Closed Bug 604843 Opened 15 years ago Closed 15 years ago

"ASSERTION: No text for IsSpace" with wrapping inside table cell

Categories

(Core :: Layout, defect)

Product:
Core
Component:
Layout
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla2.0b7
Tracking Flags:
Tracking Status
blocking2.0 --- final+
blocking1.9.2 --- .13+
status1.9.2 --- .13-fixed
blocking1.9.1 --- .16+
status1.9.1 --- .16-fixed

People

(Reporter: jruderman, Assigned: MatsPalmgren_bugz)

References

Details

(Keywords: assertion, regression, testcase, Whiteboard: [sg:critical?])

Attachments

(4 files, 3 obsolete files)

testcase
702 bytes, text/html
Details
stack traces
25.77 KB, text/plain
Details
Trace results
38.67 KB, text/html
Details
Patch rev. 4
7.97 KB, patch
roc
: review+
roc
: approval2.0+
Details | Diff | Splinter Review
Attached file testcase
###!!! ASSERTION: No text for IsSpace!: 'aPos < aFrag->GetLength()', file layout/generic/nsTextFrameThebes.cpp, line 627 ###!!! ASSERTION: bad index: 'PRUint32(aIndex) < mState.mLength', file nsTextFragment.h, line 204
Attached file stack traces
This is a regression from bug 571995.
Blocks: 571995
blocking2.0: --- → ?
Component: Layout: Tables → Layout
Keywords: regression
OS: Mac OS X → All
QA Contact: layout.tables → layout
Hardware: x86 → All
Attached file Trace results
We have a text run (0x7fffdfd943e0 in red) that spans multiple frames, then we call AssignTextRun for a frame (0x7fffdfdc5c48 green) in the middle of that continuation chain, this is the case were we keep the old text run for the prev-continuations (per bug 571995) and assign the new text run to the tail of continuations. The problem is that old text run still has an unmodified 'mCharacterCount' which leads to the assertions here. The old text run has 'mCharacterCount' = 80, the new (aTextRun) is 41. (so there's an overlap after AssignTextRun)
Assignee: nobody → matspal
Attached patch wip1 (obsolete) — Splinter Review
We have a text run (0x7fffdfd943e0 in red) that spans multiple frames, then we call AssignTextRun for a frame (0x7fffdfdc5c48 green) in the middle of that continuation chain, this is the case were we keep the old text run for the prev-continuations (per bug 571995) and assign the new text run to the tail of continuations. The problem is that old text run still has an unmodified 'mCharacterCount' which leads to the assertions here. The old text run has 'mCharacterCount' = 80, the new (aTextRun) is 41. Introducing a brute force gfxTextRun::SetLength() to set the old text run length to 39 fixes the assertions, but leads to a new one: ASSERTION: Textrun was not completely removed from the cache!: 'aTextRun->mCachedWords == 0', gfxTextRunWordCache.cpp, line 869 so I added "gfxTextRunWordCache::RemoveTextRun(oldTextRun)" which removes ALL cached words for the old text run. (fwiw, the patch passed TryServer unit tests) It fixes the assertion above, but it doesn't feel right, we should try to keep the words for 0..38 I think. The problem is that the key for the hash table includes the string length in the hash, so if I keep the [0..38] words and then try to find them later with a different text run length I won't find the last word since it now is shorter than when we put it into the table so we'll use the wrong key. So, for a text run [0..N] that is "split" at M, for the words 0..M we should keep them as is, except the last one which should be re-entered with length M instead of N. Words M..N should be removed (since they belong to aTextRun). Does that sound right? is it necessary? (or is this word cache data re-created as needed?) Do we have other data structures that will fail if I shorten the text run length? (I'll take a stab at fixing the word cache and see what falls out)
correction: the length itself isn't part of the hash key, but length characters from the text is.
Attached patch wip2 (obsolete) — Splinter Review
Here's a patch that updates the word cache per comment 4.
(In reply to comment #4) > Created attachment 483973 [details] [diff] [review] > wip1 > > We have a text run (0x7fffdfd943e0 in red) that spans multiple frames, > then we call AssignTextRun for a frame (0x7fffdfdc5c48 green) in the > middle of that continuation chain, this is the case were we keep the > old text run for the prev-continuations (per bug 571995) and assign > the new text run to the tail of continuations. Hmm, I must have got the previous reviews wrong. I thought we were only going to keep the old textrun when the frame continuations from the assignment point forward were all empty. I don't want to start chopping textruns up like this.
Attached patch Patch rev. 3 (obsolete) — Splinter Review
Ok, point taken. So, this looks at continuations from the assignment point forward while they refer to the same text run, stopping at the first frame where GetContentLength() != 0, and if so destroys the old text run. Is there an easier way to check this? Perhaps in the multi flow case it's enough to check TextRunMappedFlow.mContentLength != 0 and avoid looking at each frame?
Attachment #483973 - Attachment is obsolete: true
Attachment #484041 - Attachment is obsolete: true
Attachment #484348 - Flags: review?(roc)
Blocks: 605340
Actually I think all you need to do is get the content-offset of f, map it into the textrun text offsets using gfxSkipCharsIterator, and check that the resulting offset is at the end of the textrun!
Guys, can we get a security rating for this?
Attached patch Patch rev. 4Splinter Review
Simplify the emptiness check. Also, I found that ~98% of the checks can be optimized away by first checking if f == firstFrame, in which case 'ClearTextRun' will remove all references and destroy the text run anyway. (FindFlowForContent was just moved earlier in the file, it's not changed in any way)
Attachment #484348 - Attachment is obsolete: true
Attachment #484790 - Flags: review?(roc)
Attachment #484348 - Flags: review?(roc)
Attachment #484790 - Flags: approval2.0?
http://hg.mozilla.org/mozilla-central/rev/4c01c008b5c7 http://hg.mozilla.org/mozilla-central/rev/847ed2b55fe0
Status: NEW → RESOLVED
Closed: 15 years ago
Flags: in-testsuite+
Resolution: --- → FIXED
Target Milestone: --- → mozilla2.0b8
Target Milestone: mozilla2.0b8 → mozilla2.0b7
Marking this regression a branch blocker for qa verification because bug 571995 is a blocker.
blocking1.9.1: --- → .16+
blocking1.9.2: --- → .13+
status1.9.1: --- → wanted
status1.9.2: --- → wanted
Whiteboard: [sg:critical?]
Group: core-security
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: