Closed
Bug 291176
Opened 20 years ago
Closed 20 years ago
view-source crashes on URL [@ nsTextFrame::PrepareUnicodeText]
Categories
(Core :: Layout: Text and Fonts, defect)
VERIFIED
FIXED
People
(Reporter: hhschwab, Assigned: rbs)
Details
(Keywords: crash, regression, testcase)
Attachments
(3 files)
622 bytes, text/html
43.64 KB, text/html
781 bytes, patch (smontagu: review+, bzbarsky: superreview+, asa: approval1.8b2+)
Mozilla/5.0 (Windows; U; Win98; en-US; rv:1.8b2) Gecko/20050420 Mnenhy/0.7
URL from Bug 291102
Steps to repeat:
1. Load http://www.okaz.com.sa/
2. view source from Menu or CTRL+U
BuildId 2005041706 working, BuildId 2005041805 crashing
Talkbacks:
TB5230375X, TB5230370Y, TB5231675Z
checkins in that timeframe:
http://bonsai.mozilla.org/cvsquery.cgi?treeid=default&module=SeaMonkeyAll&branch=HEAD&branchtype=match&dir=&file=&filetype=match&who=&whotype=match&sortby=Date&hours=2&date=explicit&mindate=2005-04-17+00%3A00&maxdate=2005-04-18+05%3A00&cvsroot=%2Fcvsroot
Comment 1•20 years ago
I tried this in my own Mozilla 1.8b2 build (2005042007) and I can confirm the crash.
Build platform target i686-pc-linux-gnu
Build tools
Compiler Version Compiler flags
gcc gcc version 3.4.3 20050227 (Red Hat 3.4.3-22.fc3) -Wall -W -Wno-unused
-Wpointer-arith -Wcast-align -Wno-long-long -pedantic -pthread -pipe
c++ gcc version 3.4.3 20050227 (Red Hat 3.4.3-22.fc3) -fno-rtti
-fno-exceptions -Wall -Wconversion -Wpointer-arith -Wcast-align
-Woverloaded-virtual -Wsynth -Wno-ctor-dtor-privacy -Wno-non-virtual-dtor
-Wno-long-long -pedantic -fshort-wchar -pthread -pipe -I/usr/X11R6/include
Configure arguments
--enable-application=suite --enable-crypto --disable-debug --disable-tests
--enable-optimize=-O2 --enable-default-toolkit=gtk2 --enable-xft
--disable-freetype2
Comment 2•20 years ago (Reporter)
<META HTTP-EQUIV="Content-Type" content="text/html; charset=windows-1256">
</HEAD>
<BODY TOPMARGIN=0 LEFTMARGIN=0 dir=rtl bgcolor="white">
<Script>
window.self.focus()
Browser_ver=navigator.appVersion
ind=Browser_ver.indexOf("MSIE")
index=Browser_ver.indexOf(";",ind)
Ver=Browser_ver.substring(ind+4,index)
numObj=new Number(Ver)
val=numObj.valueOf()
if( val < 5 )
var act=window.confirm("ÇáãæÞÚ íÍÊÇÌ áäÓÎÉ ãÊÞÏãÉ ãä ÇáãÊÕÝÍ ááÚãá ÈßÝÇÁÉ\n åá ÊÑíÏ ÊÍãíá äÓÎÉ ãÊÞÏãÉ ãä ÇáãÊÕÝÍ ¿")
if(act)
window.open("http://www.microsoft.com/ie")
</Script>
Comment 3•20 years ago (Reporter)
Link to testcase: https://bugzilla.mozilla.org/attachment.cgi?id=181316
Link to crash: view-source:https://bugzilla.mozilla.org/attachment.cgi?id=181316
I disabled JS, loaded the testcase, and crashed.
If I replace the Arabic text in the following line by Western characters, all is
well. If I just put the Arabic text of that line as a comment into the body, all is well.
var act=window.confirm("ÇáãæÞÚ íÍÊÇÌ áäÓÎÉ ãÊÞÏãÉ ãä ÇáãÊÕÝÍ ááÚãá ÈßÝÇÁÉ\n åá ÊÑíÏ ÊÍãíá äÓÎÉ ãÊÞÏãÉ ãä ÇáãÊÕÝÍ ¿")
replace with:
var act=window.confirm("confirm") and the crash is gone.
