Closed
Bug 75026
Opened 23 years ago
Closed 23 years ago
Bidi: Selection on US system causes a crash in GKGFXWIN.DLL
Categories
(Core :: Internationalization, defect)
Tracking
()
RESOLVED
FIXED
mozilla0.9.3
People
(Reporter: mrous, Assigned: smontagu)
References
Details
(Keywords: crash, intl, Whiteboard: add bandaid code to turn crash into assertion gracefully.)
Attachments
(5 files)
475 bytes,
text/html
|
Details | |
2.37 KB,
patch
|
Details | Diff | Splinter Review | |
2.56 KB,
patch
|
Details | Diff | Splinter Review | |
3.15 KB,
patch
|
Details | Diff | Splinter Review | |
1.01 KB,
patch
|
Details | Diff | Splinter Review |
When opening an Arabic htm page and trying to make a selection beyond the browser display area, Mozilla crashes in GKGFXWIN.DLL Reproducability: Every time Steps to reproduce: 1. Open file CP1256.htm 2. while on the Arabic text, press the left button of the mous and move up to make a selection 3. move up until you pass the browser area into where the URL name goes to be loaded or to the title bar of the window 4. move back towards the text Actual Results: MOZILLA caused an invalid page fault in module GKGFXWIN.DLL at 015f:00cccbd8. Registers: EAX=0070f164 CS=015f EIP=00cccbd8 EFLGS=00010213 EBX=0000074e SS=0167 ESP=0070ee48 EBP=0070ee74 ECX=00000e9c DS=0167 ESI=0184aca0 FS=2c7f EDX=00000000 ES=0167 EDI=0185ffc0 GS=0000 Bytes at CS:EIP: 66 8b 04 01 8b 4d e8 66 89 45 e4 0f b7 51 0e 8b Stack dump: 00000000 0184aca0 00000000 01858074 00700000 01842020 00000e9c 0000074e 0185ffc0 00000384 00003480 0070f2f0 014f5ba5 0000074c 0070f164 ffffffff Expected Results: You should have a selection from the point you started to the top of the file, not crashing.
Reporter | ||
Comment 1•23 years ago
|
||
Comment 3•23 years ago
|
||
we should fix this in moz0.9. crash is not good.
Target Milestone: --- → mozilla0.9
Updated•23 years ago
|
Target Milestone: mozilla0.9 → mozilla0.9.1
Comment 8•23 years ago
|
||
I cannot reproduce this right now. Either because we have not turn on FULL_ARABIC_SHAPING yet or because the fix I checked in for bug 81078
Target Milestone: --- → mozilla0.9.1
Comment 9•23 years ago
|
||
I am not sure this is the same crash but I got a crash when I select up/down www.hotmail.co.il/login.asp here is the stack trace nsRenderingContextWin::GetWidth(nsRenderingContextWin * const 0x041e45e0, const unsigned short * 0x0012dd10, unsigned int 0xffffffff, int & 0x000000d2, int * 0x00000000) line 1771 + 6 bytes nsTextFrame::PaintUnicodeText(nsIPresContext * 0x041cf8a0, nsIRenderingContext & {...}, nsIStyleContext * 0x03a98a70, nsTextFrame::TextStyle & {...}, int 0x00000000, int 0x00000000) line 2244 + 38 bytes nsTextFrame::Paint(nsTextFrame * const 0x02636a08, nsIPresContext * 0x041cf8a0, nsIRenderingContext & {...}, const nsRect & {...}, nsFramePaintLayer eFramePaintLayer_Overlay) line 1387 nsContainerFrame::PaintChild(nsIPresContext * 0x041cf8a0, nsIRenderingContext & {...}, const nsRect & {...}, nsIFrame * 0x02636a08, nsFramePaintLayer eFramePaintLayer_Overlay) line 229 nsBlockFrame::PaintChildren(nsIPresContext * 0x041cf8a0, nsIRenderingContext & {...}, const nsRect & {...}, nsFramePaintLayer eFramePaintLayer_Overlay) line 5162 nsBlockFrame::Paint(nsBlockFrame * const 0x0263623c, nsIPresContext * 0x041cf8a0, nsIRenderingContext & {...}, const nsRect & {...