Loading the testcase triggers two assertions and corrupts random memory, often leading to a crash later. ###!!! ASSERTION: no element to return: '!empty()', file /Users/jruderman/trunk/mozilla/layout/generic/nsLineBox.h, line 1247 ###!!! ASSERTION: running past end: 'mCurrent != mListLink', file /Users/jruderman/trunk/mozilla/layout/base/../generic/nsLineBox.h, line 620

I'm also seeing (on Linux): ###!!! ASSERTION: ResolveBidi called on non-first continuation: '!GetPrevInFlow()', file nsBlockFrame.cpp, line 6627 The crash is caused by setting a bit in arbitrary memory when |line| is an overflow line and |mLines| is empty: http://bonsai.mozilla.org/cvsblame.cgi?file=/mozilla/layout/generic/nsBlockFrame.cpp&rev=3.866&root=/cvsroot&mark=5225-5226#5197

* fix the assertion in comment 1. * fix the crash. (I'm guessing we don't need to set this bit in case the frame is in an overflow line.) * remove an unused variable

#ifdef IBMBIDI - ResolveBidi(); + if (!GetPrevInFlow()) + ResolveBidi(); #endif // IBMBIDI This is not the correct fix for this. Simon is working on a better fix in bug 394805. + if (!searchingOverflowList && line != mLines.front()) { We should still set the bit when the frame is an overflow line. We just need to check against the right first-line.

Ok, how about the case when it's the first overflow line - do we want to set the bit on the last line (if any) in mLines in that case?

Yes, actually. Good call.

This crash is annoying me, so here's my stab at a patch.

I need review here, Mats

Comment on attachment 282242 [details] [diff] [review] patch rev. 2 Looks good so far, but you forgot the case in comment 4.

Your patch + an added else-block for the first overflow line case.

mozilla/layout/generic/nsBlockFrame.cpp 3.874 mozilla/layout/generic/nsBlockFrame.h 3.252 -> FIXED

v. Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.9a9pre) Gecko/2007110610 Minefield/3.0a9pre

The testcase doesn't trigger any assertions or crashes on branch.

Crashtest checked in.