###!!! ASSERTION: Invalid offset: 'aOffset <= mSkipChars->mCharCount', file /Users/jruderman/central/gfx/thebes/src/gfxSkipChars.cpp, line 92 ###!!! ASSERTION: aPos out of range: '0 <= aPos && aPos < mCharacterCount', file ../../../dist/include/thebes/gfxFont.h, line 857 Hang

Same assertions as bug 489691

Same first assertion, at least.

What happens here is that when rebuilding text runs after bidi resolution BuildTextRunsScanner::ContinueTextRunAcrossFrames splits the text runs between the Latin text frame and the Arabic text frame (http://mxr.mozilla.org/mozilla-central/source/layout/generic/nsTextFrameThebes.cpp?mark=1316-1325#1299). Later, however, the frame with the Arabic text is removed (http://mxr.mozilla.org/mozilla-central/source/layout/generic/nsLineLayout.cpp?mark=1001-1011#985), and the previous frame is left with offsets pointing beyond the end of its text run. I'm not sure if this is the ideal fix: it might be better to prevent the previous frame from being marked as NS_FRAME_COMPLETE, but I'm not quite sure where that happens.

(The patch fixes bug 489691 also, so I have added crashtests for both bugs)

Comment on attachment 375189 [details] [diff] [review] Patch + if (mPrevContinuation) { + nsTextFrame* textFrame = static_cast<nsTextFrame*>(mPrevContinuation); + if (textFrame) { + textFrame->ClearTextRun(); You don't have to recheck textFrame for null here.

verified FIXED on debug builds (no crash or asserts): Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-US; rv:1.9.1pre) Gecko/20090528 Shiretoko/3.5pre ID:20090528130303 and Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-US; rv:1.9.2a1pre) Gecko/20090528 Minefield/3.6a1pre ID:20090528112613