Keywords: testcase
Comment 4•20 years ago
Stacktrace:
nsTextFrame::PrepareUnicodeText(nsTextFrame * const 0x000000e6,
nsTextTransformer & {...}, nsAutoIndexBuffer * 0x0012ee70, nsAutoTextBuffer *
0x00000074, int * 0x0012f198, int 0x00000000, int * 0x00000000) line 1771 + 20 bytes
nsTextFrame::PaintUnicodeText(nsTextFrame * const 0x000000e6, nsPresContext *
0x06b1b118, nsIRenderingContext & {...}, nsStyleContext * 0x09f22be8,
nsTextFrame::TextPaintStyle & {...}, int 0x00000000, int 0x00000000) line 2423
nsTextFrame::Paint(nsTextFrame * const 0x00000010, nsPresContext * 0x06b1b118,
nsIRenderingContext & {...}, const nsRect & {...}, nsFramePaintLayer 0x07655640,
unsigned int 0x00000000) line 1526
nsContainerFrame::PaintChild(nsContainerFrame * const 0x000000e6, nsPresContext
* 0x06b1b118, nsIRenderingContext & {...}, const nsRect & {...}, nsIFrame *
0x41000000, nsFramePaintLayer eFramePaintLayer_Overlay, unsigned int 0x00000000)
line 304
nsBlockFrame::PaintChild(nsBlockFrame * const 0x000000e6, nsPresContext *
0x06b1b118, nsIRenderingContext & {...}, const nsRect & {...}, nsIFrame *
0x076c4c00, nsFramePaintLayer eFramePaintLayer_Overlay, unsigned int 0x00000000)
line 287
nsBlockFrame::PaintChildren(nsBlockFrame * const 0x000000e6, nsPresContext *
0x06b1b118, nsIRenderingContext & {...}, const nsRect & {...}, nsFramePaintLayer
eFramePaintLayer_Overlay, unsigned int 0x00000000) line 6320 + 57 bytes
nsHTMLContainerFrame::PaintDecorationsAndChildren(nsHTMLContainerFrame * const
0x000000e6, nsPresContext * 0x06b1b118, nsIRenderingContext & {...}, const
nsRect & {...}, nsFramePaintLayer eFramePaintLayer_Overlay, int 0x00000001,
unsigned int 0x00000000) line 137
nsBlockFrame::Paint(nsBlockFrame * const 0x00000000, nsPresContext * 0x06b1b118,
nsIRenderingContext & {...}, const nsRect & {...}, nsFramePaintLayer
eFramePaintLayer_Overlay, unsigned int 0x00000000) line 6168
nsContainerFrame::PaintChild(nsContainerFrame * const 0x000000e6, nsPresContext
* 0x06b1b118, nsIRenderingContext & {...}, const nsRect & {...}, nsIFrame *
0x41000000, nsFramePaintLayer eFramePaintLayer_Overlay, unsigned int 0x00000000)
line 304
nsBlockFrame::PaintChild(nsBlockFrame * const 0x000000e6, nsPresContext *
0x06b1b118, nsIRenderingContext & {...}, const nsRect & {...}, nsIFrame *
0x09f22b98, nsFramePaintLayer eFramePaintLayer_Overlay, unsigned int 0x00000000)
line 287
nsBlockFrame::PaintChildren(nsBlockFrame * const 0x000000e6, nsPresContext *
0x06b1b118, nsIRenderingContext & {...}, const nsRect & {...}, nsFramePaintLayer
eFramePaintLayer_Overlay, unsigned int 0x00000000) line 6341 + 67 bytes
nsHTMLContainerFrame::PaintDecorationsAndChildren(nsHTMLContainerFrame * const
0x000000e6, nsPresContext * 0x06b1b118, nsIRenderingContext & {...}, const
nsRect & {...}, nsFramePaintLayer eFramePaintLayer_Overlay, int 0x00000001,
unsigned int 0x00000000) line 137
nsBlockFrame::Paint(nsBlockFrame * const 0x00000000, nsPresContext * 0x06b1b118,
nsIRenderingContext & {...}, const nsRect & {...}, nsFramePaintLayer
eFramePaintLayer_Overlay, unsigned int 0x00000000) line 6168
nsContainerFrame::PaintChild(nsContainerFrame * const 0x000000e6, nsPresContext
* 0x06b1b118, nsIRenderingContext & {...}, const nsRect & {...}, nsIFrame *
0x00000000, nsFramePaintLayer eFramePaintLayer_Overlay, unsigned int 0x00000000)
line 304
nsBlockFrame::PaintChild(nsBlockFrame * const 0x000000e6, nsPresContext *
0x06b1b118, nsIRenderingContext & {...}, const nsRect & {...}, nsIFrame *
0x09f223dc, nsFramePaintLayer eFramePaintLayer_Overlay, unsigned int 0x00000000)
line 287
nsBlockFrame::PaintChildren(nsBlockFrame * const 0x000000e6, nsPresContext *
0x06b1b118, nsIRenderingContext & {...}, const nsRect & {...}, nsFramePaintLayer
eFramePaintLayer_Overlay, unsigned int 0x00000000) line 6341 + 67 bytes
nsHTMLContainerFrame::PaintDecorationsAndChildren(nsHTMLContainerFrame * const
0x000000e6, nsPresContext * 0x06b1b118, nsIRenderingContext & {...}, const
nsRect & {...}, nsFramePaintLayer eFramePaintLayer_Overlay, int 0x00000001,
unsigned int 0x00000000) line 137
nsBlockFrame::Paint(nsBlockFrame * const 0x00000000, nsPresContext * 0x06b1b118,
nsIRenderingContext & {...}, const nsRect & {...}, nsFramePaintLayer
eFramePaintLayer_Overlay, unsigned int 0x00000000) line 6168
nsContainerFrame::PaintChild(nsContainerFrame * const 0x000000e6, nsPresContext
* 0x06b1b118, nsIRenderingContext & {...}, const nsRect & {...}, nsIFrame *
0x00000000, nsFramePaintLayer eFramePaintLayer_Overlay, unsigned int 0x00000000)
line 304
Summary: view-source crashes on URL → view-source crashes on URL [@ nsTextFrame::PrepareUnicodeText]
Comment 5•20 years ago (Reporter)
two talkbacks using the testcase, JS disabled: TB5233411X, TB5233210K
I can't get connected to http://talkback-public.mozilla.org/talkback/fastfind.jsp
Comment 6•20 years ago
Assignee: mrbkap → nobody
Component: ViewSource → Layout: Fonts and Text
Product: Mozilla Application Suite → Core
QA Contact: doronr → layout.fonts-and-text
Comment 7•20 years ago (Reporter)
Comment 8•20 years ago
Either of the fixes I suggest in bug 291188 comment 3 fixes this crash also.
Depends on: 291188
Fix does what Simon suggested. I wonder why bidi is transforming beyond its
need. There is little reason why the length of the transformed text should be
bounded by the length of the original content (apart from ::first-letter which
is clear). The text should be allowed to expand, no? Or the transformed length
should be computed properly rather than being clamped here. The |if| is
necessary otherwise we regress the other bug 286923.
Assignee: nobody → rbs
Status: NEW → ASSIGNED
Attachment #181360 - Flags: superreview?(bzbarsky)
Attachment #181360 - Flags: review?(smontagu)
Comment 10•20 years ago
Comment on attachment 181360 (fix)
r=me. Bidi can't allow the transformed text to expand from a left-to-right run
to a right-to-left run or vice versa, because these have to be rendered in
separate calls to gfx.
Attachment #181360 - Flags: review?(smontagu) → review+
Comment 11•20 years ago (Assignee)
Since the BIDI logic permeates deeply into the transformer (unlike
::first-letter), you might perhaps consider setting the length of the
transformed text accordingly there.
Updated•20 years ago
Attachment #181360 - Flags: superreview?(bzbarsky) → superreview+
Comment 12•20 years ago (Assignee)
Comment on attachment 181360 (fix)
Asking approval for 1.8b2 for this simple patch to fix a crash in bidi text.
Attachment #181360 - Flags: approval1.8b2?
Comment 13•20 years ago
Reversing dependencies
Comment 14•20 years ago
Comment on attachment 181360 (fix)
a=asa
Attachment #181360 - Flags: approval1.8b2? → approval1.8b2+
Comment 15•20 years ago (Assignee)
Checked in.
Status: ASSIGNED → RESOLVED
Closed: 20 years ago
Resolution: --- → FIXED
Verified FIXED with build 2005-04-23-05 on Windows XP Seamonkey trunk.
Status: RESOLVED → VERIFIED
Can we get this checked in on the branch?
*** Bug 310274 has been marked as a duplicate of this bug. ***
Ignore me, this is from before we branched
Updated•13 years ago
Crash Signature: [@ nsTextFrame::PrepareUnicodeText]