Closed Bug 1145768 Opened 5 years ago Closed 5 years ago

"Assertion failure: mListLink == aOther.mListLink (comparing iterators over different lists)" with writing-mode


(Core :: Layout, defect, critical)

Not set



Tracking Status
firefox40 --- fixed


(Reporter: jruderman, Assigned: mats)


(Blocks 3 open bugs)


(Keywords: assertion, sec-other, testcase, Whiteboard: [adv-main40-])


(5 files)

Attached file testcase
1. Set:
     user_pref("layout.css.vertical-text.enabled", true);
2. Load the testcase in a debug build

Assertion failure: mListLink == aOther.mListLink (comparing iterators over different lists), at layout/generic/nsLineBox.h:854
Attached file stack
This might be a security issue, so in the interest of users that have enabled
this feature I'm hiding this bug.
Group: layout-core-security
Group: layout-core-security → core-security
Keywords: sec-moderate
Whiteboard: (sec-high if vertical text is enabled)
Attached patch fixSplinter Review
This is harmless apart from the assertion since RFindLineContaining
searches backward and only use begin() in the condition to exit the
loop.  We should always find the frame on the overflow list though,
if it's not on the principal list.

We still don't reflow the frame tree after the mutation but that
seems like a separate issue - I'll file a separate bug on that.
Assignee: nobody → mats
Attachment #8589656 - Flags: review?(roc)
It's harmless apart from the assertion in DEBUG builds.
Keywords: sec-moderatesec-other
OS: Mac OS X → All
Hardware: x86_64 → All
Whiteboard: (sec-high if vertical text is enabled)
Attached file frame tree
Here's the frame tree for testcase with the patch applied.
As you can see we haven't reflowed the tree properly and the
page is blank for me.  The rendering looks correct after
resizing the window though (a sideways "R").
Group: core-security
Closed: 5 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla40
Blocks: 1154541
Whiteboard: [adv-main40-]
Flags: in-testsuite? → in-testsuite+
You need to log in before you can comment on or make changes to this bug.