Closed Bug 604843 Opened 14 years ago Closed 14 years ago

"ASSERTION: No text for IsSpace" with wrapping inside table cell

Categories

(Core :: Layout, defect)

Product:
Core
Component:
Layout
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla2.0b7
Tracking Flags:
Tracking Status
blocking2.0 --- final+
blocking1.9.2 --- .13+
status1.9.2 --- .13-fixed
blocking1.9.1 --- .16+
status1.9.1 --- .16-fixed

People

(Reporter: jruderman, Assigned: MatsPalmgren_bugz)

References

Details

(Keywords: assertion, regression, testcase, Whiteboard: [sg:critical?])

Attachments

(4 files, 3 obsolete files)

testcase
(deleted), text/html
Details
stack traces
(deleted), text/plain
Details
Trace results
(deleted), text/html
Details
Patch rev. 4
(deleted), patch
roc
: review+
roc
: approval2.0+
Details | Diff | Splinter Review
Attached file testcase (deleted) — 
###!!! ASSERTION: No text for IsSpace!: 'aPos < aFrag->GetLength()', 
file layout/generic/nsTextFrameThebes.cpp, line 627

###!!! ASSERTION: bad index: 'PRUint32(aIndex) < mState.mLength', 
file nsTextFragment.h, line 204
Attached file stack traces (deleted) — 

    
    

    
  
This is a regression from bug 571995.
Blocks: 571995
blocking2.0: --- → ?
Component: Layout: Tables → Layout
Keywords: regression
OS: Mac OS X → All
QA Contact: layout.tables → layout
Hardware: x86 → All

    
    

    
  

      
      
      
      

        Attached file
          
        Trace results (deleted)
        — 
      

    


  
We have a text run (0x7fffdfd943e0 in red) that spans multiple frames,
then we call AssignTextRun for a frame (0x7fffdfdc5c48 green) in the
middle of that continuation chain, this is the case were we keep the
old text run for the prev-continuations (per bug 571995) and assign
the new text run to the tail of continuations.

The problem is that old text run still has an unmodified
'mCharacterCount' which leads to the assertions here.
The old text run has 'mCharacterCount' = 80, the new (aTextRun) is 41.
(so there's an overlap after AssignTextRun)
Assignee: nobody → matspal

    
    

    
  

      
      
      
      

        Attached patch
          
          
        wip1 (obsolete) (deleted)
        — Splinter Review
      

    


  
We have a text run (0x7fffdfd943e0 in red) that spans multiple frames,
then we call AssignTextRun for a frame (0x7fffdfdc5c48 green) in the
middle of that continuation chain, this is the case were we keep the
old text run for the prev-continuations (per bug 571995) and assign
the new text run to the tail of continuations.

The problem is that old text run still has an unmodified
'mCharacterCount' which leads to the assertions here.
The old text run has 'mCharacterCount' = 80, the new (aTextRun) is 41.

Introducing a brute force gfxTextRun::SetLength() to set the old
text run length to 39 fixes the assertions, but leads to a new one:
  ASSERTION: Textrun was not completely removed from the cache!:
    'aTextRun->mCachedWords == 0', gfxTextRunWordCache.cpp, line 869
so I added "gfxTextRunWordCache::RemoveTextRun(oldTextRun)" which
removes ALL cached words for the old text run.
(fwiw, the patch passed TryServer unit tests)

It fixes the assertion above, but it doesn't feel right, we should
try to keep the words for 0..38 I think.  The problem is that the key
for the hash table includes the string length in the hash, so if I keep
the [0..38] words and then try to find them later with a different
text run length I won't find the last word since it now is shorter
than when we put it into the table so we'll use the wrong key.

So, for a text run [0..N] that is "split" at M, for the words 0..M
we should keep them as is, except the last one which should be
re-entered with length M instead of N. Words M..N should be removed
(since they belong to aTextRun).

Does that sound right? is it necessary? (or is this word cache data
re-created as needed?)  Do we have other data structures that will
fail if I shorten the text run length?

(I'll take a stab at fixing the word cache and see what falls out)

    
    

    
  
correction: the length itself isn't part of the hash key,
but length characters from the text is.

    
    

    
  

      
      
      
      

        Attached patch
          
          
        wip2 (obsolete) (deleted)
        — Splinter Review
      

    


  
Here's a patch that updates the word cache per comment 4.

    
    

    
  
(In reply to comment #4)
> Created attachment 483973 [details] [diff] [review]
> wip1
> 
> We have a text run (0x7fffdfd943e0 in red) that spans multiple frames,
> then we call AssignTextRun for a frame (0x7fffdfdc5c48 green) in the
> middle of that continuation chain, this is the case were we keep the
> old text run for the prev-continuations (per bug 571995) and assign
> the new text run to the tail of continuations.

Hmm, I must have got the previous reviews wrong. I thought we were only going to keep the old textrun when the frame continuations from the assignment point forward were all empty. I don't want to start chopping textruns up like this.

    
    

    
  

      
      
      
      

        Attached patch
          
          
        Patch rev. 3 (obsolete) (deleted)
        — Splinter Review
      

    


  
Ok, point taken.  So, this looks at continuations from the assignment point
forward while they refer to the same text run, stopping at the first frame
where GetContentLength() != 0, and if so destroys the old text run.
Is there an easier way to check this?  Perhaps in the multi flow
case it's enough to check TextRunMappedFlow.mContentLength != 0
and avoid looking at each frame?

        Attachment #483973 -
        Attachment is obsolete: true

        Attachment #484041 -
        Attachment is obsolete: true

        Attachment #484348 -
        Flags: review?(roc)

    
  
Blocks: 605340

    
    

    
  
Actually I think all you need to do is get the content-offset of f, map it into the textrun text offsets using gfxSkipCharsIterator, and check that the resulting offset is at the end of the textrun!

    
    

    
  
Guys, can we get a security rating for this?

    
    

    
  

      
      
      
      

        Attached patch
          
          
        Patch rev. 4 (deleted)
        — Splinter Review
      

    


  
Simplify the emptiness check.  Also, I found that ~98% of the checks
can be optimized away by first checking if f == firstFrame, in which
case 'ClearTextRun' will remove all references and destroy the text
run anyway.  (FindFlowForContent was just moved earlier in the file,
it's not changed in any way)

        Attachment #484348 -
        Attachment is obsolete: true

        Attachment #484790 -
        Flags: review?(roc)

        Attachment #484348 -
        Flags: review?(roc)

    
  

        Attachment #484790 -
        Flags: approval2.0?

    
    

    
  
http://hg.mozilla.org/mozilla-central/rev/4c01c008b5c7
http://hg.mozilla.org/mozilla-central/rev/847ed2b55fe0
Status: NEW → RESOLVED
Closed: 14 years ago
Flags: in-testsuite+
Resolution: --- → FIXED
Target Milestone: --- → mozilla2.0b8
Target Milestone: mozilla2.0b8 → mozilla2.0b7

    
    

    
  
Marking this regression a branch blocker for qa verification because bug 571995 is a blocker.
blocking1.9.1: --- → .16+
blocking1.9.2: --- → .13+

          status1.9.1:
          --- → wanted

          status1.9.2:
          --- → wanted
Whiteboard: [sg:critical?]
Group: core-security

          You need to log in
          before you can comment on or make changes to this bug.
        






  

    
  







  

    

      
Attachment

      

      
      
      
      
    

    

      

        

          

            
General

            

              Creator: 



            

            
Created: 

            
Updated: 

            
Size: