Closed
Bug 665837
Opened 13 years ago
Closed 13 years ago
"ASSERTION: negative length" with -moz-column, rtl, pre-line
Categories
(Core :: Layout: Text and Fonts, defect)
Tracking
()
RESOLVED
FIXED
mozilla7
| Tracking | Status | |
|---|---|---|
| firefox5 | - | wontfix |
| firefox6 | --- | unaffected |
| firefox7 | + | fixed |
People
(Reporter: jruderman, Assigned: smontagu)
References
Details
(Keywords: assertion, testcase, Whiteboard: [qa-])
Attachments
(2 files)
|
309 bytes,
text/html
|
Details | |
|
2.90 KB,
patch
|
roc
:
review+
|
Details | Diff | Splinter Review |
###!!! ASSERTION: negative length: 'GetContentEnd() - mContentOffset >= 0', file /builds/slave/cen-osx64-dbg/build/layout/generic/nsTextFrame.h, line 327
|
Assignee | |
Comment 1•13 years ago
|
||
Assignee: nobody → smontagu
Attachment #540726 -
Flags: review?(roc)
Comment on attachment 540726 [details] [diff] [review]
Patch
Review of attachment 540726 [details] [diff] [review]:
-----------------------------------------------------------------
So the problem occurs when the entire continuation chain doesn't cover all the text in the node? When did that happen? Was it just a transient state?
Attachment #540726 -
Flags: review?(roc) → review+
|
|
Assignee | |
Comment 3•13 years ago
|
||
Not the entire continuation chain, the sibling chain. Bug 663295 made us break off walking continuations at the last sibling. I'll edit some of the code comments to make this clearer before checking in.
|
||
Comment 4•13 years ago
|
||
Assuming sg:critical if there's also a runtime crash, please correct if wrong
Whiteboard: [sg:critical?]
|
||
Updated•13 years ago
|
status-firefox5:
--- → wontfix
status-firefox6:
--- → affected
status-firefox7:
--- → affected
tracking-firefox5:
--- → -
tracking-firefox6:
--- → +
tracking-firefox7:
--- → +
|
|
Assignee | |
Comment 5•13 years ago
|
||
No runtime crash in either debug or opt build.
Whiteboard: [sg:critical?]
|
|
Assignee | |
Comment 6•13 years ago
|
||
Status: NEW → RESOLVED
Closed: 13 years ago
Flags: in-testsuite+
Resolution: --- → FIXED
|
|
||
Comment 7•13 years ago
|
||
If there's no crash then what is a crashtest testing?
|
Reporter | |
Comment 8•13 years ago
|
||
Assertions :) The reftest framework catches leaks and assertions in addition to crashes and hangs. "Crashtest" is short for "Make sure nothing goes horribly and obviously wrong when loading this page".
|
|
||
Comment 9•13 years ago
|
||
Should this bug be unhidden then, not a security bug after all?
|
|
||
Comment 10•13 years ago
|
||
If it's a security bug we need to land this on mozilla-beta for firefox 6. If it's not then we should stop tracking it for 6 and move on.
Target Milestone: --- → mozilla7
|
|
Assignee | |
Comment 11•13 years ago
|
||
The assertion doesn't occur in a current mozilla-beta build, so comment 10 is moot.
tracking-firefox6:
+ → ---
|
|
||
Updated•13 years ago
|
Group: core-security
You need to log in
before you can comment on or make changes to this bug.
Description
•