"ASSERTION: No text for IsSpace" with wrapping inside table cell

RESOLVED FIXED in mozilla2.0b7

Status

()

Core
Layout
RESOLVED FIXED
7 years ago
6 years ago

People

(Reporter: Jesse Ruderman, Assigned: mats)

Tracking

(Blocks: 1 bug, {assertion, regression, testcase})

Trunk
mozilla2.0b7
assertion, regression, testcase
Points:
---
Dependency tree / graph
Bug Flags:
in-testsuite +

Firefox Tracking Flags

(blocking2.0 final+, blocking1.9.2 .13+, status1.9.2 .13-fixed, blocking1.9.1 .16+, status1.9.1 .16-fixed)

Details

(Whiteboard: [sg:critical?])

Attachments

(4 attachments, 3 obsolete attachments)

(Reporter)

Description

7 years ago
Created attachment 483694 [details]
testcase

###!!! ASSERTION: No text for IsSpace!: 'aPos < aFrag->GetLength()', 
file layout/generic/nsTextFrameThebes.cpp, line 627

###!!! ASSERTION: bad index: 'PRUint32(aIndex) < mState.mLength', 
file nsTextFragment.h, line 204
(Reporter)

Comment 1

7 years ago
Created attachment 483695 [details]
stack traces
(Assignee)

Comment 2

7 years ago
This is a regression from bug 571995.
Blocks: 571995
blocking2.0: --- → ?
Component: Layout: Tables → Layout
Keywords: regression
OS: Mac OS X → All
QA Contact: layout.tables → layout
Hardware: x86 → All
(Assignee)

Comment 3

7 years ago
Created attachment 483967 [details]
Trace results

We have a text run (0x7fffdfd943e0 in red) that spans multiple frames,
then we call AssignTextRun for a frame (0x7fffdfdc5c48 green) in the
middle of that continuation chain, this is the case were we keep the
old text run for the prev-continuations (per bug 571995) and assign
the new text run to the tail of continuations.

The problem is that old text run still has an unmodified
'mCharacterCount' which leads to the assertions here.
The old text run has 'mCharacterCount' = 80, the new (aTextRun) is 41.
(so there's an overlap after AssignTextRun)
Assignee: nobody → matspal
(Assignee)

Comment 4

7 years ago
Created attachment 483973 [details] [diff] [review]
wip1

We have a text run (0x7fffdfd943e0 in red) that spans multiple frames,
then we call AssignTextRun for a frame (0x7fffdfdc5c48 green) in the
middle of that continuation chain, this is the case were we keep the
old text run for the prev-continuations (per bug 571995) and assign
the new text run to the tail of continuations.

The problem is that old text run still has an unmodified
'mCharacterCount' which leads to the assertions here.
The old text run has 'mCharacterCount' = 80, the new (aTextRun) is 41.

Introducing a brute force gfxTextRun::SetLength() to set the old
text run length to 39 fixes the assertions, but leads to a new one:
  ASSERTION: Textrun was not completely removed from the cache!:
    'aTextRun->mCachedWords == 0', gfxTextRunWordCache.cpp, line 869
so I added "gfxTextRunWordCache::RemoveTextRun(oldTextRun)" which
removes ALL cached words for the old text run.
(fwiw, the patch passed TryServer unit tests)

It fixes the assertion above, but it doesn't feel right, we should
try to keep the words for 0..38 I think.  The problem is that the key
for the hash table includes the string length in the hash, so if I keep
the [0..38] words and then try to find them later with a different
text run length I won't find the last word since it now is shorter
than when we put it into the table so we'll use the wrong key.

So, for a text run [0..N] that is "split" at M, for the words 0..M
we should keep them as is, except the last one which should be
re-entered with length M instead of N. Words M..N should be removed
(since they belong to aTextRun).

Does that sound right? is it necessary? (or is this word cache data
re-created as needed?)  Do we have other data structures that will
fail if I shorten the text run length?

(I'll take a stab at fixing the word cache and see what falls out)
(Assignee)

Comment 5

7 years ago
correction: the length itself isn't part of the hash key,
but length characters from the text is.
(Assignee)

Comment 6

7 years ago
Created attachment 484041 [details] [diff] [review]
wip2

Here's a patch that updates the word cache per comment 4.
(In reply to comment #4)
> Created attachment 483973 [details] [diff] [review]
> wip1
> 
> We have a text run (0x7fffdfd943e0 in red) that spans multiple frames,
> then we call AssignTextRun for a frame (0x7fffdfdc5c48 green) in the
> middle of that continuation chain, this is the case were we keep the
> old text run for the prev-continuations (per bug 571995) and assign
> the new text run to the tail of continuations.

