Bug 694913 - crash nsIMM32Handler::OnMouseEvent
Status: RESOLVED FIXED
Whiteboard: [inbound]
Keywords: crash, inputmethod
Product: Core
Classification: Components
Component: Widget: Win32
Version: Trunk
Hardware: x86 Windows 7
Importance: -- critical
Target Milestone: mozilla10
Assigned To: Masayuki Nakano [:masayuki] (Mozilla Japan)
Blocks: 492233
Reported: 2011-10-16 23:44 PDT by Alice0775 White
Modified: 2011-10-26 17:11 PDT
masayuki: in‑testsuite-


Attachments
Patch (2.31 KB, patch)
2011-10-24 05:02 PDT, Masayuki Nakano [:masayuki] (Mozilla Japan)
roc: review+
VYV03354: review+

Description Alice0775 White 2011-10-16 23:44:23 PDT
This bug was filed from the Socorro interface and is 
report bp-0e7b43a9-b7cb-4334-8f0e-0d22a2111016 .
============================================================= 

When I edit some text in textarea(Additional Comments:) of https://bugzilla.mozilla.org/show_bug.cgi?id=692153 , theb rowser crashes.

I am using http://hg.mozilla.org/releases/mozilla-beta/rev/178cfa4240b3
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:8.0) Gecko/20100101 Firefox/8.0 ID:20111011182523
and ATOK 2006.

Reproducible: I can not reproduce.
Comment 1 Alice0775 White 2011-10-16 23:46:30 PDT
s/theb rowser crashes./the browser crashes.
Comment 2 Masayuki Nakano [:masayuki] (Mozilla Japan) 2011-10-20 19:01:15 PDT
Ah, I'll take this.
Comment 3 Masayuki Nakano [:masayuki] (Mozilla Japan) 2011-10-24 05:02:20 PDT
Created attachment 569031
Patch

The crash is caused by EXCEPTION_INT_DIVIDE_BY_ZERO. It indicates that the width of the character under the mouse cursor can be zero. But I failed to find the actual cases.

The crash was reported with MS-IME (Japanese), ATOK (Japanese) and Phonetic IME (Chinese) at least. For the Chinese IME, I can guess that the cause could be querying it even when we don't draw the composition string ourselves. Therefore, first, we shouldn't query the character when ShouldDrawCompositionStringOurselves() returns FALSE (at that time, nsTextFrame doesn't have the composition string).

However, I have no idea for Japanese IMEs. All Japanese IMEs' composition strings are drawn by us. But Japanese people usually don't use zero-width characters...

This patch passes the mouse event as clicked at the right-most of a zero-width character. This prevents the crash forcibly.

Note that the mouse event may be used for setting the caret position in the composition string or changing the selected clause in the composition string. The new behavior must not be worse than a crash.
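
The two guards Comment 3 describes, as an added example that is not the attached patch or Gecko code. `CharRect`, `QuarterUnderCursor`, the constants and the 0..3 quarter encoding are hypothetical names and assumptions made for this sketch.

```cpp
#include <algorithm>
#include <cstdint>

// Hypothetical stand-in for the rectangle the widget gets back when it asks
// layout for the character under the mouse cursor (not a Gecko type).
struct CharRect {
  int32_t x;      // left edge, same coordinate space as the cursor
  int32_t width;  // may be zero, which is the case behind this crash
};

const int kNotQueried = -1;       // caller forwards no position to the IME
const int kRightMostQuarter = 3;  // right-most part of the character cell

// Maps the cursor to a quarter (0..3, left to right) of the character cell.
// The quarter encoding is an assumption made for this example.
int QuarterUnderCursor(bool drawsCompositionOurselves, int32_t cursorX,
                       const CharRect& ch) {
  // If the IME draws the composition string itself, the text frame holds no
  // composition string, so there is no character to hit-test.
  if (!drawsCompositionOurselves) {
    return kNotQueried;
  }
  // Integer division by zero is undefined behaviour in C++; on x86 the idiv
  // instruction faults and Windows reports EXCEPTION_INT_DIVIDE_BY_ZERO.
  // Treat a zero-width (or malformed negative-width) cell as a click on its
  // right-most part instead of dividing.
  if (ch.width <= 0) {
    return kRightMostQuarter;
  }
  // Clamp so a cursor just outside the cell cannot yield an index outside
  // 0..3, and widen to 64 bits so offset * 4 cannot overflow.
  int64_t offset = static_cast<int64_t>(cursorX) - ch.x;
  offset = std::max<int64_t>(0, std::min<int64_t>(offset, ch.width - 1));
  return static_cast<int>(offset * 4 / ch.width);
}
```
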
Comment 4 Masayuki Nakano [:masayuki] (Mozilla Japan) 2011-10-25 19:12:29 PDT
https://hg.mozilla.org/integration/mozilla-inbound/rev/6e3203f7d220
Comment 5 Ed Morley [:emorley] 2011-10-26 17:11:34 PDT
https://hg.mozilla.org/mozilla-central/rev/6e3203f7d220
