See https://bugzilla.mozilla.org/show_bug.cgi?id=265867#c28

    <DIV STYLE="display:table-column-group;">
      <DIV>Hello</DIV>
    </DIV>

The inner div should not create a frame; even if by some code path it does, it should never be reflown. Patch coming soon.
Note that the same is true for table-column frames. Please make sure to fix ContentAppended and ContentInserted, not just TableProcessChild...
Mozilla/5.0 (Macintosh; U; PPC Mac OS X Mach-O; en-US; rv:1.8b) Gecko/20050201 Firefox/1.0+ The testcase referenced at http://exchangecode.com/crashbugs/265867.html crashes on the Mac.
Hixie at w3c-style:

On Mon, 31 Jan 2005, Boris Zbarsky wrote:
>>
>> Section 17.2.1 seems to miss a few cases of nesting of various types of table
>> elements. In particular, I am interested in the following cases:
>>
>> 1) A child T of a table-column-group P when T is not a table-column
>> 2) A child T of a table-column P

No anonymous boxes are created in those cases (since nothing is described in that section).

>> Should any sort of anonymous objects be generated in these cases? If not,
>> what should be the rendering?

# Elements with 'display' set to 'table-column' or 'table-column-group'
# are not rendered (exactly as if they had 'display: none'), but they are
# useful, because they may have attributes which induce a certain style
# for the columns they represent."
-- http://www.w3.org/TR/CSS21/tables.html#q2
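An added sketch of the rule discussed in the comments above (not Gecko code and not taken from the bug's patch): a toy frame-construction model in which one predicate suppresses frames for children of table-column and table-column-group parents, and the initial and dynamic construction paths all go through it. Every function name and the tree shape are assumptions made for illustration.

```javascript
// Added model, not Gecko source: all names below are hypothetical.
// One predicate decides frame creation for every construction path.
function mayCreateFrame(parentDisplay, childDisplay) {
  if (childDisplay === "none") return false;
  if (parentDisplay === "table-column") return false;      // case 2: no child gets a frame
  if (parentDisplay === "table-column-group")               // case 1: only columns survive
    return childDisplay === "table-column";
  return true;
}

const node = (id, display, children = []) => ({ id, display, children });

// Initial construction: a suppressed node's whole subtree is skipped,
// so the model never holds a frame for anything below it.
function construct(n, parent, built) {
  const parentDisplay = parent ? parent.display : "block";
  if (!mayCreateFrame(parentDisplay, n.display)) return built;
  built.push(n.id);
  for (const child of n.children) construct(child, n, built);
  return built;
}

// Dynamic paths reuse construct(), and with it the same predicate.
function contentAppended(parent, child, built) {
  parent.children.push(child);
  return built.includes(parent.id) ? construct(child, parent, built) : built;
}

function contentInserted(parent, child, index, built) {
  parent.children.splice(index, 0, child);
  return built.includes(parent.id) ? construct(child, parent, built) : built;
}

// Constructed input mirroring the testcase: a block child inside a
// display:table-column-group element, then later DOM mutations.
function runConstructedCase() {
  const group = node("group", "table-column-group", [node("hello", "block")]);
  const built = construct(node("root", "block", [group]), null, []);
  contentAppended(group, node("late", "block"), built);      // suppressed
  const col = node("col", "table-column");
  contentInserted(group, col, 0, built);                      // allowed
  contentAppended(col, node("inner", "inline"), built);      // suppressed
  return built;
}

console.log(runConstructedCase()); // [ 'root', 'group', 'col' ]
```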
Keywords: crash, testcase
Created attachment 173781 [details] [diff] [review] revised patch
Comment on attachment 173781 [details] [diff] [review] revised patch r+sr=bzbarsky
Comment on attachment 173781 [details] [diff] [review] revised patch I tested the patch; it fixes one of these mangleme crashes
Attachment #173781 - Flags: approval1.8b?
Severity: normal → critical
Comment on attachment 173781 [details] [diff] [review] revised patch a=asa for 1.8b checkin
Attachment #173781 - Flags: approval1.8b? → approval1.8b+
fix checked in
Status: NEW → RESOLVED
Last Resolved: 13 years ago
Resolution: --- → FIXED
*** Bug 282172 has been marked as a duplicate of this bug. ***
in-testsuite+ covered by the crashtest for bug 265867 (in my tree, will push soon).