Closed Bug 3758 Opened 26 years ago Closed 26 years ago

Drag selecting entire content, then deleting, causes crash

Categories

(Core :: DOM: Selection, defect, P1)

VERIFIED FIXED

People

(Reporter: kinmoz, Assigned: kinmoz)

Details

To reproduce:
1. Start apprunner -editor
2. Drag select all the text on the page.
3. Hit the backspace key

We crash with the following stack trace:

TextFrame::GetWidth(nsIRenderingContext & {...}, TextFrame::TextStyle & {...}, unsigned short * 0x00131000, int 20384564, int & 0) line 1220 + 3 bytes
TextFrame::GetPointFromOffset(TextFrame * const 0x013f23c0, nsIPresContext * 0x01373bd0, nsIRenderingContext * 0x01421250, int 0, nsPoint * 0x0012f520) line 1899
nsCaret::DrawCaret() line 340
nsCaret::StartBlinking() line 234
nsCaret::NotifySelectionChanged(nsCaret * const 0x013ad994) line 184
nsRangeList::NotifySelectionListeners() line 1128 + 23 bytes
nsRangeList::EndBatchChanges(nsRangeList * const 0x013ad864) line 1089
nsEditor::Do(nsEditor * const 0x01368fb0, nsITransaction * 0x014206d0) line 668
nsEditor::DeleteSelection(nsEditor * const 0x01368fb0, nsIEditor::Direction eRTL) line 1280 + 16 bytes
nsTextEditor::DeleteSelection(nsTextEditor * const 0x01368fb0, nsIEditor::Direction eRTL) line 412 + 13 bytes
nsHTMLEditor::DeleteSelection(nsHTMLEditor * const 0x01368fb0, nsIEditor::Direction eRTL) line 117
nsTextEditorKeyListener::KeyDown(nsIDOMEvent * 0x01420650) line 140
nsEventListenerManager::HandleEvent(nsIPresContext & {...}, nsEvent * 0x0012fa74, nsIDOMEvent * * 0x0012f7a8, nsEventStatus & nsEventStatus_eIgnore) line 379 + 17 bytes
nsDocument::HandleDOMEvent(nsDocument * const 0x013724c0, nsIPresContext & {...}, nsEvent * 0x0012fa74, nsIDOMEvent * * 0x0012f7a8, unsigned int 1, nsEventStatus & nsEventStatus_eIgnore) line 1751
nsHTMLHtmlElement::HandleDOMEvent(nsHTMLHtmlElement * const 0x0137327c, nsIPresContext & {...}, nsEvent * 0x0012fa74, nsIDOMEvent * * 0x00000000, unsigned int 1, nsEventStatus & nsEventStatus_eIgnore) line 173 + 41 bytes
PresShell::HandleEvent(PresShell * const 0x013ad794, nsIView * 0x013f0b20, nsGUIEvent * 0x0012fa74, nsEventStatus & nsEventStatus_eIgnore) line 1930 + 34 bytes
nsView::HandleEvent(nsView * const 0x013f0b20, nsGUIEvent * 0x0012fa74, unsigned int 8, nsEventStatus & nsEventStatus_eIgnore) line 825
nsView::HandleEvent(nsView * const 0x013f01f0, nsGUIEvent * 0x0012fa74, unsigned int 8, nsEventStatus & nsEventStatus_eIgnore) line 808
nsView::HandleEvent(nsView * const 0x013f0120, nsGUIEvent * 0x0012fa74, unsigned int 8, nsEventStatus & nsEventStatus_eIgnore) line 808
nsScrollingView::HandleEvent(nsScrollingView * const 0x013f0120, nsGUIEvent * 0x0012fa74, unsigned int 8, nsEventStatus & nsEventStatus_eIgnore) line 875
nsView::HandleEvent(nsView * const 0x013ad3a0, nsGUIEvent * 0x0012fa74, unsigned int 28, nsEventStatus & nsEventStatus_eIgnore) line 808
nsViewManager::DispatchEvent(nsViewManager * const 0x013adc70, nsGUIEvent * 0x0012fa74, nsEventStatus & nsEventStatus_eIgnore) line 1709
HandleEvent(nsGUIEvent * 0x0012fa74) line 64
nsWindow::DispatchEvent(nsWindow * const 0x013f02d0, nsGUIEvent * 0x0012fa74, nsEventStatus & nsEventStatus_eIgnore) line 399 + 10 bytes
nsWindow::DispatchWindowEvent(nsGUIEvent * 0x0012fa74) line 415
nsWindow::OnKey(unsigned int 133, unsigned int 8, unsigned int 1, unsigned int 14) line 1362 + 24 bytes
nsWindow::ProcessMessage(unsigned int 256, unsigned int 8, long 917505, long * 0x0012fe64) line 1774 + 55 bytes
nsWindow::WindowProc(void * 0x003204b2, unsigned int 256, unsigned int 8, long 917505) line 458 + 27 bytes
USER32! 77e71250()

This crash is caused by some code that was added to TextFrame::GetPointFromOffset() (nsTextFrame.cpp revision numbers 1.93 and 1.94). The code does not take into account that mContentLength might be zero.
Priority: P3 → P1
Target Milestone: M3
Marking P1 milestone M3.
Assignee: mjudge → kin
Status: NEW → ASSIGNED
Reassigning bug to kin@netscape.com.
I have a fix for this, just waiting for chofmann@netscape.com approval to checkin.
Status: ASSIGNED → RESOLVED
Closed: 26 years ago
Resolution: --- → FIXED
Fix checked in. Index: nsTextFrame.cpp =================================================================== RCS file: /cvsroot/mozilla/layout/html/base/src/nsTextFrame.cpp,v retrieving revision 1.95 diff -c -r1.95 nsTextFrame.cpp *** nsTextFrame.cpp 1999/03/16 19:36:49 1.95 --- nsTextFrame.cpp 1999/03/16 22:50:52 *************** *** 1854,1861 **** NS_IMETHODIMP TextFrame::GetPointFromOffset(nsIPresContext* inPresContext, nsIRenderingContext* inRendContext, PRInt32 inOffset, nsPoint* outPoint) { ! if (!inPresContext || !inRendContext) return NS_ERROR_NULL_POINTER; inOffset-=mContentOffset; if (inOffset < 0){ NS_ASSERTION(0,"offset less than this frame has in GetPointFromOffset"); --- 1854,1868 ---- NS_IMETHODIMP TextFrame::GetPointFromOffset(nsIPresContext* inPresContext, nsIRenderingContext* inRendContext, PRInt32 inOffset, nsPoint* outPoint) { ! if (!inPresContext || !inRendContext || !outPoint) return NS_ERROR_NULL_POINTER; + + if (mContentLength <= 0) { + outPoint->x = 0; + outPoint->y = 0; + return NS_OK; + } + inOffset-=mContentOffset; if (inOffset < 0){ NS_ASSERTION(0,"offset less than this frame has in GetPointFromOffset");
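Review bot: the new early return for `mContentLength <= 0` silently reports NS_OK with a (0,0) point, so a caller such as nsCaret::DrawCaret will place the caret at the frame origin without knowing the frame was empty; a short comment above the block saying that an empty frame has no text run to measure (which is why GetWidth was previously handed a garbage length) would make the intent clear to the next reader. The added `!outPoint` null check is a good catch, since the function writes through that pointer unconditionally. Also, the visible lines only reject `inOffset < 0` after `inOffset-=mContentOffset`; please confirm that the lines following the hunk also clamp `inOffset` to `mContentLength`, otherwise an offset past the frame's end would still reach GetWidth with an oversized length.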
Status: RESOLVED → VERIFIED
verified fixed with Mar18 build
Per a request from Selection and Search component eng (mjudge) and qa (elig), moving all "Selection and Search" bugs to new "Selection" component. Original "Selection and Search" component will be retired.