Closed Bug 291176 Opened 20 years ago Closed 20 years ago

view-source crashes on URL [@ nsTextFrame::PrepareUnicodeText]

Categories

(Core :: Layout: Text and Fonts, defect)

x86
Windows 98
defect
Not set
critical

Tracking


VERIFIED FIXED

People

(Reporter: hhschwab, Assigned: rbs)

References


Details

(Keywords: crash, regression, testcase)

Crash Data

Attachments

(3 files)

Mozilla/5.0 (Windows; U; Win98; en-US; rv:1.8b2) Gecko/20050420 Mnenhy/0.7

URL from Bug 291102

Steps to repeat:
1. Load http://www.okaz.com.sa/
2. view source from Menu or CTRL+U

BuildId 2005041706 working, BuildId 2005041805 crashing

Talkbacks: TB5230375X, TB5230370Y, TB5231675Z

checkins in that timeframe:
http://bonsai.mozilla.org/cvsquery.cgi?treeid=default&module=SeaMonkeyAll&branch=HEAD&branchtype=match&dir=&file=&filetype=match&who=&whotype=match&sortby=Date&hours=2&date=explicit&mindate=2005-04-17+00%3A00&maxdate=2005-04-18+05%3A00&cvsroot=%2Fcvsroot
Keywords: crash
OS: other → Windows 98
I tried this in my own Mozilla 1.8b2 build (2005042007) and I can confirm the crash.

Build platform
target: i686-pc-linux-gnu

Build tools (Compiler / Version / Compiler flags)
gcc: gcc version 3.4.3 20050227 (Red Hat 3.4.3-22.fc3)
  -Wall -W -Wno-unused -Wpointer-arith -Wcast-align -Wno-long-long -pedantic -pthread -pipe
c++: gcc version 3.4.3 20050227 (Red Hat 3.4.3-22.fc3)
  -fno-rtti -fno-exceptions -Wall -Wconversion -Wpointer-arith -Wcast-align -Woverloaded-virtual -Wsynth -Wno-ctor-dtor-privacy -Wno-non-virtual-dtor -Wno-long-long -pedantic -fshort-wchar -pthread -pipe -I/usr/X11R6/include

Configure arguments
--enable-application=suite --enable-crypto --disable-debug --disable-tests --enable-optimize=-O2 --enable-default-toolkit=gtk2 --enable-xft --disable-freetype2
Attached file testcase
<HTML>
<HEAD>
<META HTTP-EQUIV="Content-Type" content="text/html; charset=windows-1256">
</HEAD>
<BODY TOPMARGIN=0 LEFTMARGIN=0 dir=rtl bgcolor="white">
<Script>
// The Arabic string below must be stored in windows-1256 to match the META charset above.
window.self.focus()
Browser_ver=navigator.appVersion
ind=Browser_ver.indexOf("MSIE")
index=Browser_ver.indexOf(";",ind)
Ver=Browser_ver.substring(ind+4,index)
numObj=new Number(Ver)
val=numObj.valueOf()
if( val < 5 )
  var act=window.confirm("الموقع يحتاج لنسخة متقدمة من المتصفح للعمل بكفاءة\n هل تريد تحميل نسخة متقدمة من المتصفح ؟")
if(act)
  window.open("http://www.microsoft.com/ie")
</Script>
</BODY>
</HTML>
Link to testcase: https://bugzilla.mozilla.org/attachment.cgi?id=181316
Link to crash: view-source:https://bugzilla.mozilla.org/attachment.cgi?id=181316

I disabled JS, loaded the testcase, and crashed.
If I replace the Arabic text in the following line by western characters, all is well.
If I just put the Arabic text of that line as a comment into the body, all is well.

var act=window.confirm("الموقع يحتاج لنسخة متقدمة من المتصفح للعمل بكفاءة\n هل تريد تحميل نسخة متقدمة من المتصفح ؟")

replace with:

var act=window.confirm("confirm")

and the crash is gone.
Keywords: testcase
Stacktrace:
nsTextFrame::PrepareUnicodeText(nsTextFrame * const 0x000000e6, nsTextTransformer & {...}, nsAutoIndexBuffer * 0x0012ee70, nsAutoTextBuffer * 0x00000074, int * 0x0012f198, int 0x00000000, int * 0x00000000) line 1771 + 20 bytes
nsTextFrame::PaintUnicodeText(nsTextFrame * const 0x000000e6, nsPresContext * 0x06b1b118, nsIRenderingContext & {...}, nsStyleContext * 0x09f22be8, nsTextFrame::TextPaintStyle & {...}, int 0x00000000, int 0x00000000) line 2423
nsTextFrame::Paint(nsTextFrame * const 0x00000010, nsPresContext * 0x06b1b118, nsIRenderingContext & {...}, const nsRect & {...}, nsFramePaintLayer 0x07655640, unsigned int 0x00000000) line 1526
nsContainerFrame::PaintChild(nsContainerFrame * const 0x000000e6, nsPresContext * 0x06b1b118, nsIRenderingContext & {...}, const nsRect & {...}, nsIFrame * 0x41000000, nsFramePaintLayer eFramePaintLayer_Overlay, unsigned int 0x00000000) line 304
nsBlockFrame::PaintChild(nsBlockFrame * const 0x000000e6, nsPresContext * 0x06b1b118, nsIRenderingContext & {...}, const nsRect & {...}, nsIFrame * 0x076c4c00, nsFramePaintLayer eFramePaintLayer_Overlay, unsigned int 0x00000000) line 287
nsBlockFrame::PaintChildren(nsBlockFrame * const 0x000000e6, nsPresContext * 0x06b1b118, nsIRenderingContext & {...}, const nsRect & {...}, nsFramePaintLayer eFramePaintLayer_Overlay, unsigned int 0x00000000) line 6320 + 57 bytes
nsHTMLContainerFrame::PaintDecorationsAndChildren(nsHTMLContainerFrame * const 0x000000e6, nsPresContext * 0x06b1b118, nsIRenderingContext & {...}, const nsRect & {...}, nsFramePaintLayer eFramePaintLayer_Overlay, int 0x00000001, unsigned int 0x00000000) line 137
nsBlockFrame::Paint(nsBlockFrame * const 0x00000000, nsPresContext * 0x06b1b118, nsIRenderingContext & {...}, const nsRect & {...}, nsFramePaintLayer eFramePaintLayer_Overlay, unsigned int 0x00000000) line 6168
nsContainerFrame::PaintChild(nsContainerFrame * const 0x000000e6, nsPresContext * 0x06b1b118, nsIRenderingContext & {...}, const nsRect & {...}, nsIFrame * 0x41000000, nsFramePaintLayer eFramePaintLayer_Overlay, unsigned int 0x00000000) line 304
nsBlockFrame::PaintChild(nsBlockFrame * const 0x000000e6, nsPresContext * 0x06b1b118, nsIRenderingContext & {...}, const nsRect & {...}, nsIFrame * 0x09f22b98, nsFramePaintLayer eFramePaintLayer_Overlay, unsigned int 0x00000000) line 287
nsBlockFrame::PaintChildren(nsBlockFrame * const 0x000000e6, nsPresContext * 0x06b1b118, nsIRenderingContext & {...}, const nsRect & {...}, nsFramePaintLayer eFramePaintLayer_Overlay, unsigned int 0x00000000) line 6341 + 67 bytes
nsHTMLContainerFrame::PaintDecorationsAndChildren(nsHTMLContainerFrame * const 0x000000e6, nsPresContext * 0x06b1b118, nsIRenderingContext & {...}, const nsRect & {...}, nsFramePaintLayer eFramePaintLayer_Overlay, int 0x00000001, unsigned int 0x00000000) line 137
nsBlockFrame::Paint(nsBlockFrame * const 0x00000000, nsPresContext * 0x06b1b118, nsIRenderingContext & {...}, const nsRect & {...}, nsFramePaintLayer eFramePaintLayer_Overlay, unsigned int 0x00000000) line 6168
nsContainerFrame::PaintChild(nsContainerFrame * const 0x000000e6, nsPresContext * 0x06b1b118, nsIRenderingContext & {...}, const nsRect & {...}, nsIFrame * 0x00000000, nsFramePaintLayer eFramePaintLayer_Overlay, unsigned int 0x00000000) line 304
nsBlockFrame::PaintChild(nsBlockFrame * const 0x000000e6, nsPresContext * 0x06b1b118, nsIRenderingContext & {...}, const nsRect & {...}, nsIFrame * 0x09f223dc, nsFramePaintLayer eFramePaintLayer_Overlay, unsigned int 0x00000000) line 287
nsBlockFrame::PaintChildren(nsBlockFrame * const 0x000000e6, nsPresContext * 0x06b1b118, nsIRenderingContext & {...}, const nsRect & {...}, nsFramePaintLayer eFramePaintLayer_Overlay, unsigned int 0x00000000) line 6341 + 67 bytes
nsHTMLContainerFrame::PaintDecorationsAndChildren(nsHTMLContainerFrame * const 0x000000e6, nsPresContext * 0x06b1b118, nsIRenderingContext & {...}, const nsRect & {...}, nsFramePaintLayer eFramePaintLayer_Overlay, int 0x00000001, unsigned int 0x00000000) line 137
nsBlockFrame::Paint(nsBlockFrame * const 0x00000000, nsPresContext * 0x06b1b118, nsIRenderingContext & {...}, const nsRect & {...}, nsFramePaintLayer eFramePaintLayer_Overlay, unsigned int 0x00000000) line 6168
nsContainerFrame::PaintChild(nsContainerFrame * const 0x000000e6, nsPresContext * 0x06b1b118, nsIRenderingContext & {...}, const nsRect & {...}, nsIFrame * 0x00000000, nsFramePaintLayer eFramePaintLayer_Overlay, unsigned int 0x00000000) line 304
Summary: view-source crashes on URL → view-source crashes on URL [@ nsTextFrame::PrepareUnicodeText]
two talkbacks using the testcase, JS disabled: TB5233411X, TB5233210K

I can't get connected to http://talkback-public.mozilla.org/talkback/fastfind.jsp
rbs: Possible regression from Bug 96423 or Bug 93168 (judging from bonsai and stacktrace)?
Assignee: mrbkap → nobody
Component: ViewSource → Layout: Fonts and Text
Product: Mozilla Application Suite → Core
QA Contact: doronr → layout.fonts-and-text
Either of the fixes I suggest in bug 291188 comment 3 fixes this crash also.
Depends on: 291188
Attached patch fix
Fix does what Simon suggested. I wonder why bidi is transforming beyond its need. There is little reason why the length of the transformed text should be bounded by the length of the original content (apart from ::first-letter which is clear). The text should be allowed to expand, no? Or the transformed length should be computed properly rather than being clamped here. The |if| is necessary otherwise we regress the other bug 286923.
Assignee: nobody → rbs
Status: NEW → ASSIGNED
Attachment #181360 - Flags: superreview?(bzbarsky)
Attachment #181360 - Flags: review?(smontagu)
Comment on attachment 181360 (fix)

r=me. Bidi can't allow the transformed text to expand from a left-to-right run to a right-to-left run or vice versa, because these have to be rendered in separate calls to gfx.
Attachment #181360 - Flags: review?(smontagu) → review+
Since the BIDI logic permeates deeply into the transformer (unlike ::first-letter), you might perhaps consider setting the length of the transformed text accordingly there.
Attachment #181360 - Flags: superreview?(bzbarsky) → superreview+
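The comments above turn on one point: an output buffer sized from the input length while the transform can produce more units than it consumed. The following is an added C illustration of that bug class and of the two sizing strategies rbs contrasts (clamping to the input length versus computing the transformed length). It is not Gecko code and not the patch on this bug; the transform, the marker value and the sample input are constructed for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Toy transform standing in for an expanding text transformation. Any unit in
 * the Arabic block (U+0600..U+06FF) expands to two output units: the unit
 * itself followed by a marker. Everything else copies through unchanged.
 * This is an illustrative model, not Gecko's nsTextTransformer. */
#define EXPAND_MARKER 0xFFFFu

static int expands(uint16_t u) { return u >= 0x0600 && u <= 0x06FF; }

/* Exact output length for a given input: derived from the transform itself,
 * not assumed to be bounded by the input length. */
size_t transformed_len(const uint16_t *in, size_t n) {
    size_t len = 0;
    for (size_t i = 0; i < n; i++)
        len += expands(in[i]) ? 2 : 1;
    return len;
}

/* Writes the transformed text into out[0..cap). Returns the number of units
 * written, or -1 when cap is too small. Refusing early is what protects a
 * caller that sized `out` from the input length (the faulty assumption) from
 * reading or writing beyond the buffer. */
long transform_checked(const uint16_t *in, size_t n, uint16_t *out, size_t cap) {
    size_t w = 0;
    for (size_t i = 0; i < n; i++) {
        size_t need = expands(in[i]) ? 2 : 1;
        if (w + need > cap)
            return -1;
        out[w++] = in[i];
        if (need == 2)
            out[w++] = EXPAND_MARKER;
    }
    return (long)w;
}

/* Constructed sample: two Latin units around two Arabic units (alef, lam). */
const uint16_t kSample[] = { 'a', 0x0627, 0x0644, 'b' };
const size_t kSampleLen = sizeof kSample / sizeof kSample[0];

/* Runs the sample through both sizing strategies. Returns 0 when the
 * input-length-sized buffer is refused and the properly sized one succeeds
 * with the expected contents; a nonzero code identifies which check failed. */
int demo(void) {
    uint16_t out[16];
    size_t need = transformed_len(kSample, kSampleLen);
    if (need != 6) return 1;                                           /* 1+2+2+1 */
    if (transform_checked(kSample, kSampleLen, out, kSampleLen) != -1) return 2;
    if (transform_checked(kSample, kSampleLen, out, need) != 6) return 3;
    if (out[0] != 'a' || out[1] != 0x0627 || out[2] != EXPAND_MARKER) return 4;
    return 0;
}

int main(void) {
    printf("input units: %zu, transformed units: %zu, demo: %d\n",
           kSampleLen, transformed_len(kSample, kSampleLen), demo());
    return 0;
}
```

With the sample, four input units transform into six, so a buffer of four units is refused rather than overrun, while a buffer sized by transformed_len() takes the whole result.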
Comment on attachment 181360 (fix)

Asking approval for 1.8b2 for this simple patch to fix a crash in bidi text.
Attachment #181360 - Flags: approval1.8b2?
Reversing dependencies
Blocks: 291188
No longer depends on: 291188
Attachment #181360 - Flags: approval1.8b2? → approval1.8b2+
Checked in.
Status: ASSIGNED → RESOLVED
Closed: 20 years ago
Resolution: --- → FIXED
Verified FIXED with build 2005-04-23-05 on Windows XP Seamonkey trunk.
Status: RESOLVED → VERIFIED
Can we get this checked in on the branch?
*** Bug 310274 has been marked as a duplicate of this bug. ***
Ignore me, this is from before we branched
Blocks: 310274
Crash Signature: [@ nsTextFrame::PrepareUnicodeText]