Closed Bug 291176 Opened 19 years ago Closed 19 years ago

view-source crashes on URL [@ nsTextFrame::PrepareUnicodeText]

Categories

(Core :: Layout: Text and Fonts, defect)

x86
Windows 98
defect
Not set
critical

Tracking

VERIFIED FIXED

People

(Reporter: hhschwab, Assigned: rbs)

References

Details

(Keywords: crash, regression, testcase)

Crash Data

Attachments

(3 files)

Mozilla/5.0 (Windows; U; Win98; en-US; rv:1.8b2) Gecko/20050420 Mnenhy/0.7

URL from Bug 291102

Steps to repeat:
1. Load http://www.okaz.com.sa/
2. view source from Menu or CTRL+U

BuildId 2005041706 working, BuildId 2005041805 crashing
Talkbacks:
TB5230375X, TB5230370Y, TB5231675Z

checkins in that timeframe:
http://bonsai.mozilla.org/cvsquery.cgi?treeid=default&module=SeaMonkeyAll&branch=HEAD&branchtype=match&dir=&file=&filetype=match&who=&whotype=match&sortby=Date&hours=2&date=explicit&mindate=2005-04-17+00%3A00&maxdate=2005-04-18+05%3A00&cvsroot=%2Fcvsroot
Keywords: crash
OS: other → Windows 98
I tried this in my own Mozilla 1.8b2 build (2005042007) and I can confirm the crash.

Build platform target i686-pc-linux-gnu

Build tools
Compiler 	Version 	Compiler flags
gcc 	gcc version 3.4.3 20050227 (Red Hat 3.4.3-22.fc3) 	-Wall -W -Wno-unused
-Wpointer-arith -Wcast-align -Wno-long-long -pedantic -pthread -pipe
c++ 	gcc version 3.4.3 20050227 (Red Hat 3.4.3-22.fc3) 	-fno-rtti
-fno-exceptions -Wall -Wconversion -Wpointer-arith -Wcast-align
-Woverloaded-virtual -Wsynth -Wno-ctor-dtor-privacy -Wno-non-virtual-dtor
-Wno-long-long -pedantic -fshort-wchar -pthread -pipe -I/usr/X11R6/include

Configure arguments
--enable-application=suite --enable-crypto --disable-debug --disable-tests
--enable-optimize=-O2 --enable-default-toolkit=gtk2 --enable-xft
--disable-freetype2 
Attached file testcase
<META HTTP-EQUIV="Content-Type" content="text/html; charset=windows-1256">
</HEAD>
<BODY TOPMARGIN=0 LEFTMARGIN=0 dir=rtl bgcolor="white">
<Script>
window.self.focus()
Browser_ver=navigator.appVersion
ind=Browser_ver.indexOf("MSIE")
index=Browser_ver.indexOf(";",ind)
Ver=Browser_ver.substring(ind+4,index)
numObj=new Number(Ver)
val=numObj.valueOf()
if( val < 5 )
	var act=window.confirm("ÇáãæÞÚ íÍÊÇÌ áäÓÎÉ ãÊÞÏãÉ ãä ÇáãÊÕÝÍ ááÚãá
ÈßÝÇÁÉ\n åá ÊÑíÏ ÊÍãíá äÓÎÉ ãÊÞÏãÉ ãä ÇáãÊÕÝÍ ¿")
	if(act)
		window.open("http://www.microsoft.com/ie")
</Script>
Link to testcase: https://bugzilla.mozilla.org/attachment.cgi?id=181316
Link to crash: view-source:https://bugzilla.mozilla.org/attachment.cgi?id=181316

I disabled JS, loaded the testcase, and crashed.
If I replace the Arabic text in the following line by western characters, all is
well. If I just put the Arabic text of that line as a comment into the body, all is well.

	var act=window.confirm("ÇáãæÞÚ íÍÊÇÌ áäÓÎÉ ãÊÞÏãÉ ãä ÇáãÊÕÝÍ ááÚãá ÈßÝÇÁÉ\n åá
ÊÑíÏ ÊÍãíá äÓÎÉ ãÊÞÏãÉ ãä ÇáãÊÕÝÍ ¿")


replace with:
var act=window.confirm("confirm") and the crash is gone.
Keywords: testcase
Stacktrace:
nsTextFrame::PrepareUnicodeText(nsTextFrame * const 0x000000e6,
nsTextTransformer & {...}, nsAutoIndexBuffer * 0x0012ee70, nsAutoTextBuffer *
0x00000074, int * 0x0012f198, int 0x00000000, int * 0x00000000) line 1771 + 20 bytes
nsTextFrame::PaintUnicodeText(nsTextFrame * const 0x000000e6, nsPresContext *
0x06b1b118, nsIRenderingContext & {...}, nsStyleContext * 0x09f22be8,
nsTextFrame::TextPaintStyle & {...}, int 0x00000000, int 0x00000000) line 2423
nsTextFrame::Paint(nsTextFrame * const 0x00000010, nsPresContext * 0x06b1b118,
nsIRenderingContext & {...}, const nsRect & {...}, nsFramePaintLayer 0x07655640,
unsigned int 0x00000000) line 1526
nsContainerFrame::PaintChild(nsContainerFrame * const 0x000000e6, nsPresContext
* 0x06b1b118, nsIRenderingContext & {...}, const nsRect & {...}, nsIFrame *
0x41000000, nsFramePaintLayer eFramePaintLayer_Overlay, unsigned int 0x00000000)
line 304
nsBlockFrame::PaintChild(nsBlockFrame * const 0x000000e6, nsPresContext *
0x06b1b118, nsIRenderingContext & {...}, const nsRect & {...}, nsIFrame *
0x076c4c00, nsFramePaintLayer eFramePaintLayer_Overlay, unsigned int 0x00000000)
line 287
nsBlockFrame::PaintChildren(nsBlockFrame * const 0x000000e6, nsPresContext *
0x06b1b118, nsIRenderingContext & {...}, const nsRect & {...}, nsFramePaintLayer
eFramePaintLayer_Overlay, unsigned int 0x00000000) line 6320 + 57 bytes
nsHTMLContainerFrame::PaintDecorationsAndChildren(nsHTMLContainerFrame * const
0x000000e6, nsPresContext * 0x06b1b118, nsIRenderingContext & {...}, const
nsRect & {...}, nsFramePaintLayer eFramePaintLayer_Overlay, int 0x00000001,
unsigned int 0x00000000) line 137
nsBlockFrame::Paint(nsBlockFrame * const 0x00000000, nsPresContext * 0x06b1b118,
nsIRenderingContext & {...}, const nsRect & {...}, nsFramePaintLayer
eFramePaintLayer_Overlay, unsigned int 0x00000000) line 6168
nsContainerFrame::PaintChild(nsContainerFrame * const 0x000000e6, nsPresContext
* 0x06b1b118, nsIRenderingContext & {...}, const nsRect & {...}, nsIFrame *
0x41000000, nsFramePaintLayer eFramePaintLayer_Overlay, unsigned int 0x00000000)
line 304
nsBlockFrame::PaintChild(nsBlockFrame * const 0x000000e6, nsPresContext *
0x06b1b118, nsIRenderingContext & {...}, const nsRect & {...}, nsIFrame *
0x09f22b98, nsFramePaintLayer eFramePaintLayer_Overlay, unsigned int 0x00000000)
line 287
nsBlockFrame::PaintChildren(nsBlockFrame * const 0x000000e6, nsPresContext *
0x06b1b118, nsIRenderingContext & {...}, const nsRect & {...}, nsFramePaintLayer
eFramePaintLayer_Overlay, unsigned int 0x00000000) line 6341 + 67 bytes
nsHTMLContainerFrame::PaintDecorationsAndChildren(nsHTMLContainerFrame * const
0x000000e6, nsPresContext * 0x06b1b118, nsIRenderingContext & {...}, const
nsRect & {...}, nsFramePaintLayer eFramePaintLayer_Overlay, int 0x00000001,
unsigned int 0x00000000) line 137
nsBlockFrame::Paint(nsBlockFrame * const 0x00000000, nsPresContext * 0x06b1b118,
nsIRenderingContext & {...}, const nsRect & {...}, nsFramePaintLayer
eFramePaintLayer_Overlay, unsigned int 0x00000000) line 6168
nsContainerFrame::PaintChild(nsContainerFrame * const 0x000000e6, nsPresContext
* 0x06b1b118, nsIRenderingContext & {...}, const nsRect & {...}, nsIFrame *
0x00000000, nsFramePaintLayer eFramePaintLayer_Overlay, unsigned int 0x00000000)
line 304
nsBlockFrame::PaintChild(nsBlockFrame * const 0x000000e6, nsPresContext *
0x06b1b118, nsIRenderingContext & {...}, const nsRect & {...}, nsIFrame *
0x09f223dc, nsFramePaintLayer eFramePaintLayer_Overlay, unsigned int 0x00000000)
line 287
nsBlockFrame::PaintChildren(nsBlockFrame * const 0x000000e6, nsPresContext *
0x06b1b118, nsIRenderingContext & {...}, const nsRect & {...}, nsFramePaintLayer
eFramePaintLayer_Overlay, unsigned int 0x00000000) line 6341 + 67 bytes
nsHTMLContainerFrame::PaintDecorationsAndChildren(nsHTMLContainerFrame * const
0x000000e6, nsPresContext * 0x06b1b118, nsIRenderingContext & {...}, const
nsRect & {...}, nsFramePaintLayer eFramePaintLayer_Overlay, int 0x00000001,
unsigned int 0x00000000) line 137
nsBlockFrame::Paint(nsBlockFrame * const 0x00000000, nsPresContext * 0x06b1b118,
nsIRenderingContext & {...}, const nsRect & {...}, nsFramePaintLayer
eFramePaintLayer_Overlay, unsigned int 0x00000000) line 6168
nsContainerFrame::PaintChild(nsContainerFrame * const 0x000000e6, nsPresContext
* 0x06b1b118, nsIRenderingContext & {...}, const nsRect & {...}, nsIFrame *
0x00000000, nsFramePaintLayer eFramePaintLayer_Overlay, unsigned int 0x00000000)
line 304
Summary: view-source crashes on URL → view-source crashes on URL [@ nsTextFrame::PrepareUnicodeText]
two talkbacks using the testcase, JS disabled: TB5233411X, TB5233210K
I can't get connected to http://talkback-public.mozilla.org/talkback/fastfind.jsp
rbs: Possible regression from Bug 96423 or Bug 93168 (judging from bonsai and
stacktrace)?
Assignee: mrbkap → nobody
Component: ViewSource → Layout: Fonts and Text
Product: Mozilla Application Suite → Core
QA Contact: doronr → layout.fonts-and-text
Either of the fixes I suggest in bug 291188 comment 3 fixes this crash also.
Depends on: 291188
Attached patch fix
Fix does what Simon suggested. I wonder why bidi is transforming beyond its
need. There is little reason why the length of the transformed text should be
bounded by the length of the original content (apart from ::first-letter which
is clear). The text should be allowed to expand, no? Or the transformed length
should be computed properly rather than being clamped here. The |if| is
necessary otherwise we regress the other bug 286923.
Assignee: nobody → rbs
Status: NEW → ASSIGNED
Attachment #181360 - Flags: superreview?(bzbarsky)
Attachment #181360 - Flags: review?(smontagu)
Comment on attachment 181360 [details] [diff] [review]
fix

