"ASSERTION: Shouldn't be incomplete if availableHeight is UNCONSTRAINED" with -moz-column, rtl, contenteditable

RESOLVED WORKSFORME

Status


Core
Layout: Text
10 years ago
3 years ago

People

(Reporter: Jesse Ruderman, Assigned: Jesse Ruderman)

Tracking

(Blocks: 2 bugs, {assertion, testcase})

Trunk
x86
Mac OS X
Bug Flags:
in-testsuite +

Firefox Tracking Flags

(Not tracked)

Details

(Whiteboard: [sg:critical?])

Attachments

(2 attachments)

(Assignee)

Description

10 years ago
Created attachment 316734 [details]
testcase A

Both testcases trigger:

###!!! ASSERTION: Shouldn't be incomplete if availableHeight is UNCONSTRAINED.: 'aReflowState.availableHeight != NS_UNCONSTRAINEDSIZE', file /Users/jruderman/trunk/mozilla/layout/generic/nsBlockFrame.cpp, line 1403

###!!! ASSERTION: negative length: 'GetContentEnd() - mContentOffset >= 0', file /Users/jruderman/trunk/mozilla/layout/generic/nsTextFrame.h, line 303


Testcase A also triggers:

###!!! ASSERTION: integer overflow: 'mMaxTextLength <= mMaxTextLength + aFrame->GetContentLength()', file /Users/jruderman/trunk/mozilla/layout/generic/nsTextFrameThebes.cpp, line 1078

###!!! ASSERTION: Invalid offset: 'aOffset <= mSkipChars->mCharCount', file /Users/jruderman/trunk/mozilla/gfx/thebes/src/gfxSkipChars.cpp, line 92


Testcase B also triggers:

###!!! ASSERTION: Attempting to allocate excessively large array: 'Error', file nsTArray.cpp, line 69
(Assignee)

Comment 1

10 years ago
Created attachment 316735 [details]
testcase B
(Assignee)

Comment 2

10 years ago
The scarier assertions are all gone.  Now I just get the first assertion in comment 0, and a few ordinary editor assertions.
(Assignee)

Updated

10 years ago
Summary: "ASSERTION: negative length" with -moz-column, rtl, contenteditable → "ASSERTION: Shouldn't be incomplete if availableHeight is UNCONSTRAINED" with -moz-column, rtl, contenteditable
(Assignee)

Comment 3

9 years ago
The scary assertions are back.
Whiteboard: [sg:critical?]
I get different and somewhat less scary assertions (on Linux):

###!!! ASSERTION: bad action nesting!: 'mActionNesting>0', file /usr/moz/hg3/editor/libeditor/html/nsHTMLEditRules.cpp, line 387
###!!! ASSERTION: no frame, see bug #188946: 'frame', file /usr/moz/hg3/editor/libeditor/base/nsEditor.cpp, line 4082
###!!! ASSERTION: No first node!: 'mFirst', file /usr/moz/hg3/content/base/src/nsContentIterator.cpp, line 910

(same for both testcases)
Whiteboard: [sg:critical?] → [sg:critical?] common fuzz blocker
On Linux mozilla-central I'm seeing the same as comment 4.
(Assignee)

Comment 6

9 years ago
Same here.  That makes this bug WFM.
Status: NEW → RESOLVED
Last Resolved: 9 years ago
Resolution: --- → WORKSFORME
(Assignee)

Updated

9 years ago
Whiteboard: [sg:critical?] common fuzz blocker → [sg:critical?]

Updated

9 years ago
Flags: in-testsuite?
Landed the crashtests:
https://hg.mozilla.org/integration/mozilla-inbound/rev/39cf267db341
Group: core-security
Flags: in-testsuite? → in-testsuite+
https://hg.mozilla.org/mozilla-central/rev/39cf267db341
Assignee: nobody → jruderman