Closed Bug 87610 Opened 24 years ago Closed 24 years ago

Crash when viewing Arabic or hebrew content - Trunk [@ nsCaret::DrawCaret]

Categories: Core :: Layout: Text and Fonts, defect

Platform: x86, Windows 2000
Type: defect
Priority: Not set
Severity: critical

RESOLVED FIXED

People

(Reporter: wolruf, Assigned: mkaply)

Details

(Keywords: crash, topcrash, Whiteboard: critical for 0.9.2; checked into 0.9.2 branch)

Attachments

(2 files)

This follows my previous bug #83694 (itself a dup of #83448). The page http://nocc.sf.net/demo/?lang=he (Hebrew) or http://nocc.sf.net/demo/?lang=ar (Arabic) used to work with releases between the closing date of the previous bug (June 10th) and today (I don't know when exactly). Using build 20010624 on Win2k, the crash is more serious than #83694 as it systematically crashes the browser. I don't have time right now to produce a smaller reproducible test-case, but I will investigate later.
Sorry, forgot the talkback ID: TB32144761X
Keywords: crash
Attached simplified version of the crashing page. Attachment crashes when text input is focused. The page http://nocc.sf.net/demo/?lang=he has inline javascript that gives focus to a text input, apparently causing the crash. No crash without dir=rtl in body tag. Language makes no difference. (win98 2001-06-22-21-0.9.2)
WFM, linux, build 2001062506
This is caused by the fix for bug 84031. We were calling |sizeof| with a pointer to a PRUint8 without dereferencing it, and GetBidiProperty was trashing the stack.
Looking at http://lxr.mozilla.org/seamonkey/source/layout/base/src/nsCaret.cpp#579, it seems that there are other places where we are passing sizeof(PRUint8).
mkaply, I don't understand what problem you have with passing the sizeof(PRUint8). The stack crash is caused by passing the sizeof the address instead of the sizeof the data.
Sorry, the ** threw me off. I get it now. aNextLevel is the pointer, *aNextLevel is the actual PRUint8. r=mkaply
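An added example (not code from this bug or from Mozilla) showing why sizeof(aNextLevel) versus sizeof(*aNextLevel) matters for a copy-out call like GetBidiProperty(): the copy-out functions and the frame model are hypothetical stand-ins for the real callee and stack layout, and the bounded variant checks the size on the callee side so a wrong caller fails instead of trashing the stack.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

typedef uint8_t PRUint8;              /* NSPR's 8-bit integer, as in the bug */

/* Model of the caller's stack: the PRUint8 that aNextLevel points at, followed by
 * neighbouring bytes a correct call must leave alone. Constructed for this example. */
struct frame_model {
    PRUint8 level;
    unsigned char neighbours[sizeof(void *)];
};

/* Hypothetical stand-in for the copy-out contract the bug hit: the callee writes
 * aSize bytes of the property into *aValue and trusts aSize blindly. */
static void trusting_copy_out(void **aValue, size_t aSize) {
    unsigned char value[sizeof(void *)] = {1};   /* one-byte level, zero-padded so
                                                    the oversized read stays in bounds */
    memcpy(*aValue, value, aSize);
}

/* Hardened stand-in: the callee knows the property is one PRUint8 and rejects any
 * other size instead of writing past the caller's variable. Returns 0 on success. */
static int bounded_copy_out(void **aValue, size_t aSize) {
    const PRUint8 level = 1;
    if (aSize != sizeof level) return -1;
    memcpy(*aValue, &level, aSize);
    return 0;
}

/* The two size expressions from the bug. aNextLevel is a PRUint8 *, so the buggy
 * form measures the pointer (4 bytes on Win32, 8 on 64-bit), the fixed form 1 byte. */
static size_t buggy_size(void) { PRUint8 lvl, *aNextLevel = &lvl; return sizeof(aNextLevel); }
static size_t fixed_size(void) { PRUint8 lvl, *aNextLevel = &lvl; return sizeof(*aNextLevel); }

/* Runs one trusting call against the frame model and returns how many neighbouring
 * bytes were overwritten: 0 for the fixed size, sizeof(void *) - 1 for the buggy one. */
static size_t clobbered_neighbours(size_t aSize) {
    struct frame_model f;
    memset(&f, 0xAA, sizeof f);
    void *dst = &f;        /* same address as &f.level; passed as the whole frame so the
                              oversized write is well defined inside this model */
    trusting_copy_out(&dst, aSize);
    size_t n = 0;
    for (size_t i = 0; i < sizeof f.neighbours; i++)
        if (f.neighbours[i] != 0xAA) n++;
    return n;
}
```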
sr=kin@netscape.com. Please ask drivers if this can get into the trunk and the MOZILLA_0_9_2_BRANCH. Simon, did you do a sweep over all GetBidiProperty() calls to make sure there weren't any more places that needed to be changed? Also, why does GetBidiProperty() take a void** instead of a void*? It seems that most of the time you are passing in a pointer to data, not a pointer to a pointer?
Adding [@ nsCaret::DrawCaret] to summary and topcrash keyword. This is showing up on the Trunk topcrash report from Talkback. Here is the latest data:

nsCaret::DrawCaret 21
First BBID: 32144385
Last BBID: 32165625
Min Runtime: 11
Max Runtime: 51468
First Appearance Date: 2001-06-25
Last Appearance Date: 2001-06-25
First BuildID: 2001062206
Last BuildID: 2001062509
Stack Trace:
nsCaret::DrawCaret [d:\builds\seamonkey\mozilla\layout\base\src\nsCaret.cpp line 904]
Source File: http://bonsai.mozilla.org/cvsblame.cgi?file=mozilla/layout/base/src/nsCaret.cpp line: 904
(32165625) URL: http://nocc.sf.net/demo/?lang=he
(32165625) Comments: Bugzilla Bug 87610 Crash when viewing Arabic or hebrew content
(32161463) URL: http://nocc.sf.net/demo/?lang=he
(32161463) Comments: Loading and crashes when JS input
(32151362) URL: http://tinderbox.mozilla.org
(32147259) Comments: arabic
(32146241) Comments: arabic
(32146184) Comments: hebrew
(32145863) Comments: hebrew test url
(32145091) URL: http://nocc.sf.net/demo/?lang=ar
(32144761) URL: http://nocc.sf.net/demo/?lang=he
(32144385) URL: http://nocc.sf.net/demo/?lang=ar
(32144385) Comments: Just loading crashes the page every time

I'll post a stack trace when I find one in the Talkback data. I also think this might be a dup of bug 87813, but I'll leave it to QA to confirm that.
Status: UNCONFIRMED → ASSIGNED
Ever confirmed: true
Keywords: topcrash
Summary: Crash when viewing Arabic or hebrew content → Crash when viewing Arabic or hebrew content - Trunk [@ nsCaret::DrawCaret]
This change doesn't fix the crash for me. When I double click the entry field, the browser closes with no crash info or anything. Still looking.
Checked in to trunk, because Tinderbox says I don't need driver approval to do that. Sent request to drivers to check into branch.
> Simon, did you do a sweep over all GetBidiProperty() calls to make sure there
> weren't any more places that needed to be changed?

Yes and yes.

> Also why does GetBidiProperty() take a void** instead of a void*? It seems that
> most of the time you are passing in a pointer to data, not a pointer to a
> pointer?

Even if numerically there are more cases where it's a pointer to data, the method was primarily intended for use with an *nsIFrame to return the new frames created by bidi reordering.
mkaply, I can't reproduce the crash on double click, and the crash on setting focus is fixed. Do you want to leave this bug open, or close it and open a new one?
I've checked this into the 0.9.2 branch for you since we're getting down to the wire. I hope you don't mind.
Whiteboard: critical for 0.9.2
*** Bug 88022 has been marked as a duplicate of this bug. ***
blizzard, I don't mind anything that saves me work :-)
Can you close this?
Whiteboard: critical for 0.9.2 → critical for 0.9.2; checked into 0.9.2 branch
Shouldn't this be marked fixed since it is in trunk and branch? Marking as such.
Status: ASSIGNED → RESOLVED
Closed: 24 years ago
Resolution: --- → FIXED
*** Bug 87813 has been marked as a duplicate of this bug. ***
Component: Layout: BiDi Hebrew & Arabic → Layout: Text
QA Contact: giladehven → layout.fonts-and-text
Crash Signature: [@ nsCaret::DrawCaret]