Bug 694913 - crash nsIMM32Handler::OnMouseEvent
Status: RESOLVED FIXED
Whiteboard: [inbound]
Keywords: crash, inputmethod
Product: Core
Classification: Components
Component: Widget: Win32
Version: Trunk
Platform: x86 Windows 7
Importance: -- critical
Target Milestone: mozilla10
Assigned To: Masayuki Nakano [:masayuki]
: Jim Mathies [:jimm]
Blocks: 492233
Reported: 2011-10-16 23:44 PDT by Alice0775 White
Modified: 2011-10-26 17:11 PDT
masayuki: in‑testsuite-

Attachments
Patch (2.31 KB, patch)
2011-10-24 05:02 PDT, Masayuki Nakano [:masayuki]
roc: review+
VYV03354: review+

Description Alice0775 White 2011-10-16 23:44:23 PDT
This bug was filed from the Socorro interface and is 
report bp-0e7b43a9-b7cb-4334-8f0e-0d22a2111016 .
============================================================= 

When I edit some text in textarea(Additional Comments:) of https://bugzilla.mozilla.org/show_bug.cgi?id=692153 , theb rowser crashes.

I am using http://hg.mozilla.org/releases/mozilla-beta/rev/178cfa4240b3
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:8.0) Gecko/20100101 Firefox/8.0 ID:20111011182523
and ATOK 2006.

Reproducible: I can not reproduce.
Comment 1 Alice0775 White 2011-10-16 23:46:30 PDT
s/theb rowser crashes./the browser crashes.
Comment 2 Masayuki Nakano [:masayuki] 2011-10-20 19:01:15 PDT
Ah, I'll take this.
Comment 3 Masayuki Nakano [:masayuki] 2011-10-24 05:02:20 PDT
Created attachment 569031
Patch

The crash is caused by EXCEPTION_INT_DIVIDE_BY_ZERO. It indicates that the width of the character under the mouse cursor can be zero. But I failed to find the actual cases.

The crash was reported with MS-IME (Japanese), ATOK (Japanese) and Phonetic IME (Chinese) at least. For Chinese IME, I can guess that the cause could be to query it even when we don't draw the composition string ourselves. Therefore, first, we shouldn't query the character when ShouldDrawCompositionStringOurselves() returns FALSE (at that time, nsTextFrame doesn't have the composition string).

However, I have no idea for Japanese IMEs. All Japanese IMEs' composition strings are drawn by us. But Japanese people usually don't use zero-width characters...

This patch passes the mouse event as clicked at the right-most of a zero-width character. This prevents the crash forcibly.

Note that the mouse event may be used for setting the caret position in the composition string or changing the selected clause in the composition string. The new behavior must not be worse behavior than a crash.
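
The guard described in comment 3, as an added sketch that is not part of the comment and not the attached patch. It assumes the handler reports which quarter of the character was clicked; `CharRect`, `click_quarter` and the four-way split are hypothetical names and choices, since the page does not show the actual computation.

```cpp
#include <cstdio>

// Hypothetical rectangle of the character under the cursor (not Mozilla's type).
struct CharRect {
    int x;      // left edge, in the same coordinate space as the cursor
    int width;  // may be zero, which is the case this bug is about
};

constexpr int kQuarters = 4;  // assumed granularity of the reported position

// Returns which quarter (0..3, left to right) of the character the cursor
// falls in. Integer division by a zero width raises
// EXCEPTION_INT_DIVIDE_BY_ZERO on x86, so that case is handled before
// dividing and reported as a click on the right-most quarter.
int click_quarter(const CharRect& rect, int cursor_x)
{
    if (rect.width <= 0) {
        return kQuarters - 1;  // zero-width character: treat as right-most
    }

    // Widen before subtracting so extreme coordinates cannot overflow int.
    long long offset = static_cast<long long>(cursor_x) - rect.x;
    if (offset < 0) {
        offset = 0;               // cursor left of the character
    }
    if (offset >= rect.width) {
        offset = rect.width - 1;  // cursor right of the character
    }
    return static_cast<int>(offset * kQuarters / rect.width);
}

int main()
{
    // Constructed sample values.
    std::printf("%d\n", click_quarter(CharRect{100, 16}, 107));
    std::printf("%d\n", click_quarter(CharRect{100, 0}, 100));
    return 0;
}
```
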
Comment 4 Masayuki Nakano [:masayuki] 2011-10-25 19:12:29 PDT
https://hg.mozilla.org/integration/mozilla-inbound/rev/6e3203f7d220
Comment 5 Ed Morley [:emorley] 2011-10-26 17:11:34 PDT
https://hg.mozilla.org/mozilla-central/rev/6e3203f7d220