Hmm, I must have got the previous reviews wrong. I thought we were only going to keep the old textrun when the frame continuations from the assignment point forward were all empty. I don't want to start chopping textruns up like this.
(Assignee)

Comment 8

7 years ago
Created attachment 484348 [details] [diff] [review]
Patch rev. 3

Ok, point taken.  So, this looks at continuations from the assignment point
forward while they refer to the same text run, stopping at the first frame
where GetContentLength() != 0, and if so destroys the old text run.
Is there an easier way to check this?  Perhaps in the multi flow
case it's enough to check TextRunMappedFlow.mContentLength != 0
and avoid looking at each frame?
Attachment #483973 - Attachment is obsolete: true
Attachment #484041 - Attachment is obsolete: true
Attachment #484348 - Flags: review?(roc)
(Assignee)

Updated

7 years ago
Blocks: 605340
Actually I think all you need to do is get the content-offset of f, map it into the textrun text offsets using gfxSkipCharsIterator, and check that the resulting offset is at the end of the textrun!
Guys, can we get a security rating for this?
critical I guess.
(Assignee)

Comment 12

7 years ago
Created attachment 484790 [details] [diff] [review]
Patch rev. 4

Simplify the emptiness check.  Also, I found that ~98% of the checks
can be optimized away by first checking if f == firstFrame, in which
case 'ClearTextRun' will remove all references and destroy the text
run anyway.  (FindFlowForContent was just moved earlier in the file,
it's not changed in any way)
Attachment #484348 - Attachment is obsolete: true
Attachment #484790 - Flags: review?(roc)
Attachment #484348 - Flags: review?(roc)
Attachment #484790 - Flags: review?(roc) → review+
(Assignee)

Updated

7 years ago
Attachment #484790 - Flags: approval2.0?
blocking2.0: ? → final+
Attachment #484790 - Flags: approval2.0? → approval2.0+
(Assignee)

Comment 13

7 years ago
http://hg.mozilla.org/mozilla-central/rev/4c01c008b5c7
http://hg.mozilla.org/mozilla-central/rev/847ed2b55fe0
Status: NEW → RESOLVED
Last Resolved: 7 years ago
Flags: in-testsuite+
Resolution: --- → FIXED
Target Milestone: --- → mozilla2.0b8
Target Milestone: mozilla2.0b8 → mozilla2.0b7
Marking this regression a branch blocker for qa verification because bug 571995 is a blocker.
blocking1.9.1: --- → .16+
blocking1.9.2: --- → .13+
status1.9.1: --- → wanted
status1.9.2: --- → wanted
(Assignee)

Comment 15

7 years ago
http://hg.mozilla.org/releases/mozilla-1.9.1/rev/650e7b0d6d34
http://hg.mozilla.org/releases/mozilla-1.9.1/rev/bd03fbc2b2fc
http://hg.mozilla.org/releases/mozilla-1.9.1/rev/19e3f097936a
http://hg.mozilla.org/releases/mozilla-1.9.1/rev/91bf1ee0a8ac
http://hg.mozilla.org/releases/mozilla-1.9.1/rev/5cb35072f373
http://hg.mozilla.org/releases/mozilla-1.9.1/rev/6444dcb39b02

http://hg.mozilla.org/releases/mozilla-1.9.2/rev/64e803656a1f
http://hg.mozilla.org/releases/mozilla-1.9.2/rev/ee365bf30311
http://hg.mozilla.org/releases/mozilla-1.9.2/rev/0ac503e14b53
http://hg.mozilla.org/releases/mozilla-1.9.2/rev/1d2fa8e53cc3
http://hg.mozilla.org/releases/mozilla-1.9.2/rev/57ce1356af46
http://hg.mozilla.org/releases/mozilla-1.9.2/rev/3956db8d0373
status1.9.1: wanted → .16-fixed
status1.9.2: wanted → .13-fixed
Whiteboard: [sg:critical?]
Group: core-security
You need to log in before you can comment on or make changes to this bug.