}, nsFramePaintLayer eFramePaintLayer_Overlay) line 5040 nsContainerFrame::PaintChild(nsIPresContext * 0x041cf8a0, nsIRenderingContext & {...}, const nsRect & {...}, nsIFrame * 0x0263623c, nsFramePaintLayer eFramePaintLayer_Overlay) line 229 nsContainerFrame::PaintChildren(nsIPresContext * 0x041cf8a0, nsIRenderingContext & {...}, const nsRect & {...}, nsFramePaintLayer eFramePaintLayer_Overlay) line 173 nsTableCellFrame::Paint(nsTableCellFrame * const 0x026361e0, nsIPresContext * 0x041cf8a0, nsIRenderingContext & {...}, const nsRect & {...}, nsFramePaintLayer eFramePaintLayer_Overlay) line 447 nsTableRowFrame::PaintChildren(nsIPresContext * 0x041cf8a0, nsIRenderingContext & {...}, const nsRect & {...}, nsFramePaintLayer eFramePaintLayer_Overlay) line 547 nsTableRowFrame::Paint(nsTableRowFrame * const 0x02636198, nsIPresContext * 0x041cf8a0, nsIRenderingContext & {...}, const nsRect & {...}, nsFramePaintLayer eFramePaintLayer_Overlay) line 500 nsTableRowGroupFrame::PaintChildren(nsIPresContext * 0x041cf8a0, nsIRenderingContext & {...}, const nsRect & {...}, nsFramePaintLayer eFramePaintLayer_Overlay) line 278 nsTableRowGroupFrame::Paint(nsTableRowGroupFrame * const 0x025bde50, nsIPresContext * 0x041cf8a0, nsIRenderingContext & {...}, const nsRect & {...}, nsFramePaintLayer eFramePaintLayer_Overlay) line 232 nsContainerFrame::PaintChild(nsIPresContext * 0x041cf8a0, nsIRenderingContext & {...}, const nsRect & {...}, nsIFrame * 0x025bde50, nsFramePaintLayer eFramePaintLayer_Overlay) line 229 nsContainerFrame::PaintChildren(nsIPresContext * 0x041cf8a0, nsIRenderingContext & {...}, const nsRect & {...}, nsFramePaintLayer eFramePaintLayer_Overlay) line 173 nsTableFrame::Paint(nsTableFrame * const 0x025bdde8, nsIPresContext * 0x041cf8a0, nsIRenderingContext & {...}, const nsRect & {...}, nsFramePaintLayer eFramePaintLayer_Overlay) line 1471 nsContainerFrame::PaintChild(nsIPresContext * 0x041cf8a0, nsIRenderingContext & {...}, const nsRect & {...}, nsIFrame * 0x025bdde8, nsFramePaintLayer eFramePaintLayer_Overlay) line 229 nsTableOuterFrame::Paint(nsTableOuterFrame * const 0x025bdd9c, nsIPresContext * 0x041cf8a0, nsIRenderingContext & {...}, const nsRect & {...}, nsFramePaintLayer eFramePaintLayer_Overlay) line 368 nsContainerFrame::PaintChild(nsIPresContext * 0x041cf8a0, nsIRenderingContext & {...}, const nsRect & {...}, nsIFrame * 0x025bdd9c, nsFramePaintLayer eFramePaintLayer_Overlay) line 229 nsBlockFrame::PaintChildren(nsIPresContext * 0x041cf8a0, nsIRenderingContext & {...}, const nsRect & {...}, nsFramePaintLayer eFramePaintLayer_Overlay) line 5162 nsBlockFrame::Paint(nsBlockFrame * const 0x025bdd10, nsIPresContext * 0x041cf8a0, nsIRenderingContext & {...}, const nsRect & {...}, nsFramePaintLayer eFramePaintLayer_Overlay) line 5040 nsContainerFrame::PaintChild(nsIPresContext * 0x041cf8a0, nsIRenderingContext & {...}, const nsRect & {...}, nsIFrame * 0x025bdd10, nsFramePaintLayer eFramePaintLayer_Overlay) line 229 nsContainerFrame::PaintChildren(nsIPresContext * 0x041cf8a0, nsIRenderingContext & {...}, const nsRect & {...}, nsFramePaintLayer eFramePaintLayer_Overlay) line 173 nsTableCellFrame::Paint(nsTableCellFrame * const 0x025bdcb4, nsIPresContext * 0x041cf8a0, nsIRenderingContext & {...}, const nsRect & {...}, nsFramePaintLayer eFramePaintLayer_Overlay) line 447 nsTableRowFrame::PaintChildren(nsIPresContext * 0x041cf8a0, nsIRenderingContext & {...}, const nsRect & {...