More proof this is probably the same as bug 310426: it doesn't crash with the 2005-09-20 build, but crashes with the 2005-09-21 build (which is the same regression range as bug 310505, which is essentially a dupe of bug 310426).
realCell is null on line 2318 of nsTableFrame.cpp. Adding a null check to the if(realCell != lastCell) line above would stop the crash, but I have no idea if it's the right thing to do: Are null cells something normal this code should be coping with, or is the fact we have a null cell the real problem?
Created attachment 204293: testcase (WARNING: crashes onload). The code is simply wrong; it is seldom executed, so it's a very old bug.
Created attachment 204294: patch. This makes the code more symmetric to http://lxr.mozilla.org/mozilla/source/layout/tables/nsTableFrame.cpp#2444
Fix checked in. Martijn, could you please test with a build that has the patch and open a new bug with security flag and a new stacktrace?
Ok, I filed bug 318451.
Comment on attachment 204294 (patch): low risk null check, I think it's branch-worthy. If not 126.96.36.199 then 1.8.1 (or how you name it) for sure.
Comment on attachment 204294 (patch): Please land in both 1.8.1 and 1.8.0 branches.
fixed on branches
Verified the _specified_ crash no longer occurs on Windows with 188.8.131.52. Firefox 184.108.40.206 hangs now and requires the process to be killed. Trunk crashes with a newer, uglier stack, which appears in bug 322704.
verified no crash with the testcase on 220.127.116.11, 1.8.1, 1.9a1 on windows.
crash test landed http://hg.mozilla.org/mozilla-central/rev/4d671f0bafad