
commit 00f9daab91792a1f748804e3e17f4de4b5c5f42a
parent a892c5d309de24d468e1f9eb102aa11d5fc8d228
Author: Ting-Yu Lin <tlin@mozilla.com>
Date:   Sat, 15 Nov 2025 05:54:48 +0000

Bug 1999396 - Relax an assertion in nsBlockFrame::RemoveFloat(). r=layout-reviewers,emilio

`nsFloatingFirstLetterFrame` might lose its floating style after calling
`nsBlockFrame::UpdateFirstLetterStyle()`. I believe we have existing issues with
`::first-letter` and `::first-line` styling. It's probably related to bug 13610
or bug 548836.

Differential Revision: https://phabricator.services.mozilla.com/D272674

Diffstat:
Mlayout/generic/nsBlockFrame.cpp | 6+++++-
Atesting/web-platform/tests/css/css-pseudo/first-letter-first-line-dynamic-001-crash.html | 19+++++++++++++++++++
2 files changed, 24 insertions(+), 1 deletion(-)

diff --git a/layout/generic/nsBlockFrame.cpp b/layout/generic/nsBlockFrame.cpp
@@ -47,6 +47,7 @@
 #include "nsCSSRendering.h"
 #include "nsDisplayList.h"
 #include "nsError.h"
+#include "nsFirstLetterFrame.h"
 #include "nsFlexContainerFrame.h"
 #include "nsFloatManager.h"
 #include "nsFontMetrics.h"
@@ -6577,7 +6578,10 @@ void nsBlockFrame::RemoveFloat(nsIFrame* aFloat) {
 }
 void nsBlockFrame::DoRemoveFloats(DestroyContext& aContext, nsIFrame* aFrame) {
- MOZ_ASSERT(aFrame->IsFloating(),
+ // Note: nsFloatingFirstLetterFrame might lose its floating style after
+ // nsBlockFrame::UpdateFirstLetterStyle().
+ MOZ_ASSERT(aFrame->IsFloating() || static_cast<nsFloatingFirstLetterFrame*>(
+ do_QueryFrame(aFrame)),
 "DoRemoveFloats() can only remove float elements!");
 // The containing block is always the parent of aFrame.
diff --git a/testing/web-platform/tests/css/css-pseudo/first-letter-first-line-dynamic-001-crash.html b/testing/web-platform/tests/css/css-pseudo/first-letter-first-line-dynamic-001-crash.html
@@ -0,0 +1,19 @@
+<!DOCTYPE html>
+<link rel="help" href="https://bugzilla.mozilla.org/show_bug.cgi?id=1999396">
+<script>
+document.addEventListener("DOMContentLoaded", () => {
+ o3 = document.createElement('div');
+ document.body.appendChild(o3);
+ o14 = document.createElement('style');
+ document.documentElement.appendChild(o14);
+ o18 = document.createElement('style');
+ o14.appendChild(o18);
+ s4 = unescape('%u06A10');
+ o3.appendChild(document.createTextNode(s4));
+ o59 = document.createTextNode("{}:first-letter{ all: inherit;'x'}\n*{ float: left }:first-line{}");
+ o18['before'](o18, -1, o59);
+ document.documentElement.offsetHeight;
+ o3.appendChild(document.createTextNode(s4));
+ o18['before'](o18, -1, o59);
+})
+</script>
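Review bot: The relaxed MOZ_ASSERT in DoRemoveFloats() now accepts a frame whose class is nsFloatingFirstLetterFrame but whose style is no longer floating, and the new comment does not say that this is a workaround or which bug tracks the mismatch. MOZ_ASSERT is compiled out of release builds, so the rest of the function, which continues outside this hunk, already runs on such a frame there. It is worth confirming that nothing below relies on IsFloating() or other style-derived float state when unlinking the frame, because a frame pointer left behind in float bookkeeping would be a memory-safety concern rather than a layout glitch. I would extend the comment to something like `// Workaround for bug 1999396: frame class and computed style can disagree here; tighten again once ::first-letter restyling is fixed.` so the relaxation is not read as the intended invariant.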