Last Comment Bug 665837 - "ASSERTION: negative length" with -moz-column, rtl, pre-line
: "ASSERTION: negative length" with -moz-column, rtl, pre-line
: assertion, testcase
Product: Core
Classification: Components
Component: Layout: Text (show other bugs)
: Trunk
: x86_64 Mac OS X
-- normal (vote)
: mozilla7
Assigned To: Simon Montagu :smontagu
Depends on: 668941 670226
Blocks: randomstyles
  Show dependency treegraph
Reported: 2011-06-20 23:24 PDT by Jesse Ruderman
Modified: 2011-09-22 15:23 PDT (History)
6 users (show)
smontagu: in‑testsuite+
See Also:
Crash Signature:
QA Whiteboard:
Iteration: ---
Points: ---
Has Regression Range: ---
Has STR: ---

testcase (309 bytes, text/html)
2011-06-20 23:24 PDT, Jesse Ruderman
no flags Details
Patch (2.90 KB, patch)
2011-06-21 06:37 PDT, Simon Montagu :smontagu
roc: review+
Details | Diff | Splinter Review

Description User image Jesse Ruderman 2011-06-20 23:24:26 PDT
Created attachment 540686 [details]

###!!! ASSERTION: negative length: 'GetContentEnd() - mContentOffset >= 0', file /builds/slave/cen-osx64-dbg/build/layout/generic/nsTextFrame.h, line 327
Comment 1 User image Simon Montagu :smontagu 2011-06-21 06:37:23 PDT
Created attachment 540726 [details] [diff] [review]
Comment 2 User image Robert O'Callahan (:roc) (email my personal email if necessary) 2011-06-21 20:29:08 PDT
Comment on attachment 540726 [details] [diff] [review]

Review of attachment 540726 [details] [diff] [review]:

So the problem occurs when the entire continuation chain doesn't cover all the text in the node? When did that happen? Was it just a transient state?
Comment 3 User image Simon Montagu :smontagu 2011-06-22 03:41:38 PDT
Not the entire continuation chain, the sibling chain. Bug 663295 made us break off walking continuations at the last sibling. I'll edit some of the code comments to make this clearer before checking in.
Comment 4 User image Daniel Veditz [:dveditz] 2011-06-22 17:22:08 PDT
Assuming sg:critical if there's also a runtime crash, please correct if wrong
Comment 5 User image Simon Montagu :smontagu 2011-06-26 09:21:55 PDT
No runtime crash in either debug or opt build.
Comment 6 User image Simon Montagu :smontagu 2011-06-27 09:37:09 PDT
Comment 7 User image Daniel Veditz [:dveditz] 2011-07-06 10:53:34 PDT
If there's no crash then what is a crashtest testing?
Comment 8 User image Jesse Ruderman 2011-07-06 11:23:47 PDT
Assertions :)  The reftest framework catches leaks and assertions in addition to crashes and hangs.  "Crashtest" is short for "Make sure nothing goes horribly and obviously wrong when loading this page".
Comment 9 User image Daniel Veditz [:dveditz] 2011-07-06 11:33:47 PDT
Should this bug be unhidden then, not a security bug after all?
Comment 10 User image Daniel Veditz [:dveditz] 2011-07-06 16:33:44 PDT
If it's a security bug we need to land this on mozilla-beta for firefox 6. If it's not then we should stop tracking it for 6 and move on.
Comment 11 User image Simon Montagu :smontagu 2011-07-08 01:53:47 PDT
The assertion doesn't occur in a current mozilla-beta build, so comment 10 is moot.
Comment 12 User image Anthony Hughes (:ashughes) [GFX][QA][Mentor] 2011-09-22 15:23:18 PDT
qa- as no QA fix verification needed

Note You need to log in before you can comment on or make changes to this bug.