nsHTMLContentSerializer::AppendElementEnd assumes that any element whose tag name is "script" will implement nsIScriptElement, which isn't true for XUL or for a namespace Gecko doesn't recognize. The code was introduced in bug 305873, "Unclosed script data should not be parsed as HTML". (Other parts of the function appear to make similar assumptions about other tag names: "meta", "pre", etc.) Loading the testcase triggers: ###!!! ASSERTION: What kind of weird script element is this?: 'script', file /Users/jruderman/trunk/mozilla/content/base/src/nsHTMLContentSerializer.cpp, line 778 ###!!! ASSERTION: You can't dereference a NULL nsCOMPtr with operator->().: 'mRawPtr != 0', file ../../../dist/include/xpcom/nsCOMPtr.h, line 847 and a null-dereference crash.

WFM Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.4) Gecko/20070515 Firefox/2.0.0.4

That makes sense, because bug 305873 hasn't been fixed on the branch yet.

crashes trunk build on Windows though

If the script isn't an nsIScriptElement, we don't care about it.

Fix checked into trunk.

Crashtest checked in.