInterface(aIID, aInstancePtr);
}
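Review bot: In nsRangeListIterator::QueryInterface the fallthrough `return mDomSelection->QueryInterface(aIID, aInstancePtr);` still sends every other IID, nsISupports included, to the selection, so a caller that QIs an iterator for nsISupports gets a pointer whose reference count lives on mDomSelection rather than on the iterator. Consider answering nsISupports here as well, or add a comment stating that the delegation is intentional. The fallthrough also dereferences mDomSelection with no null check in the visible lines. The two new branches themselves look necessary: without them a QI for nsIEnumerator on an iterator falls through to the selection, and nsDOMSelection::QueryInterface in the later hunks allocates a fresh iterator for that IID.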
***************
*** 655,661 ****
NS_IMETHODIMP
nsRangeList::QueryInterface(REFNSIID aIID, void** aInstancePtr)
{
! if (NULL == aInstancePtr) {
return NS_ERROR_NULL_POINTER;
}
if (aIID.Equals(nsIFrameSelection::GetIID())) {
--- 668,674 ----
NS_IMETHODIMP
nsRangeList::QueryInterface(REFNSIID aIID, void** aInstancePtr)
{
! if (nsnull == aInstancePtr) {
return NS_ERROR_NULL_POINTER;
}
if (aIID.Equals(nsIFrameSelection::GetIID())) {
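Review bot: The `NULL` to `nsnull` swap on the null check in nsRangeList::QueryInterface is cosmetic and unrelated to the reference-counting fix; the same applies to the identical change in nsDOMSelection::QueryInterface. For a P1 fix it would be easier to audit and back out if the style cleanup went in as a separate commit.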
***************
*** 1458,1464 ****
NS_IMETHODIMP
nsDOMSelection::QueryInterface(REFNSIID aIID, void** aInstancePtr)
{
! if (NULL == aInstancePtr) {
return NS_ERROR_NULL_POINTER;
}
if (aIID.Equals(nsCOMTypeInfo<nsISupports>::GetIID())) {
--- 1471,1477 ----
NS_IMETHODIMP
nsDOMSelection::QueryInterface(REFNSIID aIID, void** aInstancePtr)
{
! if (nsnull == aInstancePtr) {
return NS_ERROR_NULL_POINTER;
}
if (aIID.Equals(nsCOMTypeInfo<nsISupports>::GetIID())) {
***************
*** 1477,1483 ****
if (!iter)
return NS_ERROR_OUT_OF_MEMORY;
*aInstancePtr = (void*) (nsIEnumerator *) iter;
! NS_ADDREF_THIS();
return NS_OK;
}
if (aIID.Equals(nsIBidirectionalEnumerator::GetIID())) {
--- 1490,1496 ----
if (!iter)
return NS_ERROR_OUT_OF_MEMORY;
*aInstancePtr = (void*) (nsIEnumerator *) iter;
! NS_ADDREF(iter);
return NS_OK;
}
if (aIID.Equals(nsIBidirectionalEnumerator::GetIID())) {
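Review bot: `NS_ADDREF(iter)` in the nsIEnumerator branch counts the right object, but the branch still allocates a fresh iterator on every QueryInterface call (the `if (!iter)` out-of-memory check shows the allocation), so two QIs for nsIEnumerator on one selection return two different objects. Callers that compare interface pointers or expect QI to be cheap will be surprised; consider moving the allocation into GetEnumerator, and add a comment here explaining why the reference belongs to iter and not to this.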
***************
*** 1485,1491 ****
if (!iter)
return NS_ERROR_OUT_OF_MEMORY;
*aInstancePtr = (void*) (nsIBidirectionalEnumerator *) iter;
! NS_ADDREF_THIS();
return NS_OK;
}
if (aIID.Equals(nsIScriptObjectOwner::GetIID())) {
--- 1498,1504 ----
if (!iter)
return NS_ERROR_OUT_OF_MEMORY;
*aInstancePtr = (void*) (nsIBidirectionalEnumerator *) iter;
! NS_ADDREF(iter);
return NS_OK;
}
if (aIID.Equals(nsIScriptObjectOwner::GetIID())) {
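Review bot: The nsIBidirectionalEnumerator branch repeats the nsIEnumerator branch line for line apart from the cast, and both carried the same `NS_ADDREF_THIS()` mistake; a shared helper that allocates the iterator and takes the reference would keep the two from diverging. The patch also leaves nsDOMSelection::GetEnumerator untouched, although the bug comments report that the iterator created there is leaked, so please confirm that this change covers that leak or follow up separately.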
Status: ASSIGNED → RESOLVED
Closed: 25 years ago
Resolution: --- → FIXED
Fix checked into tip:
mozilla/layout/base/src/nsRangeList.cpp revision 1.160
Updated•25 years ago
QA Contact: elig → sujay
Comment 5•25 years ago
This looks like more of an Ender issue than a browser issue; QA assigning to
sujay for expert verification.