See testcase, which usually crashes for me directly or after a few reloads (reloads automatically) Talkback ID: TB30143067M nsCharTraits<unsigned short>::length [mozilla/dist/include/string/nschartraits.h, line 370] nsBidiPresUtils::ProcessText [mozilla/layout/base/nsbidipresutils.cpp, line 1515] 0x0012e60c nsROCSSPrimitiveValue::GetCssText [mozilla/layout/style/nsrocssprimitivevalue.cpp, line 199] 0x68016a01 This regressed between 2007-03-04 and 2007-03-05: http://bonsai.mozilla.org/cvsquery.cgi?treeid=default&module=all&branch=HEAD&branchtype=match&dir=&file=&filetype=match&who=&whotype=match&sortby=Date&hours=2&date=explicit&mindate=2007-03-04+04&maxdate=2007-03-05+08&cvsroot=%2Fcvsroot Regression from bug 370588, somehow? The talkback stacktrace seems to indicate this is regression from roc: [mozilla/layout/style/nsrocssprimitivevalue.cpp, line 199] ^^^ Marking security sensitive for now, please open up if this is not necessary.

If you are not the right person to assign this to, please help us find someone that is.

I guess this could be fixed by bug 333659.

(In reply to comment #0) > The talkback stacktrace seems to indicate this is regression from roc: > [mozilla/layout/style/nsrocssprimitivevalue.cpp, line 199] Um, is this intended as a joke? "ro" in that filename means read-only.

This does not crash with new textframe.

Indeed, doesn't seem to crash, using: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9a6pre) Gecko/20070620 Minefield/3.0a6pre (which is a build after the new-text-frame patch landed)

Crash test: https://hg.mozilla.org/integration/mozilla-inbound/rev/659d596caf43