taking, Can I add Martin Wargers to security related bugs, he is a testcase createur extraordinaire

Yes.

I managed to reduce it a bit further, but it is still not minimal. When you get a slow script warning, just continue. After the page has finished consuming all cpu, click once in the page to get the crash. The style table { border-collapse: collapse; } seems also necessary to trigger the crash.

This is how the dom source looks like of the parentNode of allNodes[60] just before the crash. allNodes[60] is the second td.

I see the crash with attachment 196333 as described in comment 4

I tried today to get this testcase down to something reasonable, but failed. Is there any known way how to rewind these random things into something usefull? With the attached testcase its impossible for me to debug this.

Martijn, that testcase is great, its reasonable small, crashes and is debugable.

Bernd, is this patch ready for review?

I need to rtest the patch and to add some comments at least to the bug or better to the source to get this into a shape where I can ask Boris to review this.

The problem here is that rebuild cellmap relied on Appendcells to increase the mRowCount. This fails if an empty row is in the table, as AppendCells will not be called in this case. Only when the rows are to be added or to be removed we know for certain that they are real and not dead rows so putting the burden here at AppendCells is wrong.

fix checked in

Comment on attachment 197277 [details] [diff] [review] patch Did this land on trunk or branch?

This has so far landed on trunk but not branch.

I am not sure that I will be able to checkin before friday, if this is urgent then please check it in before.

fixed on branch

Using Mozilla/5.0 (Macintosh; U; PPC Mac OS X Mach-O; en-US; rv:1.8b5) Gecko/20050928 Firefox/1.4, I still crash using the first test case, as well as the fourth test case. Reopening. Talkback ID is TB9840133M for the first testcase. Running OSX 10.4.2.

resolving fixed again - I will test tomorrow. Misread the checkin date. sorry.

Looks good using Mozilla/5.0 (Macintosh; U; PPC Mac OS X Mach-O; en-US; rv:1.8b5) Gecko/20050929 Firefox/1.4. No crashes with any of the test cases. If I run the first test case, Firefox does throw up an alert "Unresponsive script." Is this expected?

crash test landed http://hg.mozilla.org/mozilla-central/rev/6336a2d9d0d9