384527 - Crash [@ nsTextFrameUtils::TransformText] with inline-table, floating first-letter and direction: rtl

Status: RESOLVED FIXED

(Core :: Layout, defect)

Description

[Martijn Wargers (dead)]

Attachment: testcase

The textframe build of 2007-06-14 crashes on this html:

<html><head style="display: inline-table;">
<style style="display: block; direction: rtl;">
style::first-letter {float: right;}
</style>
</head>
<body>
</body>
</html>

Comment 1

[Martijn Wargers (dead)]

I tried to come up with a more sane testcase (moving stuff out of the head, etc), but it only seems to crash in this weird combination.

Comment 2

[Martijn Wargers (dead)]

Worksforme, using:
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9a6pre) Gecko/20070620 Minefield/3.0a6pre

Comment 3

[Martijn Wargers (dead)]

Oh, it's crashing for me again, using:
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9a6pre) Gecko/20070626 Minefield/3.0a6pre

I guess I was too hasty by closing it.
It might be the same as bug 385751, though, not sure.

Comment 4

[Martijn Wargers (dead)]

Often, the breakpad agent doesn't come up at all.
http://crash-stats.mozilla.com/report/index/a45b88ee-50cd-11dc-92e7-001a4bd43e5c
0  	nsTextFrameUtils::TransformText(unsigned char const*, unsigned int, unsigned char*, int, unsigned char*, gfxSkipCharsBuilder*, unsigned int*)  	 nsTextFrameUtils.cpp:3.8:210
1 	BuildTextRunsScanner::BuildTextRunForFrames(void*) 	nsTextFrameThebes.cpp:3.71:1635
2 	BuildTextRunsScanner::FlushFrames(int) 	nsTextFrameThebes.cpp:3.71:1267
3 	@0x13e0200 	
(this is with current trunk build)

Comment 5

[Jesse Ruderman]

Despite being on a different platform (I'm on Mac while Martijn is on Windows), I see the same thing: a crash [@ nsTextFrameUtils::TransformText] with the same next two frames and a similar cutoff of stack information.  On Mac, the crash is consistently an attempt to dereference 0xc0000000.

Mac OS X Crash Reporter frequently gets confused and often dumps the log for this crash into files like "dniw).crash.log" rather than the correct log file "firefox-bin.crash.log".  I've never seen that happen with other crashes.

Comment 6

[Robert O'Callahan (:roc) (email my personal email if necessary)]

crashes involving floating first-letters and RTL are probably all related; the bidi resolver currently doesn't handle floating first-letters at all.

Comment 7

[Simon Montagu :smontagu]

I have a patch which prevents the crash here and in bug 385751, but there seems to be a separate bug that first-letter style is not applied to rtl elements if there is white space before the first letter.

Comment 8

[Simon Montagu :smontagu]

More correctly, first-letter style is not applied to a first letter with a different directionality from the base directionality (i.e. rtl letter in an ltr paragraph or ltr letter in an rtl paragraph) if there is white space before the first letter.

Comment 9

[Simon Montagu :smontagu]

Attachment: Patch

Comment 10

[Robert O'Callahan (:roc) (email my personal email if necessary)]

bug 393923 seems to cover the underlying styling issue (it's probably mine)

Comment 11

[Robert O'Callahan (:roc) (email my personal email if necessary)]

Comment on attachment 278544 [details] [diff] [review]
Patch

I don't really understand this code, but rubber-stamp=me

Comment 12

[Simon Montagu :smontagu]

Checked in with a typo corrected: s/H/h/ in |#include "nsPlaceHolderframe.h"|

Comment 13

[(no longer active)]

Mass-assigning the new rtl keyword to RTL-related (see bug 349193).