Closed Bug 384527 Opened 17 years ago Closed 17 years ago

Crash [@ nsTextFrameUtils::TransformText] with inline-table, floating first-letter and direction: rtl

Categories

(Core :: Layout, defect)

Type: defect
Priority: Not set
Severity: critical

RESOLVED FIXED

People

(Reporter: martijn.martijn, Assigned: smontagu)

Details

(Keywords: crash, rtl, testcase, Whiteboard: [sg:critical?] post 1.8-branch)

Attachments

(2 files)

Attached file testcase
The textframe build of 2007-06-14 crashes on this html:

<html><head style="display: inline-table;">
<style style="display: block; direction: rtl;">
style::first-letter {float: right;}
</style>
</head>
<body>
</body>
</html>
I tried to come up with a more sane testcase (moving stuff out of the head, etc.), but it only seems to crash in this weird combination.
Blocks: 384441
No longer blocks: 384441
Worksforme, using:
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9a6pre) Gecko/20070620 Minefield/3.0a6pre
Status: NEW → RESOLVED
Closed: 17 years ago
Resolution: --- → WORKSFORME
Flags: in-testsuite?
Oh, it's crashing for me again, using:
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9a6pre) Gecko/20070626 Minefield/3.0a6pre

I guess I was too hasty by closing it.
It might be the same as bug 385751, though, not sure.
Status: RESOLVED → REOPENED
Resolution: WORKSFORME → ---
Flags: blocking1.9?
Often, the breakpad agent doesn't come up at all.
http://crash-stats.mozilla.com/report/index/a45b88ee-50cd-11dc-92e7-001a4bd43e5c
0  	nsTextFrameUtils::TransformText(unsigned char const*, unsigned int, unsigned char*, int, unsigned char*, gfxSkipCharsBuilder*, unsigned int*)  	 nsTextFrameUtils.cpp:3.8:210
1 	BuildTextRunsScanner::BuildTextRunForFrames(void*) 	nsTextFrameThebes.cpp:3.71:1635
2 	BuildTextRunsScanner::FlushFrames(int) 	nsTextFrameThebes.cpp:3.71:1267
3 	@0x13e0200 	
(this is with current trunk build)
Summary: Crash with inline-table, floating first-letter and direction: rtl (new textrame) → Crash [@ nsTextFrameUtils::TransformText] with inline-table, floating first-letter and direction: rtl
Blocks: 385751
Despite being on a different platform (I'm on Mac while Martijn is on Windows), I see the same thing: a crash [@ nsTextFrameUtils::TransformText] with the same next two frames and a similar cutoff of stack information.  On Mac, the crash is consistently an attempt to dereference 0xc0000000.

Mac OS X Crash Reporter frequently gets confused and often dumps the log for this crash into files like "dniw).crash.log" rather than the correct log file "firefox-bin.crash.log".  I've never seen that happen with other crashes.
OS: Windows XP → All
Hardware: PC → All
Whiteboard: [sg:critical?]
Crashes involving floating first-letters and RTL are probably all related; the bidi resolver currently doesn't handle floating first-letters at all.
I have a patch which prevents the crash here and in bug 385751, but there seems to be a separate bug that first-letter style is not applied to rtl elements if there is white space before the first letter.
More correctly, first-letter style is not applied to a first letter with a different directionality from the base directionality (i.e. rtl letter in an ltr paragraph or ltr letter in an rtl paragraph) if there is white space before the first letter.
Attached patch Patch
Assignee: nobody → smontagu
Status: REOPENED → ASSIGNED
Attachment #278544 - Flags: superreview?(roc)
Attachment #278544 - Flags: review?(roc)
Flags: blocking1.9? → blocking1.9+
bug 393923 seems to cover the underlying styling issue (it's probably mine)
Comment on attachment 278544
Patch

I don't really understand this code, but rubber-stamp=me
Attachment #278544 - Flags: superreview?(roc) → superreview+
Attachment #278544 - Flags: review?(roc) → review+
Checked in with a typo corrected: s/H/h/ in |#include "nsPlaceHolderframe.h"|
Status: ASSIGNED → RESOLVED
Closed: 17 years ago
Resolution: --- → FIXED
Flags: in-testsuite? → in-testsuite+
Flags: wanted1.8.1.x-
Whiteboard: [sg:critical?] → [sg:critical?] post 1.8-branch
Mass-assigning the new rtl keyword to RTL-related (see bug 349193).
Keywords: rtl
Crash Signature: [@ nsTextFrameUtils::TransformText]