The testcase that I'll attach crashes my recent Firefox trunk build. Basically the testcase consists of this: <html><head><style> a:hover, a:hover+br{display:table-row;} </style></head><body> <a href="#">Hovering over the link should not crash Mozilla</a><br> </body></html> Talkback ID's: http://talkback-public.mozilla.org/talkback/fastfind.jsp?search=2&type=iid&id=TB2684548X http://talkback-public.mozilla.org/talkback/fastfind.jsp?search=2&type=iid&id=TB2684252W http://talkback-public.mozilla.org/talkback/fastfind.jsp?search=2&type=iid&id=TB2683947H They look all the same to me, so I'll post here just one stack trace: 0x11d33efa nsTableFrame::AdjustRowIndices [c:/builds/tinderbox/firefox/WINNT_5.0_Clobber/mozilla/layout/tables/nsTableFrame.cpp, line 654] nsTableFrame::RemoveRows [c:/builds/tinderbox/firefox/WINNT_5.0_Clobber/mozilla/layout/tables/nsTableFrame.cpp, line 1217] nsTableRowGroupFrame::RemoveFrame [c:/builds/tinderbox/firefox/WINNT_5.0_Clobber/mozilla/layout/tables/nsTableRowGroupFrame.cpp, line 1446] nsFrameManager::RemoveFrame [c:/builds/tinderbox/firefox/WINNT_5.0_Clobber/mozilla/layout/base/nsFrameManager.cpp, line 740] nsCSSFrameConstructor::ContentRemoved [c:/builds/tinderbox/firefox/WINNT_5.0_Clobber/mozilla/layout/base/nsCSSFrameConstructor.cpp, line 9751] nsCSSFrameConstructor::RecreateFramesForContent [c:/builds/tinderbox/firefox/WINNT_5.0_Clobber/mozilla/layout/base/nsCSSFrameConstructor.cpp, line 11557] nsCSSFrameConstructor::RestyleElement [c:/builds/tinderbox/firefox/WINNT_5.0_Clobber/mozilla/layout/base/nsCSSFrameConstructor.cpp, line 10147] nsCSSFrameConstructor::ProcessPendingRestyles [c:/builds/tinderbox/firefox/WINNT_5.0_Clobber/mozilla/layout/base/nsCSSFrameConstructor.cpp, line 13562] PresShell::FlushPendingNotifications [c:/builds/tinderbox/firefox/WINNT_5.0_Clobber/mozilla/layout/base/nsPresShell.cpp, line 4968] nsEventStateManager::FlushPendingEvents [c:/builds/tinderbox/firefox/WINNT_5.0_Clobber/mozilla/content/events/src/nsEventStateManager.cpp, line 4421] PresShell::HandleEventInternal [c:/builds/tinderbox/firefox/WINNT_5.0_Clobber/mozilla/layout/base/nsPresShell.cpp, line 5914] PresShell::HandleEvent [c:/builds/tinderbox/firefox/WINNT_5.0_Clobber/mozilla/layout/base/nsPresShell.cpp, line 5772] nsViewManager::HandleEvent [c:/builds/tinderbox/firefox/WINNT_5.0_Clobber/mozilla/view/src/nsViewManager.cpp, line 2402] nsViewManager::DispatchEvent [c:/builds/tinderbox/firefox/WINNT_5.0_Clobber/mozilla/view/src/nsViewManager.cpp, line 2127] HandleEvent [c:/builds/tinderbox/firefox/WINNT_5.0_Clobber/mozilla/view/src/nsView.cpp, line 174] nsWindow::DispatchEvent [c:/builds/tinderbox/firefox/WINNT_5.0_Clobber/mozilla/widget/src/windows/nsWindow.cpp, line 1102] nsWindow::DispatchMouseEvent [c:/builds/tinderbox/firefox/WINNT_5.0_Clobber/mozilla/widget/src/windows/nsWindow.cpp, line 5387] ChildWindow::DispatchMouseEvent [c:/builds/tinderbox/firefox/WINNT_5.0_Clobber/mozilla/widget/src/windows/nsWindow.cpp, line 5638] nsWindow::WindowProc [c:/builds/tinderbox/firefox/WINNT_5.0_Clobber/mozilla/widget/src/windows/nsWindow.cpp, line 1383] USER32.dll + 0x27b17 (0x77d37b17) USER32.dll + 0x2cdce (0x77d3cdce) USER32.dll + 0x4435 (0x77d14435) USER32.dll + 0x9611 (0x77d19611) nsAppStartup::Run [c:/builds/tinderbox/firefox/WINNT_5.0_Clobber/mozilla/toolkit/components/startup/src/nsAppStartup.cpp, line 156] main [c:/builds/tinderbox/firefox/WINNT_5.0_Clobber/mozilla/browser/app/nsBrowserApp.cpp, line 60] kernel32.dll + 0x1eb69 (0x77e5eb69)

Frame dump just before this line (which casts it into nsTableRowFrame*): http://bonsai.mozilla.org/cvsblame.cgi?file=mozilla/layout/tables/nsTableFrame.cpp&rev=3.599&root=/cvsroot&mark=653#645 ++++++++++++++++++++++++++++++++++++++++ TableRow(a)(3)@0x85219a4 next=0x8522014 {0,0,5320,294} [state=00010004] [content=0x86c0cb0] [sc=0x86bf040]< TableCell(a)(3)@0x8521b04 {0,0,5320,294} [state=00000004] [content=0x86c0cb0] [sc=0x8521a80] pst=:-moz-table-cell< Block(a)(3)@0x8521b64 {0,0,5320,294} [state=00c00004] sc=0x8521c10(i=1,b=0) pst=:-moz-cell-content< line 0x8521d00: count=1 state=inline,clean,prevmarginclean,not impacted,not wrapped,before:nobr,after:nobr[0x4100] mew=1008 {0,0,5320,294} < Text(0)@0x8521cc0[0,47,T] {0,0,5320,294} [state=40200034] sc=0x8521c94 pst=:-moz-non-element< "Hovering over the link should not crash Mozilla" > > > > > ---------------------------------------- ++++++++++++++++++++++++++++++++++++++++ Frame(br)(4)@0x8522014 {0,294,0,0} [state=00000024] [content=0x86c0d68] ---------------------------------------- The same problem occurs for <img> (and probably others too) but that does not crash for some reason.

testcase crashes current nightly: Mozilla/5.0 (Windows; U; Win98; en-US; rv:1.8a6) Gecko/20041222 TB2697346G http://talkback-public.mozilla.org/talkback/fastfind.jsp?search=2&type=iid&id=TB2697346G

The basic issue is that ConstructHTMLFrame doesn't do pseudo-frames right, just like in bug 269566. I bet fixing that bug would fix this one too.

Fixed by checkin for bug 269566

Verified FIXED using the testcase at https://bugzilla.mozilla.org/attachment.cgi?id=169332 with build 2005-01-26-06 on Windows XP, Seamonkey trunk.

I tried writing a crashtest for this that would actually crash in the old builds, but can't quite manage to do that... The attachment here crashes, of course, but setting the styles via JS doesn't seem to. Martijn, want to give this a shot?