}, nsFramePaintLayer eFramePaintLayer_Overlay) line 547 nsTableRowFrame::Paint(nsTableRowFrame * const 0x02571e88, nsIPresContext * 0x041cf8a0, nsIRenderingContext & {...}, const nsRect & {...}, nsFramePaintLayer eFramePaintLayer_Overlay) line 500 nsTableRowGroupFrame::PaintChildren(nsIPresContext * 0x041cf8a0, nsIRenderingContext & {...}, const nsRect & {...}, nsFramePaintLayer eFramePaintLayer_Overlay) line 278 nsTableRowGroupFrame::Paint(nsTableRowGroupFrame * const 0x025db094, nsIPresContext * 0x041cf8a0, nsIRenderingContext & {...}, const nsRect & {...}, nsFramePaintLayer eFramePaintLayer_Overlay) line 232 nsContainerFrame::PaintChild(nsIPresContext * 0x041cf8a0, nsIRenderingContext & {...}, const nsRect & {...}, nsIFrame * 0x025db094, nsFramePaintLayer eFramePaintLayer_Overlay) line 229 nsContainerFrame::PaintChildren(nsIPresContext * 0x041cf8a0, nsIRenderingContext & {...}, const nsRect & {...}, nsFramePaintLayer eFramePaintLayer_Overlay) line 173 nsTableFrame::Paint(nsTableFrame * const 0x025db02c, nsIPresContext * 0x041cf8a0, nsIRenderingContext & {...}, const nsRect & {...}, nsFramePaintLayer eFramePaintLayer_Overlay) line 1471 nsContainerFrame::PaintChild(nsIPresContext * 0x041cf8a0, nsIRenderingContext & {...}, const nsRect & {...}, nsIFrame * 0x025db02c, nsFramePaintLayer eFramePaintLayer_Overlay) line 229 nsTableOuterFrame::Paint(nsTableOuterFrame * const 0x025dafe0, nsIPresContext * 0x041cf8a0, nsIRenderingContext & {...}, const nsRect & {...}, nsFramePaintLayer eFramePaintLayer_Overlay) line 368 nsContainerFrame::PaintChild(nsIPresContext * 0x041cf8a0, nsIRenderingContext & {...}, const nsRect & {...}, nsIFrame * 0x025dafe0, nsFramePaintLayer eFramePaintLayer_Overlay) line 229 nsBlockFrame::PaintChildren(nsIPresContext * 0x041cf8a0, nsIRenderingContext & {...}, const nsRect & {...}, nsFramePaintLayer eFramePaintLayer_Overlay) line 5162 nsBlockFrame::Paint(nsBlockFrame * const 0x025daf04, nsIPresContext * 0x041cf8a0, nsIRenderingContext & {...}, const nsRect & {...}, nsFramePaintLayer eFramePaintLayer_Overlay) line 5040 nsContainerFrame::PaintChild(nsIPresContext * 0x041cf8a0, nsIRenderingContext & {...}, const nsRect & {...}, nsIFrame * 0x025daf04, nsFramePaintLayer eFramePaintLayer_Overlay) line 229 nsBlockFrame::PaintChildren(nsIPresContext * 0x041cf8a0, nsIRenderingContext & {...}, const nsRect & {...}, nsFramePaintLayer eFramePaintLayer_Overlay) line 5162 nsBlockFrame::Paint(nsBlockFrame * const 0x025dae78, nsIPresContext * 0x041cf8a0, nsIRenderingContext & {...}, const nsRect & {...}, nsFramePaintLayer eFramePaintLayer_Overlay) line 5040 nsContainerFrame::PaintChild(nsIPresContext * 0x041cf8a0, nsIRenderingContext & {...}, const nsRect & {...}, nsIFrame * 0x025dae78, nsFramePaintLayer eFramePaintLayer_Overlay) line 229 nsContainerFrame::PaintChildren(nsIPresContext * 0x041cf8a0, nsIRenderingContext & {...}, const nsRect & {...}, nsFramePaintLayer eFramePaintLayer_Overlay) line 173 nsHTMLContainerFrame::Paint(nsHTMLContainerFrame * const 0x025da10c, nsIPresContext * 0x041cf8a0, nsIRenderingContext & {...}, const nsRect & {...}, nsFramePaintLayer eFramePaintLayer_Overlay) line 122 CanvasFrame::Paint(CanvasFrame * const 0x025da10c, nsIPresContext * 0x041cf8a0, nsIRenderingContext & {...}, const nsRect & {...}, nsFramePaintLayer eFramePaintLayer_Overlay) line 238 PresShell::Paint(PresShell * const 0x041a26b4, nsIView * 0x04c24370, nsIRenderingContext & {...