Closed Bug 18230 Opened 25 years ago Closed 25 years ago

[DOGFOOD] Assertion thrown when clicking in the editor.

Categories

(Core :: DOM: Selection, defect, P1)

VERIFIED FIXED

People

(Reporter: kinmoz, Assigned: kinmoz)

Details

The following assertion is being thrown when I click inside of Gfx textwidgets like the URL bar, or in the content area of Composer:

NTDLL! 77f76148()
nsDebug::PreCondition(const char * 0x018633cc, const char * 0x018633bc, const char * 0x01863390, int 536) line 262 + 13 bytes
nsRangeListIterator::Release(nsRangeListIterator * const 0x0340f660) line 536 + 41 bytes
nsCOMPtr<nsIEnumerator>::~nsCOMPtr<nsIEnumerator>() line 408
nsHTMLEditor::GetParentBlockTags(nsHTMLEditor * const 0x03419200, nsStringArray * 0x0012f5a4, int 0) line 1796 + 25 bytes
nsHTMLEditor::GetParagraphTags(nsHTMLEditor * const 0x03419264, nsStringArray * 0x0012f5a4) line 1808
nsInterfaceState::UpdateParagraphState(const char * 0x030fc9f0, const char * 0x030fc9e8, nsString & {...}) line 187
nsInterfaceState::ForceUpdate(nsInterfaceState * const 0x0341bb30) line 147 + 25 bytes
nsInterfaceState::NotifySelectionChanged(nsInterfaceState * const 0x0341bb30) line 129
nsRangeList::NotifySelectionListeners() line 1360
nsRangeList::TakeFocus(nsRangeList * const 0x033ece50, nsIContent * 0x033ebd0c, unsigned int 1, unsigned int 1, int 0, int 0) line 1168 + 8 bytes
nsRangeList::HandleClick(nsRangeList * const 0x033ece50, nsIContent * 0x033ebd0c, unsigned int 1, unsigned int 1, int 0, int 0, int 0) line 1034
nsFrame::HandlePress(nsFrame * const 0x033f9830, nsIPresContext & {...}, nsGUIEvent * 0x0012fbe0, nsEventStatus & nsEventStatus_eIgnore) line 849
nsFrame::HandleEvent(nsFrame * const 0x033f9830, nsIPresContext & {...}, nsGUIEvent * 0x0012fbe0, nsEventStatus & nsEventStatus_eIgnore) line 806
nsBlockFrame::HandleEvent(nsBlockFrame * const 0x033f1090, nsIPresContext & {...}, nsGUIEvent * 0x0012fbe0, nsEventStatus & nsEventStatus_eIgnore) line 5669 + 24 bytes
PresShell::HandleEvent(PresShell * const 0x033ecec4, nsIView * 0x03418b60, nsGUIEvent * 0x0012fbe0, nsEventStatus & nsEventStatus_eIgnore) line 2244 + 38 bytes
nsView::HandleEvent(nsView * const 0x03418b60, nsGUIEvent * 0x0012fbe0, unsigned int 8, nsEventStatus & nsEventStatus_eIgnore, int & 0) line 834
nsView::HandleEvent(nsView * const 0x03301ac0, nsGUIEvent * 0x0012fbe0, unsigned int 8, nsEventStatus & nsEventStatus_eIgnore, int & 0) line 819
nsView::HandleEvent(nsView * const 0x03301cc0, nsGUIEvent * 0x0012fbe0, unsigned int 8, nsEventStatus & nsEventStatus_eIgnore, int & 0) line 819
nsView::HandleEvent(nsView * const 0x033e84d0, nsGUIEvent * 0x0012fbe0, unsigned int 28, nsEventStatus & nsEventStatus_eIgnore, int & 0) line 819
nsViewManager::DispatchEvent(nsViewManager * const 0x033e89d0, nsGUIEvent * 0x0012fbe0, nsEventStatus & nsEventStatus_eIgnore) line 1743
HandleEvent(nsGUIEvent * 0x0012fbe0) line 63
nsWindow::DispatchEvent(nsWindow * const 0x03300234, nsGUIEvent * 0x0012fbe0, nsEventStatus & nsEventStatus_eIgnore) line 403 + 10 bytes
nsWindow::DispatchWindowEvent(nsGUIEvent * 0x0012fbe0) line 424
nsWindow::DispatchMouseEvent(unsigned int 302, nsPoint * 0x00000000) line 3420 + 21 bytes
ChildWindow::DispatchMouseEvent(unsigned int 302, nsPoint * 0x00000000) line 3638
nsWindow::ProcessMessage(unsigned int 513, unsigned int 1, long 10354838, long * 0x0012fdf0) line 2625 + 24 bytes
nsWindow::WindowProc(HWND__ * 0x00050714, unsigned int 513, unsigned int 1, long 10354838) line 581 + 27 bytes
USER32! 77e71250()

After some debugging, it looks like it is due to the fact that nsDOMSelection::QueryInterface() allocates a new nsRangeListIterator but addrefs the this pointer instead of the new iterator it creates. This can lead to selection leaking and/or mysterious crashing in code that uses nsRangeListIterators, since the iterator can be released too soon.
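
The reference-count mix-up described in the comment above, reduced to a small C++ model (an added example, not Mozilla code and not part of the original report). `Selection`, `Iter`, `QueryEnumerator` and the counters are constructed stand-ins; a Release() on an iterator nobody owns is counted rather than asserted, so both outcomes can be compared side by side.

```cpp
#include <cstdio>
// Constructed stand-ins for nsDOMSelection and nsRangeListIterator (not Mozilla code).
struct Counters { int live_iters = 0; int bad_releases = 0; };

struct Iter {
    Counters& c;
    int refs = 0;                       // starts unowned, as after `new`
    explicit Iter(Counters& k) : c(k) { ++c.live_iters; }
    ~Iter() { --c.live_iters; }
    void AddRef() { ++refs; }
    void Release() {
        if (refs == 0) { ++c.bad_releases; return; }  // the assertion in the trace
        if (--refs == 0) delete this;
    }
};

struct Selection {
    Counters& c;
    int refs = 1;                       // the reference held by its owner
    explicit Selection(Counters& k) : c(k) {}
    void AddRef() { ++refs; }
    // Models QueryInterface(nsIEnumerator): every call hands out a new iterator.
    Iter* QueryEnumerator(bool fixed) {
        Iter* it = new Iter(c);
        if (fixed) it->AddRef();        // NS_ADDREF(iter): the caller's reference
        else       AddRef();            // NS_ADDREF_THIS(): wrong object is counted
        return it;
    }
};

struct Outcome { int selection_refs, live_iters, bad_releases; };
// One caller behaving like nsCOMPtr: query, then Release the pointer it was given.
Outcome run(bool fixed) {
    Counters c;
    Selection sel(c);
    Iter* it = sel.QueryEnumerator(fixed);
    it->Release();
    Outcome o = { sel.refs, c.live_iters, c.bad_releases };
    if (o.live_iters) delete it;        // tidy up the iterator the buggy path leaked
    return o;
}

int main() {
    Outcome bug = run(false), fix = run(true);
    std::printf("buggy: sel refs=%d live iters=%d bad releases=%d\n",
                bug.selection_refs, bug.live_iters, bug.bad_releases);
    std::printf("fixed: sel refs=%d live iters=%d bad releases=%d\n",
                fix.selection_refs, fix.live_iters, fix.bad_releases);
}
```

In the buggy path the selection keeps a reference nobody will release and the iterator is released without ever having been owned; in the fixed path both counts balance.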
Severity: normal → critical
Status: NEW → ASSIGNED
Priority: P3 → P1
Summary: Assertion thrown when clicking in the editor. → [DOGFOOD] Assertion thrown when clicking in the editor.
Target Milestone: M12
Accepting bug, marking M12.
The nsRangeListIterator throwing the assertion above was allocated during a QueryInterface() call in nsDOMSelection::GetEnumerator(). It also looks like we are leaking the iterator we create inside of GetEnumerator.
Target Milestone: M12 → M11
Changing milestone to M11. Here's my fix, reviewed by buster@netscape.com: Index: nsRangeList.cpp =================================================================== RCS file: /cvsroot/mozilla/layout/base/src/nsRangeList.cpp,v retrieving revision 1.159 diff -c -r1.159 nsRangeList.cpp *** nsRangeList.cpp 1999/11/08 11:43:08 1.159 --- nsRangeList.cpp 1999/11/08 17:55:26 *************** *** 569,574 **** --- 569,587 ---- NS_IMETHODIMP nsRangeListIterator::QueryInterface(REFNSIID aIID, void** aInstancePtr) { + if (nsnull == aInstancePtr) { + return NS_ERROR_NULL_POINTER; + } + if (aIID.Equals(nsIEnumerator::GetIID())) { + *aInstancePtr = (void*) (nsIEnumerator *) this; + NS_ADDREF_THIS(); + return NS_OK; + } + if (aIID.Equals(nsIBidirectionalEnumerator::GetIID())) { + *aInstancePtr = (void*) (nsIBidirectionalEnumerator *) this; + NS_ADDREF_THIS(); + return NS_OK; + } return mDomSelection->QueryInterface(aIID, aInstancePtr); } *************** *** 655,661 **** NS_IMETHODIMP nsRangeList::QueryInterface(REFNSIID aIID, void** aInstancePtr) { ! if (NULL == aInstancePtr) { return NS_ERROR_NULL_POINTER; } if (aIID.Equals(nsIFrameSelection::GetIID())) { --- 668,674 ---- NS_IMETHODIMP nsRangeList::QueryInterface(REFNSIID aIID, void** aInstancePtr) { ! if (nsnull == aInstancePtr) { return NS_ERROR_NULL_POINTER; } if (aIID.Equals(nsIFrameSelection::GetIID())) { *************** *** 1458,1464 **** NS_IMETHODIMP nsDOMSelection::QueryInterface(REFNSIID aIID, void** aInstancePtr) { ! if (NULL == aInstancePtr) { return NS_ERROR_NULL_POINTER; } if (aIID.Equals(nsCOMTypeInfo<nsISupports>::GetIID())) { --- 1471,1477 ---- NS_IMETHODIMP nsDOMSelection::QueryInterface(REFNSIID aIID, void** aInstancePtr) { ! if (nsnull == aInstancePtr) { return NS_ERROR_NULL_POINTER; } if (aIID.Equals(nsCOMTypeInfo<nsISupports>::GetIID())) { *************** *** 1477,1483 **** if (!iter) return NS_ERROR_OUT_OF_MEMORY; *aInstancePtr = (void*) (nsIEnumerator *) iter; ! 
NS_ADDREF_THIS(); return NS_OK; } if (aIID.Equals(nsIBidirectionalEnumerator::GetIID())) { --- 1490,1496 ---- if (!iter) return NS_ERROR_OUT_OF_MEMORY; *aInstancePtr = (void*) (nsIEnumerator *) iter; ! NS_ADDREF(iter); return NS_OK; } if (aIID.Equals(nsIBidirectionalEnumerator::GetIID())) { *************** *** 1485,1491 **** if (!iter) return NS_ERROR_OUT_OF_MEMORY; *aInstancePtr = (void*) (nsIBidirectionalEnumerator *) iter; ! NS_ADDREF_THIS(); return NS_OK; } if (aIID.Equals(nsIScriptObjectOwner::GetIID())) { --- 1498,1504 ---- if (!iter) return NS_ERROR_OUT_OF_MEMORY; *aInstancePtr = (void*) (nsIBidirectionalEnumerator *) iter; ! NS_ADDREF(iter); return NS_OK; } if (aIID.Equals(nsIScriptObjectOwner::GetIID())) {
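Review bot: In the first hunk (nsRangeListIterator::QueryInterface), the fall-through `return mDomSelection->QueryInterface(aIID, aInstancePtr);` still answers nsISupports and every IID other than the two enumerator ones with the selection object, so the iterator has no nsISupports identity of its own and a caller that QIs the iterator to nsISupports ends up holding a reference on the selection. Suggest adding an nsISupports branch on `this` next to the two new ones, and null-checking mDomSelection before delegating, since nothing in the hunk shows it is guaranteed to be set.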
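Review bot: In the last two hunks (nsDOMSelection::QueryInterface), `NS_ADDREF(iter)` puts the reference on the right object, but both branches still allocate a new nsRangeListIterator on every call, so two QueryInterface calls for nsIEnumerator return different objects; that departure from the usual QueryInterface contract deserves a comment at the allocation, and the two near-identical branches could share one helper. Separately, no hunk touches nsDOMSelection::GetEnumerator(), which the earlier comment in this bug says leaks the iterator it creates; please confirm whether that is covered by this change or needs a follow-up.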
Status: ASSIGNED → RESOLVED
Closed: 25 years ago
Resolution: --- → FIXED
Fix checked into tip: mozilla/layout/base/src/nsRangeList.cpp revision 1.160
QA Contact: elig → sujay
This looks like more of an Ender issue than a browser issue; QA assigning to sujay for expert verification.
Status: RESOLVED → VERIFIED
verified in 12/7 build.