This bug was filed from the Socorro interface and is report bp-0e7b43a9-b7cb-4334-8f0e-0d22a2111016.
When I edit some text in the textarea (Additional Comments:) of https://bugzilla.mozilla.org/show_bug.cgi?id=692153, theb rowser crashes.
I am using http://hg.mozilla.org/releases/mozilla-beta/rev/178cfa4240b3
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:8.0) Gecko/20100101 Firefox/8.0 ID:20111011182523
and ATOK 2006.
Reproducible: I can not reproduce.
s/theb rowser crashes./the browser crashes.
Ah, I'll take this.
Created attachment 569031
The crash is caused by EXCEPTION_INT_DIVIDE_BY_ZERO. It indicates that the width of the character under the mouse cursor can be zero. But I failed to find the actual cases.
The crash was reported with MS-IME (Japanese), ATOK (Japanese) and Phonetic IME (Chinese) at least. For Chinese IME, I can guess that the cause could be to query it even when we don't draw the composition string ourselves. Therefore, first, we shouldn't query the character when ShouldDrawCompositionStringOurselves() returns FALSE (at that time, nsTextFrame doesn't have the composition string).
However, I have no idea for Japanese IMEs. All of the Japanese IMEs' composition strings are drawn by us. But Japanese people usually don't use zero-width characters...
This patch passes the mouse event as clicked at the right-most of a zero-width character. This prevents the crash forcibly.
Note that the mouse event may be used for setting the caret position in the composition string or changing the selected clause in the composition string. The new behavior must not be worse than a crash.