}, const nsRect & {...}) line 5241 + 34 bytes nsView::Paint(nsView * const 0x04c24370, nsIRenderingContext & {...}, const nsRect & {...}, unsigned int 0x00000080, int & 0x100283d5) line 275 nsViewManager::RenderDisplayListElement(DisplayListElement2 * 0x041e4390, nsIRenderingContext & {...}) line 1443 nsViewManager::RenderViews(nsIView * 0x04c63800, nsIRenderingContext & {...}, const nsRect & {...}, int & 0x00000000) line 1368 nsViewManager::Refresh(nsIView * 0x04c63800, nsIRenderingContext * 0x041e45e0, const nsRect * 0x0012f654, unsigned int 0x00000001) line 900 nsViewManager::DispatchEvent(nsViewManager * const 0x041a09b0, nsGUIEvent * 0x0012f794, nsEventStatus * 0x0012f698) line 1962 HandleEvent(nsGUIEvent * 0x0012f794) line 68 nsWindow::DispatchEvent(nsWindow * const 0x04c67d04, nsGUIEvent * 0x0012f794, nsEventStatus & nsEventStatus_eIgnore) line 702 + 10 bytes nsWindow::DispatchWindowEvent(nsGUIEvent * 0x0012f794, nsEventStatus & nsEventStatus_eIgnore) line 728 nsWindow::OnPaint() line 3847 + 28 bytes nsWindow::ProcessMessage(unsigned int 0x0000000f, unsigned int 0x00000000, long 0x00000000, long * 0x0012fbac) line 2852 + 17 bytes nsWindow::WindowProc(HWND__ * 0x16230660, unsigned int 0x0000000f, unsigned int 0x00000000, long 0x00000000) line 957 + 27 bytes USER32! 77e42137() USER32! 77e42183() NTDLL! 77f663b3() The aLength in PaintUnicodeText is 0xfffffff
Comment 10•23 years ago
|
||
and the following is the iter - iter {...} + mUniStr 0x0012dd10 " 00????????" + mCStr 0x0012dd10 " " mLength 0x00000001 mCurrentIdx 0x00000000 mCurrentLength 0xffffffff + mOldStyle {...} + mDetails 0x04369ad0 mDone 0x00000000 + mTypes 0x00000000 "" mInit 0x00000001 mSelectionStatus 0x0002 mDisabledColor 0xffb0b0b0 what is mCurrentLength ? what is the difference between mCurrentLength and mLength ?
Comment 11•23 years ago
|
||
another selection crash
Updated•23 years ago
|
Whiteboard: crash
Comment 12•23 years ago
|
||
I think the problem is we use the right length here.
Comment 13•23 years ago
|
||
easier test procedure 1. open http://www.hotmail.co.il/login.asp 2. click into the mid of "Microsoft" 3. drag mouse around to select text 4. it will crash,
Comment 14•23 years ago
|
||
I think the problem is we use the wrong "length" to do BIDI swaping code. textLength is not from the result of nsTextTransform and it will change depend on many thing- such as whitespace compression and text-transform. I believe the mDetails->mStart/mEnd are from the content code so we should minus with mContentLength instead. Here is my patch, it include some ASSERTION code also,
Comment 15•23 years ago
|
||
Comment 16•23 years ago
|
||
I think the code in question: while (sdptr){ sdptr->mStart = ip[sdptr->mStart] - mContentOffset; sdptr->mEnd = ip[sdptr->mEnd] - mContentOffset; #ifdef IBMBIDI // Simon - display substrings RTL in RTL frame on non-Bidi platfo rm if ((level & 1) && !(isRightToLeftOnBidiPlatform)) { PRInt32 swap = sdptr->mStart; sdptr->mStart = textLength - sdptr->mEnd; sdptr->mEnd = textLength - swap; } #endif sdptr = sdptr->mNext; } is mapping all the detail offsets to the range within the compressed string, so using textLength is the right thing to do ... that said, the BIDI code is making mStart >= mEnd, so there's a problem since I think the selection iterator code expects mStart <= mEnd.
