Reproduced with m-c: BuildID=20180523220103 SourceStamp=47e81ea1ef10189ef210867934bf36e14cf223dc Hit MOZ_CRASH(OOM) at src/xpcom/base/nsDebugImpl.cpp:614 #0 NS_ABORT_OOM(unsigned long) src/xpcom/base/nsDebugImpl.cpp:614:3 #1 PLDHashTable::Add(void const*) src/xpcom/ds/PLDHashTable.cpp:619:7 #2 nsIPresShell::AllocateByObjectID(mozilla::ArenaObjectID, unsigned long) src/layout/base/nsIPresShell.h:228:5 #3 nsCellMap::AllocCellData(nsTableCellFrame*) src/layout/tables/nsCellMap.cpp:2607:7 #4 nsCellMap::AppendCell(nsTableCellMap&, nsTableCellFrame*, int, bool, int, mozilla::TableArea&, int*) src/layout/tables/nsCellMap.cpp:1547:22 #5 nsCellMap::RebuildConsideringCells(nsTableCellMap&, int, nsTArray<nsTableCellFrame*>*, int, int, bool) src/layout/tables/nsCellMap.cpp:2261:15 #6 nsTableCellMap::RebuildConsideringCells(nsCellMap*, nsTArray<nsTableCellFrame*>*, int, int, bool, mozilla::TableArea&) src/layout/tables/nsCellMap.cpp #7 nsCellMap::InsertCells(nsTableCellMap&, nsTArray<nsTableCellFrame*>&, int, int, int, mozilla::TableArea&) src/layout/tables/nsCellMap.cpp:1710:10 #8 nsTableCellMap::InsertCells(nsTArray<nsTableCellFrame*>&, int, int, mozilla::TableArea&) src/layout/tables/nsCellMap.cpp:592:16 #9 nsTableFrame::InsertCells(nsTArray<nsTableCellFrame*>&, int, int) src/layout/tables/nsTableFrame.cpp:821:14 #10 nsTableFrame::RowOrColSpanChanged(nsTableCellFrame*) src/layout/tables/nsTableFrame.cpp:367:7 #11 nsCSSFrameConstructor::UpdateTableCellSpans(nsIContent*) src/layout/base/nsCSSFrameConstructor.cpp:9090:33 #12 mozilla::RestyleManager::ProcessRestyledFrames(nsStyleChangeList&) src/layout/base/RestyleManager.cpp:1715:27 #13 mozilla::RestyleManager::DoProcessPendingRestyles(mozilla::ServoTraversalFlags) src/layout/base/RestyleManager.cpp:2993:9 #14 mozilla::PresShell::DoFlushPendingNotifications(mozilla::ChangesToFlush) src/layout/base/PresShell.cpp:4282:41 #15 nsIDocument::FlushPendingNotifications(mozilla::ChangesToFlush) src/dom/base/nsDocument.cpp:7501:12 #16 nsIDocument::FlushPendingNotifications(mozilla::FlushType) src/dom/base/nsDocument.cpp:7440:3 #17 nsDocLoader::DocLoaderIsEmpty(bool) src/uriloader/base/nsDocLoader.cpp:694:14 #18 nsDocLoader::OnStopRequest(nsIRequest*, nsISupports*, nsresult) src/uriloader/base/nsDocLoader.cpp:627:5 #19 non-virtual thunk to nsDocLoader::OnStopRequest(nsIRequest*, nsISupports*, nsresult) src/uriloader/base/nsDocLoader.cpp #20 mozilla::net::nsLoadGroup::RemoveRequest(nsIRequest*, nsISupports*, nsresult) src/netwerk/base/nsLoadGroup.cpp:629:28 #21 nsIDocument::DoUnblockOnload() src/dom/base/nsDocument.cpp:8340:18 #22 nsDocument::UnblockOnload(bool) src/dom/base/nsDocument.cpp:8262:9 #23 nsIDocument::DispatchContentLoadedEvents() src/dom/base/nsDocument.cpp:5224:3 #24 mozilla::detail::RunnableMethodImpl<nsIDocument*, void (nsIDocument::*)(), true, (mozilla::RunnableKind)0>::Run() src/obj-firefox/dist/include/nsThreadUtils.h:1216:13 #25 mozilla::SchedulerGroup::Runnable::Run() src/xpcom/threads/SchedulerGroup.cpp:337:32 #26 nsThread::ProcessNextEvent(bool, bool*) src/xpcom/threads/nsThread.cpp:1090:14 #27 NS_ProcessNextEvent(nsIThread*, bool) src/xpcom/threads/nsThreadUtils.cpp:519:10 #28 mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) src/ipc/glue/MessagePump.cpp:97:21 #29 MessageLoop::RunInternal() src/ipc/chromium/src/base/message_loop.cc:326:10 #30 MessageLoop::Run() src/ipc/chromium/src/base/message_loop.cc:299:3 #31 nsBaseAppShell::Run() src/widget/nsBaseAppShell.cpp:157:27 #32 XRE_RunAppShell() src/toolkit/xre/nsEmbedFunctions.cpp:893:22 #33 mozilla::ipc::MessagePumpForChildProcess::Run(base::MessagePump::Delegate*) src/ipc/glue/MessagePump.cpp:269:9 #34 MessageLoop::RunInternal() src/ipc/chromium/src/base/message_loop.cc:326:10 #35 MessageLoop::Run() src/ipc/chromium/src/base/message_loop.cc:299:3 #36 XRE_InitChildProcess(int, char**, XREChildData const*) src/toolkit/xre/nsEmbedFunctions.cpp:719:34 #37 content_process_main(mozilla::Bootstrap*, int, char**) src/browser/app/../../ipc/contentproc/plugin-container.cpp:50:30 #38 main src/browser/app/nsBrowserApp.cpp:282:18 #39 __libc_start_main /build/glibc-Cl5G7W/glibc-2.23/csu/../csu/libc-start.c:291 #40 _start (firefox+0x423434)

We should probably try harder to make the cell map use fallible allocations. Here this is a single, small allocation via the pres arena, and that API doesn't support fallible allocation, and I'm not sure it would end up freeing memory if we detect this small allocation failure and decide to throw away the cell map or something entirely. There are various comments in nsCellMap.cpp about not handling fallible allocation failures correctly. Or we could redesign the cell map so that it doesn't need to allocate memory for rowspan/colspan values that go past the number of rows and columns we actually have in the DOM.