Bug 694913 - crash nsIMM32Handler::OnMouseEvent
Keywords: crash, inputmethod
Product: Core
Classification: Components
Component: Widget: Win32
Version: Trunk
Platform: x86 Windows 7
Importance: -- critical
Target Milestone: mozilla10
Assigned To: Masayuki Nakano [:masayuki]
QA Contact: Jim Mathies [:jimm]
Blocks: 492233
Reported: 2011-10-16 23:44 PDT by Alice0775 White
Modified: 2011-10-26 17:11 PDT
CC: 3 users
Flags: masayuki: in-testsuite-

Patch (2.31 KB, patch)
2011-10-24 05:02 PDT, Masayuki Nakano [:masayuki]
roc: review+
VYV03354: review+

Description Alice0775 White 2011-10-16 23:44:23 PDT
This bug was filed from the Socorro interface and is report bp-0e7b43a9-b7cb-4334-8f0e-0d22a2111016.

When I edit some text in the textarea (Additional Comments:) of , the browser crashes.

I am using
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:8.0) Gecko/20100101 Firefox/8.0 ID:20111011182523
and ATOK 2006.

Reproducible: I can not reproduce.
Comment 1 Alice0775 White 2011-10-16 23:46:30 PDT
s/theb rowser crashes./the browser crashes.
Comment 2 Masayuki Nakano [:masayuki] 2011-10-20 19:01:15 PDT
Ah, I'll take this.
Comment 3 Masayuki Nakano [:masayuki] 2011-10-24 05:02:20 PDT
Created attachment 569031 [details] [diff] [review]

The crash is caused by EXCEPTION_INT_DIVIDE_BY_ZERO. It indicates that the width of the character under the mouse cursor can be zero. But I failed to find the actual cases.

The crash was reported with MS-IME (Japanese), ATOK (Japanese) and Phonetic IME (Chinese) at least. For the Chinese IME, I can guess that the cause could be querying it even when we don't draw the composition string ourselves. Therefore, first, we shouldn't query the character when ShouldDrawCompositionStringOurselves() returns FALSE (at that time, nsTextFrame doesn't have the composition string).

However, I have no idea for Japanese IMEs. All Japanese IMEs' composition strings are drawn by us. But Japanese people usually don't use zero-width characters...

This patch passes the mouse event as clicked at the right-most of a zero-width character. This prevents the crash forcibly.

Note that the mouse event may be used for setting the caret position in the composition string or changing the selected clause in the composition string. The new behavior must not be worse than a crash.
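The zero-width hazard and the guard described in comment 3, as an added C++ illustration that is neither Gecko code nor the attached patch; the quarter-of-character encoding, the struct and the function names are assumptions made for this example.

```cpp
#include <cstdint>

// Constructed model of the computation the handler performs when it forwards
// a mouse event to the IME: report which quarter (0..3) of the character
// under the cursor was hit. Names and the quarter encoding are assumptions
// for this example, not Gecko identifiers.
struct CharRect {
    int32_t x;      // left edge of the character, in pixels
    int32_t width;  // width of the character, in pixels; can be 0
};

// Shape of the pre-fix computation: an integer division by the character
// width. When layout reports a zero-width character, this division is the
// EXCEPTION_INT_DIVIDE_BY_ZERO from the crash report. Only call it with a
// non-zero width.
int QuarterUnderCursorUnsafe(const CharRect& c, int32_t cursorX) {
    int32_t xInChar = cursorX - c.x;
    return (xInChar * 4) / c.width;   // divides by zero when c.width == 0
}

// Hardened version. A zero-width character has no meaningful sub-position,
// so the event is reported as a hit on the right-most quarter, which is what
// the comment describes the patch doing. Clamping the cursor into the
// character's horizontal extent is an extra defensive step added here.
int QuarterUnderCursor(const CharRect& c, int32_t cursorX) {
    if (c.width <= 0) {
        return 3;
    }
    int32_t xInChar = cursorX - c.x;
    if (xInChar < 0) {
        xInChar = 0;
    } else if (xInChar >= c.width) {
        xInChar = c.width - 1;
    }
    return (xInChar * 4) / c.width;   // always in 0..3
}
```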
Comment 4 Masayuki Nakano [:masayuki] 2011-10-25 19:12:29 PDT
Comment 5 Ed Morley [:emorley] 2011-10-26 17:11:34 PDT