r=me. Bidi can't allow the transformed text to expand from a left-to-right run
to a right-to-left run or vice versa, because these have to be rendered in
separate calls to gfx.
Attachment #181360 - Flags: review?(smontagu) → review+
Since the BIDI logic permeates deeply into the transformer (unlike
::first-letter), you might perhaps consider setting the length of the
transformed text accordingly there.
Attachment #181360 - Flags: superreview?(bzbarsky) → superreview+
Comment on attachment 181360 [details] [diff] [review]
fix

Asking approval for 1.8b2 for this simple patch to fix a crash in bidi text.
Attachment #181360 - Flags: approval1.8b2?
Reversing dependencies
Blocks: 291188
No longer depends on: 291188
Comment on attachment 181360 [details] [diff] [review]
fix

a=asa
Attachment #181360 - Flags: approval1.8b2? → approval1.8b2+
Checked in.
Status: ASSIGNED → RESOLVED
Closed: 19 years ago
Resolution: --- → FIXED
Verified FIXED with build 2005-04-23-05 on Windows XP Seamonkey trunk.
Status: RESOLVED → VERIFIED
Can we get this checked in on the branch?
*** Bug 310274 has been marked as a duplicate of this bug. ***
Ignore me, this is from before we branched
Blocks: 310274
Crash Signature: [@ nsTextFrame::PrepareUnicodeText]