"ASSERTION: negative length" with -moz-column, rtl, pre-line

RESOLVED FIXED in Firefox 7

Status

Core
Layout: Text
RESOLVED FIXED
6 years ago
6 years ago

People

(Reporter: Jesse Ruderman, Assigned: smontagu)

Tracking

(Blocks: 1 bug, {assertion, testcase})

Trunk
mozilla7
x86_64
Mac OS X
assertion, testcase
Points:
---
Bug Flags:
in-testsuite +

Firefox Tracking Flags

(firefox5- wontfix, firefox6 unaffected, firefox7+ fixed)

Details

(Whiteboard: [qa-])

Attachments

(2 attachments)

(Reporter)

Description

6 years ago
Created attachment 540686: testcase

###!!! ASSERTION: negative length: 'GetContentEnd() - mContentOffset >= 0', file /builds/slave/cen-osx64-dbg/build/layout/generic/nsTextFrame.h, line 327
(Assignee)

Comment 1

6 years ago
Created attachment 540726: Patch
Assignee: nobody → smontagu
Attachment #540726 - Flags: review?(roc)

Comment 2

Comment on attachment 540726 (Patch)

Review of attachment 540726:
-----------------------------------------------------------------

So the problem occurs when the entire continuation chain doesn't cover all the text in the node? When did that happen? Was it just a transient state?
Attachment #540726 - Flags: review?(roc) → review+
(Assignee)

Comment 3

6 years ago
Not the entire continuation chain, the sibling chain. Bug 663295 made us break off walking continuations at the last sibling. I'll edit some of the code comments to make this clearer before checking in.

Comment 4

Assuming sg:critical if there's also a runtime crash, please correct if wrong
Whiteboard: [sg:critical?]

Updated

6 years ago
status-firefox5: --- → wontfix
status-firefox6: --- → affected
status-firefox7: --- → affected
tracking-firefox5: --- → -
tracking-firefox6: --- → +
tracking-firefox7: --- → +
(Assignee)

Comment 5

6 years ago
No runtime crash in either debug or opt build.
Whiteboard: [sg:critical?]
(Assignee)

Comment 6

6 years ago
http://hg.mozilla.org/mozilla-central/rev/99c270809649
Status: NEW → RESOLVED
Last Resolved: 6 years ago
Flags: in-testsuite+
Resolution: --- → FIXED
(Reporter)

Updated

6 years ago
Depends on: 668941

Comment 7

If there's no crash then what is a crashtest testing?
(Reporter)

Comment 8

6 years ago
Assertions :)  The reftest framework catches leaks and assertions in addition to crashes and hangs.  "Crashtest" is short for "Make sure nothing goes horribly and obviously wrong when loading this page".

Comment 9

Should this bug be unhidden then, not a security bug after all?

Comment 10

If it's a security bug we need to land this on mozilla-beta for firefox 6. If it's not then we should stop tracking it for 6 and move on.
status-firefox7: affected → fixed
Target Milestone: --- → mozilla7
(Assignee)

Comment 11

6 years ago
The assertion doesn't occur in a current mozilla-beta build, so comment 10 is moot.
status-firefox6: affected → unaffected
tracking-firefox6: + → ---
Group: core-security
(Assignee)

Updated

6 years ago
Depends on: 670226

Comment 12

qa- as no QA fix verification needed
Whiteboard: [qa-]