Comment 17•23 years ago
|
||
Ok, I must've been on drugs when I first looked at this ... I take it back, the BIDI code is not making mStart >= mEnd ... it's still generating mStart <= mEnd which should be ok.
Comment 18•23 years ago
|
||
Comment 19•23 years ago
|
||
Comment 20•23 years ago
|
||
Ok, here's what I'm seeing in the debugger, using ftang's URL at Microsoft/hotmail. If I click right before the 't' in Microsoft, and then shift-click in the middle of the '2000' next to it, we will run across a call to PaintUnicodeText() where textLength == 2 ... when bidiUtils->FormatUnicodeText() is called, it modifies textLength so that it is now 1, probaby because the 2nd character in the string is a space (char 32) ... so when we get to the "while(sdptr)" loop in question, the ip[] array is now out of sync with the text[] array and textLength variable. In this particular case sdptr->mStart == 0 and sdptr->mEnd == 2 ... so after executing the BIDI code in that loop we get sdptr->mStart = -1 and sdptr->mEnd = 1 ... so we crash. If the BIDI code is going to resize the text array and adjust the textLength variable, it needs to regenerate the ip array to match!!
Comment 21•23 years ago
|
||
kin- you are right, my patch didn't do that. simon- do you have a better fix?
Comment 22•23 years ago
|
||
kin is right, my attempt is wrong.
Comment 23•23 years ago
|
||
Comment 24•23 years ago
|
||
OK, here is a temp fix. It does not really fix the problem but at least it will stop the bleeding untill simon produce a right fix.
Comment 25•23 years ago
|
||
sr=sfraser the last patch, as long as the comment is enhanced to reference this bug, and say why the values can become negative (whitespace compression).
Comment 26•23 years ago
|
||
check in temp fix and reassign to simon@softel.co.il to produce real fix. Since we no longer crash, take out the moz0.9.1 milestone. and crash keyword.
Assignee: ftang → simon
Status: ASSIGNED → NEW
Keywords: crash
Whiteboard: crash → add bandaid code to turn crash into assertion gracefully.
Target Milestone: mozilla0.9.1 → ---
Assignee | ||
Updated•23 years ago
|
Target Milestone: mozilla0.9.2 → mozilla0.9.3
Comment 28•23 years ago
|
||
Ftang - This is now marked as M0.9.3; should we place a nsBranch keyword on this one. I think this is stop ship crashed in my book.
Assignee | ||
Comment 29•23 years ago
|
||
Does anybody still see the assertions here? I haven't had any luck in reproducing this and suspect that it has been fixed by another checkin
Comment 30•23 years ago
|
||
I Tried it again on US NT with build of 28/06/2001, still got the same problem. note that Arabic shaping was disabled for that build, so it has nothing to do with the crash. I'm downloading the installable version to test on 98 US.
Comment 31•23 years ago
|
||
I have tried the same scenario with 98 US with 28/06 build, I still get the same crash. Simon, are you trying this on Win2k with US locale as default? because with this case for Arabic, if I have one of the Arabic locales installed - even if it is not the default - Mozilla still detects the system as a bidi one !!! so I can't recreate the problem there.
Assignee | ||
Comment 32•23 years ago
|
||
There are two distinct crash cases being discussed here. Maha's original testcase was duped by bug 85813, and is fixed by attachment 41263 [details] [diff] [review]. The hotmail.co.il login page is another case, which I will now start working on.
Updated•23 years ago
|
Status: NEW → RESOLVED
Closed: 23 years ago
Resolution: --- → FIXED
Comment 33•23 years ago
|
||
Tested with the build of 6 Jul, it is fixed.
Comment 34•23 years ago
|
||
This problem is related to the Arabic Shaping. Resulting buffer from shaping is smaller in size than the original, which causes mEnd > textLength, and the crash. This is fixed in the patch submitted for bug 92797. added zero width space to cover for the shrinkage. we get the same assertion when we have RLM & LRM in the HTML, then NSBIDI_REMOVE_BIDI_CONTROLS is set and the buffer size coming out from FormatUnicodeText is less than the original.
You need to log in
before you can comment on or make changes to this bug.
Description
•