Created attachment 444324 [details] testcase (may crash Firefox when loaded) nsTextBoxFrame::UpdateAccessTitle tried to subtract 1 from 0 and got 2^32-1. ###!!! ASSERTION: index exceeds allowable range: 'i <= mLength', file nsTString.h, line 129 At least on a 64-bit system, a crash immediately follows the assertion. #5 0x00007f9f2e7b9422 in nsString::CharAt (this=0x7f9f13b78ac8, i=4294967295) at ../../../dist/include/nsTString.h:130 #6 0x00007f9f2e7b9448 in nsString::operator (this=0x7f9f13b78ac8, i=4294967295) at ../../../dist/include/nsTString.h:135 #7 0x00007f9f2ec81bcd in nsTextBoxFrame::UpdateAccessTitle (this=0x7f9f13b78a78) at layout/xul/base/src/nsTextBoxFrame.cpp:878 #8 0x00007f9f2ec7fc9e in nsTextBoxFrame::UpdateAccesskey (this=0x7f9f13b78a78, aWeakThis=...) at layout/xul/base/src/nsTextBoxFrame.cpp:264 #9 0x00007f9f2ec82b13 in nsAsyncAccesskeyUpdate::ReflowFinished (this=0x7f9f13b91060) at layout/xul/base/src/nsTextBoxFrame.cpp:224
Reported on 64-bit Linux. I can't reproduce even the assertion on 32-bit Mac.
Created attachment 444469 [details] [diff] [review] patch The title consists of only the ellipsis, so the offset is zero, and we check the character before to see if it is a space. If we are at the start then we don't want to insert a separating space.
Landed http://hg.mozilla.org/mozilla-central/rev/e40cbab6a972 but backed out because something in the push was causing orange http://hg.mozilla.org/mozilla-central/rev/01befa5163ee
Comment on attachment 444469 [details] [diff] [review] patch Approved for 22.214.171.124 and 126.96.36.199, a=dveditz for release-drivers
Verified for 1.9.2 on 64-bit Ubuntu 10.4 with Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:188.8.131.52pre) Gecko/20100622 Namoroka/3.6.6pre. Crashes the 184.108.40.206 release with attached testcase.
Added crashtest http://hg.mozilla.org/mozilla-central/rev/ec7b4a08a04e