Closed
Bug 81078
Opened 23 years ago
Closed 23 years ago
UMR: nsTextFrame::GetPosition() when selecting text. - Trunk [@ nsTextFrame::GetPosition]
Categories
(Core :: Layout, defect, P3)
Tracking
()
VERIFIED
FIXED
mozilla0.9.1
People
(Reporter: kinmoz, Assigned: kinmoz)
References
()
Details
(Keywords: crash, topcrash, Whiteboard: r/sr=kin/sfraser a=blizzard for moz0.9.1 check in)
Crash Data
I started up Mozilla (with a hompage of www.mozilla.org) under Purify, then
loaded the URL:
http://bugzilla.mozilla.org/show_bug.cgi?id=74383
I selected some text on the page and saw several UMR warnings coming from the
nsTextFrame::GetPosition() method:
[W] UMR: Uninitialized memory read in nsTextFrame::GetPosition(nsIPresContext *,
nsPoint const&,nsIContent * *,int&,int&) {2 occurrences}
Reading 2 bytes from 0x0013ef28 (2 bytes at 0x0013ef28 uninitialized)
Address 0x0013ef28 points into a thread's stack
Address 0x0013ef28 is 96 bytes past the start of local variable 'paintBu
ffer' in nsTextFrame::GetPosition(nsIPresContext *,nsPoint const&,nsIContent * *
,int&,int&)
Thread ID: 0xfd
Error location
nsTextFrame::GetPosition(nsIPresContext *,nsPoint const&,nsIContent
* *,int&,int&) [nsTextFrame.cpp:3343]
nsTextFrame::GetContentAndOffsetsFromPoint(nsIPresContext *,nsPoint
const&,nsIContent * *,int&,int&,int&) [nsTextFrame.cpp:3380]
nsFrame::GetNextPrevLineFromeBlockFrame(nsIPresContext *,nsPeekOffse
tStruct *,nsIFrame *,int,signed char) [nsFrame.cpp:2954]
nsBlockFrame::HandleEvent(nsIPresContext *,nsGUIEvent *,nsEventStatu
s *) [nsBlockFrame.cpp:5343]
PresShell::HandleEventInternal(nsEvent *,nsIView *,UINT,nsEventStatu
s *) [nsPresShell.cpp:5522]
PresShell::HandleEvent(nsIView *,nsGUIEvent *,nsEventStatus *,int,in
t&) [nsPresShell.cpp:5434]
nsView::HandleEvent(nsGUIEvent *,UINT,nsEventStatus *,int,int&) [nsV
iew.cpp:364]
nsViewManager::DispatchEvent(nsGUIEvent *,nsEventStatus *) [nsViewMa
nager.cpp:2053]
HandleEvent [nsView.cpp:67]
nsWindow::DispatchEvent(nsGUIEvent *,nsEventStatus&) [nsWindow.cpp:7
02]
You might be able to generate these UMRs selecting any text on any page, but
I haven't tried it.I should have added that the UMR is generated by the following BIDI code:
#ifdef IBMBIDI
=> while (IS_BIDI_DIACRITIC(text[aContentOffset - mContentOffset]) ) {
aContentOffset++;
}
#endif // IBMBIDI
|
||
Comment 3•23 years ago
|
||
I think we should change
#ifdef IBMBIDI
while (IS_BIDI_DIACRITIC(text[aContentOffset - mContentOffset]) ) {
aContentOffset++;
}
#endif // IBMBIDI
to
#ifdef IBMBIDI
while ((aContentOffset < mContentLength) &&
IS_BIDI_DIACRITIC(text[aContentOffset - mContentOffset]) ) {
aContentOffset++;
}
#endif // IBMBIDI
simon- is that right?
Assignee: ftang → simon
Target Milestone: --- → mozilla0.9.1
I think the bounds check expression should be:
while ((aContentOffset >= mContentOffset &&
aContentOffset < (mContentOffset + mContentLength)) &&
IS_BIDI_DIACRITIC(text[aContentOffset - mContentOffset]) ) {
|
||
Comment 5•23 years ago
|
||
I agree with kin's version of the bounds checking.
|
|
||
Comment 6•23 years ago
|
||
reassign back to ftang for review process
Assignee: simon → ftang
Whiteboard: patch exist
|
|
||
Comment 7•23 years ago
|
||
fixed and check in
Status: NEW → RESOLVED
Closed: 23 years ago
Resolution: --- → FIXED
It seems that this doesn't fix the problem completely, since you need to use the ip[] offsets array to make sure that you don't run off the end of the text[] array. The text[] array used for rendering can be shorter than the content string because adjacent spaces are collapsed/dropped under certain situations. Reopening this bug.
Status: RESOLVED → REOPENED
Resolution: FIXED → ---
|
|
||
Updated•23 years ago
|
Status: REOPENED → ASSIGNED
Whiteboard: patch exist
By the way, mjudge and I tried the following patch yesterday, which we believe
is the right thing to do, but we still get a UMR whenever aContentOffset is
equivalent to (mContentOffset + mContentLength - 1) which should be a legal
index according to the ip[] array! Is PrepareUnicode text not filling in the
last char of the text[] array?
You can see this UMR by selecting some text in a paragraph that has multiple
wrapping lines. Click in a line, and drag out of the paragraph so you are moving
the mouse up/down just past the right edge of the paragraph.
