Last Comment Bug 665837 - "ASSERTION: negative length" with -moz-column, rtl, pre-line
: "ASSERTION: negative length" with -moz-column, rtl, pre-line
Status: RESOLVED FIXED
[qa-]
: assertion, testcase
Product: Core
Classification: Components
Component: Layout: Text (show other bugs)
: Trunk
: x86_64 Mac OS X
: -- normal (vote)
: mozilla7
Assigned To: Simon Montagu :smontagu
:
Mentors:
Depends on: 668941 670226
Blocks: randomstyles
  Show dependency treegraph
 
Reported: 2011-06-20 23:24 PDT by Jesse Ruderman
Modified: 2011-09-22 15:23 PDT (History)
6 users (show)
smontagu: in‑testsuite+
See Also:
Crash Signature:
(edit)
QA Whiteboard:
Iteration: ---
Points: ---
Has Regression Range: ---
Has STR: ---
-
wontfix
unaffected
+
fixed


Attachments
testcase (309 bytes, text/html)
2011-06-20 23:24 PDT, Jesse Ruderman
no flags Details
Patch (2.90 KB, patch)
2011-06-21 06:37 PDT, Simon Montagu :smontagu
roc: review+
Details | Diff | Review

Description Jesse Ruderman 2011-06-20 23:24:26 PDT
Created attachment 540686 [details]
testcase

###!!! ASSERTION: negative length: 'GetContentEnd() - mContentOffset >= 0', file /builds/slave/cen-osx64-dbg/build/layout/generic/nsTextFrame.h, line 327
Comment 1 Simon Montagu :smontagu 2011-06-21 06:37:23 PDT
Created attachment 540726 [details] [diff] [review]
Patch
Comment 2 Robert O'Callahan (:roc) (Exited; email my personal email if necessary) 2011-06-21 20:29:08 PDT
Comment on attachment 540726 [details] [diff] [review]
Patch

Review of attachment 540726 [details] [diff] [review]:
-----------------------------------------------------------------

So the problem occurs when the entire continuation chain doesn't cover all the text in the node? When did that happen? Was it just a transient state?
Comment 3 Simon Montagu :smontagu 2011-06-22 03:41:38 PDT
Not the entire continuation chain, the sibling chain. Bug 663295 made us break off walking continuations at the last sibling. I'll edit some of the code comments to make this clearer before checking in.
Comment 4 Daniel Veditz [:dveditz] 2011-06-22 17:22:08 PDT
Assuming sg:critical if there's also a runtime crash, please correct if wrong
Comment 5 Simon Montagu :smontagu 2011-06-26 09:21:55 PDT
No runtime crash in either debug or opt build.
Comment 6 Simon Montagu :smontagu 2011-06-27 09:37:09 PDT
http://hg.mozilla.org/mozilla-central/rev/99c270809649
Comment 7 Daniel Veditz [:dveditz] 2011-07-06 10:53:34 PDT
If there's no crash then what is a crashtest testing?
Comment 8 Jesse Ruderman 2011-07-06 11:23:47 PDT
Assertions :)  The reftest framework catches leaks and assertions in addition to crashes and hangs.  "Crashtest" is short for "Make sure nothing goes horribly and obviously wrong when loading this page".
Comment 9 Daniel Veditz [:dveditz] 2011-07-06 11:33:47 PDT
Should this bug be unhidden then, not a security bug after all?
Comment 10 Daniel Veditz [:dveditz] 2011-07-06 16:33:44 PDT
If it's a security bug we need to land this on mozilla-beta for firefox 6. If it's not then we should stop tracking it for 6 and move on.
Comment 11 Simon Montagu :smontagu 2011-07-08 01:53:47 PDT
The assertion doesn't occur in a current mozilla-beta build, so comment 10 is moot.
Comment 12 Anthony Hughes (:ashughes) [GFX][QA][Mentor] 2011-09-22 15:23:18 PDT
qa- as no QA fix verification needed

Note You need to log in before you can comment on or make changes to this bug.