Look ma! I just triggered a segfault in nsTypeAheadFind.cpp

Jonathan Protzenko jonathan.protzenko at gmail.com
Tue Dec 27 22:37:02 UTC 2011


*tl;dr:* by moving the location of the FindToolbar DOM node in 
Thunderbird, I managed to make the entire program crash in 
nsTypeAheadFind.cpp:990

I'm trying to make Ctrl-F work with Thunderbird Conversations. I need to 
move the FindBar to make it visible even when the Conversation View is 
shown. Here's the DOM hierarchy:

<vbox>
<browser id="multimessage" /><!-- this is where the conversation view 
lives -->
*<vbox>*
<hbox />
<hbox />
<deck />
<hbox>
<browser /><!-- this is where messages are usually displayed -->
</hbox>
<splitter />
<vbox />
*<findbar />*
</vbox>
</vbox>

When the conversation view is shown, the vbox in bold is hidden. Thus, 
the findbar is hidden too. I decided to move the find bar as so, using 
the DOM inspector.

<vbox>
<browser id="multimessage" /><!-- this is where the conversation view 
lives -->
*<vbox>*
<hbox />
<hbox />
<deck />
<hbox>
<browser /><!-- this is where messages are usually displayed -->
</hbox>
<splitter />
<vbox />
</vbox>
*<findbar />*
</vbox>

I then change the findbar's browserid attribute to "multimessage", 
summon the error console and run:

top.opener.document.getElementById("FindToolbar").onFindCommand()

As soon as I start typing something into the find bar, Thunderbird 
segfaults brutally. I tried to read the code, and I think I should call 
nsITypeAheadFind::SetDocShell somehow, but I can't seem to find the 
nsITypeAheadFind instance associated to the <findbar>. Moreover, I 
thought that changing the browserid attribute would do the trick since 
it's what Thunderbird is doing already.

Even *without* changing the browserid attribute, it still segfaults.

I'm a little bit puzzled as to why changing the mere location of a DOM 
node should make Thunderbird crash so badly. I'm really puzzled to any 
help would be highly appreciated!

Thanks :),

jonathan

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mail.mozilla.org/pipermail/tb-planning/attachments/20111227/71a980ee/attachment.html>


More information about the tb-planning mailing list