Index: nsTextFrame.cpp
===================================================================
RCS file: /cvsroot/mozilla/layout/html/base/src/nsTextFrame.cpp,v
retrieving revision 1.300
diff -u -r1.300 nsTextFrame.cpp
--- nsTextFrame.cpp 2001/05/16 13:40:08 1.300
+++ nsTextFrame.cpp 2001/05/17 17:37:41
@@ -3342,7 +3342,7 @@
#ifdef IBMBIDI
while ((aContentOffset >= mContentOffset) &&
(aContentOffset < (mContentOffset + mContentLength)) &&
- IS_BIDI_DIACRITIC(text[aContentOffset - mContentOffset]) ) {
+ IS_BIDI_DIACRITIC(text[ip[aContentOffset - mContentOffset]]) ) {
aContentOffset++;
}
#endif // IBMBIDI
|
Assignee | |
Comment 10•23 years ago
|
||
Bah, I pasted the wrong diff file above, here's the correct one:
Index: nsTextFrame.cpp
===================================================================
RCS file: /cvsroot/mozilla/layout/html/base/src/nsTextFrame.cpp,v
retrieving revision 1.300
diff -u -r1.300 nsTextFrame.cpp
--- nsTextFrame.cpp 2001/05/16 13:40:08 1.300
+++ nsTextFrame.cpp 2001/05/17 17:50:04
@@ -3340,10 +3340,12 @@
}
}
#ifdef IBMBIDI
- while ((aContentOffset >= mContentOffset) &&
- (aContentOffset < (mContentOffset + mContentLength)) &&
- IS_BIDI_DIACRITIC(text[aContentOffset - mContentOffset]) ) {
- aContentOffset++;
+ if (aContentOffset >= mContentOffset) {
+ PRInt32 stopOffset = mContentOffset + mContentLength;
+ while (aContentOffset < stopOffset &&
+ IS_BIDI_DIACRITIC(text[ip[aContentOffset - mContentOffset]]) )
{
+ aContentOffset++;
+ }
}
#endif // IBMBIDI
aContentOffsetEnd = aContentOffset;|
|
||
Comment 11•23 years ago
|
||
simon- can you review this ? mkaply- can you drive the review process and check in ?
Assignee: ftang → mkaply
Status: ASSIGNED → NEW
|
|
||
Comment 12•23 years ago
|
||
r=simon@softel.co.il
|
|
||
Comment 13•23 years ago
|
||
kin said we should keep this bug open even after we check in because there are some other issue around. mkaply- can you ask sfraser to sr and check in this today?
|
||
Comment 14•23 years ago
|
||
kin: can you sr this?
|
|
||
Comment 15•23 years ago
|
||
I talked to kin. Kin's patch is good, so sr=sfraser on it, but this bug needs to stay open for the remaining UMR. It seems that we're exposing a lot of bugs in the BiDi text frame code. Who reviewed this on the layout side?
|
|
||
Comment 16•23 years ago
|
||
From nsTextFrame.cpp log: 1.291 erik%netscape.com Apr 11 16:32 bug 74946; author=simon@softel.co.il; r=erik; sr=attinasi; diffs from IBM bidi project (e.g. Arabic, Hebrew)
|
|
||
Comment 17•23 years ago
|
||
I think the most important part in kin's patch is the ip[] redirect lookup part. The rest is performance which does not really impact the correctness. Just try to clerify.
|
|
||
Comment 18•23 years ago
|
||
mkaply said he will land it today. mkaply- make sure you DO NOT close this bug after you land it. kin said there are more issue here.
Whiteboard: r/sr=kin/sfraser a=blizzard for moz0.9.1 check in
|
||
Comment 19•23 years ago
|
||
The change from kin is in
|
|
||
Comment 20•23 years ago
|
||
Changing milestone since 0.9.1 changes are in.
Target Milestone: mozilla0.9.1 → mozilla0.9.2
|
|
Assignee | |
Comment 21•23 years ago
|
||
FYI: It turns out that my last patch introduced a hang/crash on linux. (Bug 82556). See the patch in 82556 which fixes the crash, and should fix the UMRs caused by this loop. I'll verify that it indeed fixes the UMRs today.
|
|
Assignee | |
Comment 22•23 years ago
|
||
I just checked in a fix to the trunk that should hopefully close out this bug:
mozilla/layout/html/base/src/nsTextFrame.cpp revision 1.305Assignee: mkaply → kin
Priority: -- → P3
|
|
Assignee | |
Comment 23•23 years ago
|
||
I just verified with Purify that this is fixed. FYI, the fix I checked in was for bug 82556: http://bugzilla.mozilla.org/showattachment.cgi?attach_id=36095
Status: NEW → RESOLVED
Closed: 23 years ago → 23 years ago
Resolution: --- → FIXED
Target Milestone: mozilla0.9.2 → mozilla0.9.1
|
||
Comment 24•23 years ago
|
||
Adding crash, topcrash keywords and Trunk [@ nsTextFrame::GetPosition] to summary for tracking. This crash has been showing up in the Talkback topcrash reports for a couple of days now. Since this was just fixed, I'll keep any eye out for any new crashes after today.
|
|
||
Comment 25•23 years ago
|
||
*** Bug 82686 has been marked as a duplicate of this bug. ***
|
||
Updated•13 years ago
|
Crash Signature: [@ nsTextFrame::GetPosition]
You need to log in
before you can comment on or make changes to this bug.
Description
•