Closed Bug 770710 Opened 12 years ago Closed 12 years ago

Crash serializing range when <math:mo> contains a space

Component: Core :: MathML
Type: defect
Priority: Not set
Severity: critical
Status: RESOLVED FIXED
Target Milestone: mozilla18
Reporter: jruderman
Assignee: ehsan.akhgari
Keywords: crash, testcase
Attachments: 4 files

Attached file testcase
This might be related to MathML's weird behavior of changing the DOM when a <mo> contains leading/trailing whitespace.
Attached file stack trace
Nightly: bp-9468a162-f725-4319-9675-97a142120703
Crash Signature: [@ LossyConvertEncoding8to16::write_sse2 ]
On Windows 7: bp-557eedc1-5ceb-4458-a1f3-2ee462120704.
Crash Signature: [@ LossyConvertEncoding8to16::write_sse2 ] → [@ LossyConvertEncoding8to16::write_sse2 ] [@ LossyConvertEncoding8to16::write_sse2(char const*, unsigned int) ]
OS: Mac OS X → All
Hardware: x86_64 → All
getSelection().toString() runs FlushPendingNotifications, and nsMathMLTokenFrame::Init calls nsIContent->SetText("", aNotify = false), but it seems that nsNodeUtils::CharacterDataChanged() is required to update the range and that is only called when aNotify is set.

I wonder whether nsIContentSerializer::AppendText() (implemented in nsPlainTextSerializer) should sanity-check its arguments, even though the core problem is layout changing the DOM during frame construction.
Attached patch wallpaper
Wallpapering nsIContentSerializer::AppendText() to sanity check arguments gets us as far as trying to repaint the selection.

Assertion failure: startOffset <= startParent->Length() && endOffset <= endParent->Length(), at /home/karl/moz/dev/content/base/src/nsContentIterator.cpp:1203

#5  0x00007f8b8af00651 in nsContentSubtreeIterator::Init (this=0x4532cc0, aRange=0x3d1a380) at /home/karl/moz/dev/content/base/src/nsContentIterator.cpp:1202
#6  0x00007f8b8ad062d2 in mozilla::Selection::selectFrames (this=0x39b72a0, aPresContext=0x3018c20, aRange=0x3d1a380, aSelect=true) at /home/karl/moz/dev/layout/generic/nsSelection.cpp:4026
#7  0x00007f8b8ad06cbe in mozilla::Selection::Repaint (this=0x39b72a0, aPresContext=0x3018c20) at /home/karl/moz/dev/layout/generic/nsSelection.cpp:4193
#8  0x00007f8b8acff529 in nsFrameSelection::RepaintSelection (this=0x3b049a0, aType=1) at /home/karl/moz/dev/layout/generic/nsSelection.cpp:1752
#9  0x00007f8b8ac0a4d0 in PresShell::RepaintSelection (this=0x40f3a20, aType=1) at /home/karl/moz/dev/layout/base/nsPresShell.cpp:1561
#10 0x00007f8b8abcccee in nsDocViewerFocusListener::HandleEvent (this=0x3b38780, aEvent=0x4532c60) at /home/karl/moz/dev/layout/base/nsDocumentViewer.cpp:3529
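The two comments above describe the failure mode and the defensive check: a range keeps its offsets unless CharacterDataChanged runs, so a SetText() with aNotify = false leaves the range pointing past the new, shorter text, and an AppendText() that trusts those offsets reads out of bounds. The following is an added, self-contained C++ model of that sequence, not Gecko code and not the attached patch; TextNode, Range, AppendTextChecked and SerializeAfterTrim are hypothetical names, and the " + " token text is a constructed sample standing in for an <mo> with surrounding whitespace.

```cpp
#include <algorithm>
#include <cstddef>
#include <iostream>
#include <string>
#include <vector>

struct Range;

// Text node whose content can be replaced with or without notifying the
// ranges anchored in it. Hypothetical model, not Gecko's nsIContent.
struct TextNode {
    std::string text;
    std::vector<Range*> observers;

    std::size_t Length() const { return text.size(); }
    void SetText(const std::string& aNewText, bool aNotify);
};

// A range holding (start, end) offsets into one text node. The offsets stay
// valid only if the node keeps its length or tells the range about changes.
struct Range {
    TextNode* node;
    std::size_t start;
    std::size_t end;

    // Analogue of the range update driven by nsNodeUtils::CharacterDataChanged:
    // clamp both offsets to the new length.
    void CharacterDataChanged(std::size_t aNewLength) {
        start = std::min(start, aNewLength);
        end = std::min(end, aNewLength);
    }
};

void TextNode::SetText(const std::string& aNewText, bool aNotify) {
    text = aNewText;
    if (!aNotify) {
        return;  // aNotify == false: observing ranges keep stale offsets
    }
    for (Range* r : observers) {
        r->CharacterDataChanged(text.size());
    }
}

// Serializer step with the argument check the "wallpaper" comment asks for:
// refuse offsets that do not fit the text instead of reading past its end.
bool AppendTextChecked(const std::string& aText, std::size_t aStart,
                       std::size_t aEnd, std::string& aOut) {
    if (aStart > aEnd || aEnd > aText.size()) {
        return false;  // invalid range; caller must not index the text
    }
    aOut.append(aText, aStart, aEnd - aStart);
    return true;
}

// Scenario: a range covers the whole text " + " (constructed sample), then
// frame construction trims it to "+" with or without notification.
// Returns true if serialization succeeded; aOut receives the text.
bool SerializeAfterTrim(bool aNotify, std::string& aOut) {
    TextNode mo{" + ", {}};
    Range sel{&mo, 0, mo.Length()};  // offsets 0..3
    mo.observers.push_back(&sel);

    mo.SetText("+", aNotify);  // length drops to 1

    aOut.clear();
    return AppendTextChecked(mo.text, sel.start, sel.end, aOut);
}

int main() {
    std::string out;
    if (SerializeAfterTrim(false, out)) {
        std::cout << "aNotify=false: serialized \"" << out << "\"\n";
    } else {
        std::cout << "aNotify=false: stale range rejected\n";
    }
    if (SerializeAfterTrim(true, out)) {
        std::cout << "aNotify=true: serialized \"" << out << "\"\n";
    } else {
        std::cout << "aNotify=true: range rejected\n";
    }
    return 0;
}
```

With aNotify = false the range still claims offsets 0..3 over a one-character text, and the checked serializer rejects it rather than reading past the buffer; with aNotify = true the range is clamped to 0..1 and "+" is serialized. The check is the wallpaper; the real fix is keeping layout from mutating the DOM during frame construction.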
Depends on: 785956
My patch in bug 785720 fixes this crash.
Depends on: CVE-2012-4180
Attached patch Crashtest
Assignee: nobody → ehsan
Status: NEW → ASSIGNED
Attachment #656530 - Flags: review?(roc)
https://hg.mozilla.org/integration/mozilla-inbound/rev/60ad807829dd
Flags: in-testsuite+
Target Milestone: --- → mozilla18
https://hg.mozilla.org/mozilla-central/rev/60ad807829dd
Status: ASSIGNED → RESOLVED
Closed: 12 years ago
Resolution: --- → FIXED
No longer depends on: 785956