Closed
Bug 1145768
Opened 10 years ago
Closed 10 years ago
"Assertion failure: mListLink == aOther.mListLink (comparing iterators over different lists)" with writing-mode
Categories
(Core :: Layout, defect)
Core
Layout
Tracking
()
RESOLVED
FIXED
mozilla40
| Tracking | Status | |
|---|---|---|
| firefox40 | --- | fixed |
People
(Reporter: jruderman, Assigned: MatsPalmgren_bugz)
References
Details
(Keywords: assertion, sec-other, testcase, Whiteboard: [adv-main40-])
Attachments
(5 files)
|
464 bytes,
text/html
|
Details | |
|
6.16 KB,
text/plain
|
Details | |
|
1.99 KB,
patch
|
roc
:
review+
|
Details | Diff | Splinter Review |
|
2.82 KB,
patch
|
Details | Diff | Splinter Review | |
|
5.86 KB,
text/plain
|
Details |
1. Set:
user_pref("layout.css.vertical-text.enabled", true);
2. Load the testcase in a debug build
Assertion failure: mListLink == aOther.mListLink (comparing iterators over different lists), at layout/generic/nsLineBox.h:854
|
Reporter | |
Comment 1•10 years ago
|
||
|
Assignee | |
Comment 2•10 years ago
|
||
This might be a security issue, so in the interest of users that have enabled
this feature I'm hiding this bug.
Group: layout-core-security
|
||
Updated•10 years ago
|
Group: layout-core-security → core-security
|
||
Updated•10 years ago
|
Keywords: sec-moderate
Whiteboard: (sec-high if vertical text is enabled)
|
|
Assignee | |
Comment 3•10 years ago
|
||
This is harmless apart from the assertion since RFindLineContaining
searches backward and only use begin() in the condition to exit the
loop. We should always find the frame on the overflow list though,
if it's not on the principal list.
We still don't reflow the frame tree after the mutation but that
seems like a separate issue - I'll file a separate bug on that.
Assignee: nobody → mats
Attachment #8589656 -
Flags: review?(roc)
|
|
Assignee | |
Comment 4•10 years ago
|
||
|
|
Assignee | |
Comment 5•10 years ago
|
||
It's harmless apart from the assertion in DEBUG builds.
Keywords: sec-moderate → sec-other
OS: Mac OS X → All
Hardware: x86_64 → All
Whiteboard: (sec-high if vertical text is enabled)
|
|
Assignee | |
Comment 6•10 years ago
|
||
Here's the frame tree for testcase with the patch applied.
As you can see we haven't reflowed the tree properly and the
page is blank for me. The rendering looks correct after
resizing the window though (a sideways "R").
Attachment #8589656 -
Flags: review?(roc) → review+
|
|
Assignee | |
Comment 7•10 years ago
|
||
Flags: in-testsuite?
|
|
Reporter | |
Updated•10 years ago
|
Group: core-security
|
||
Comment 8•10 years ago
|
||
Status: NEW → RESOLVED
Closed: 10 years ago
status-firefox40:
--- → fixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla40
|
||
Updated•10 years ago
|
Whiteboard: [adv-main40-]
|
||
Comment 10•10 years ago
|
||
| bugherder | ||
|
|
Assignee | |
Updated•10 years ago
|
Flags: in-testsuite? → in-testsuite+
You need to log in
before you can comment on or make changes to this bug.
Description
•