Bug 488388. Handle inserts at the end of a colgroup that has anonymous colframe kids. r=bernd, sr=roc
authorBoris Zbarsky <bzbarsky@mit.edu>
Wed, 15 Apr 2009 17:44:53 -0400
changeset 27376 178916d78891fc35a9f8259966145caad069b274
parent 27375 c326ec77e6e141dc888b4b45d2e517da53e5aed1
child 27377 9dc4b85b3470cb71593422d21f8ad60f1a922052
push idunknown
push userunknown
push dateunknown
reviewersbernd, roc
bugs488388
milestone1.9.2a1pre
Bug 488388. Handle inserts at the end of a colgroup that has anonymous colframe kids. r=bernd, sr=roc
layout/tables/crashtests/488388-1.html
layout/tables/crashtests/crashtests.list
layout/tables/nsTableColGroupFrame.cpp
new file mode 100644
--- /dev/null
+++ b/layout/tables/crashtests/488388-1.html
@@ -0,0 +1,21 @@
+<!DOCTYPE html>
+<html>
+<head>
+<script type="text/javascript">
+
+function boom()
+{
+  var table = document.createElement('table');
+  document.body.appendChild(table);
+  var colgroup = document.createElement('colgroup');
+  table.appendChild(colgroup);
+  var col = document.createElement('col');
+  colgroup.appendChild(col);
+}
+
+
+</script>
+</head>
+
+<body onload="boom();"></body>
+</html>
--- a/layout/tables/crashtests/crashtests.list
+++ b/layout/tables/crashtests/crashtests.list
@@ -74,8 +74,9 @@ load 411582.xhtml
 load 413180-1.html
 load 416845-1.xhtml
 load 416845-2.xhtml
 load 416845-3.html   
 load 423514-1.xhtml
 load 456041.html
 load 457115.html
 load 467141-1.html
+load 488388-1.html
--- a/layout/tables/nsTableColGroupFrame.cpp
+++ b/layout/tables/nsTableColGroupFrame.cpp
@@ -262,18 +262,24 @@ nsTableColGroupFrame::InsertFrames(nsIAt
 
   nsTableColFrame* col = GetFirstColumn();
   nsTableColFrame* nextCol;
   while (col && col->GetColType() == eColAnonymousColGroup) {
     // this colgroup spans one or more columns but now that there is a
     // real column below, spanned anonymous columns should be removed,
     // since the HTML spec says to ignore the span of a colgroup if it
     // has content columns in it.
-    NS_ASSERTION(col != aPrevFrame, "Bad aPrevFrame");
     nextCol = col->GetNextCol();
+    if (col == aPrevFrame) {
+      // This can happen when we're being appended to
+      NS_ASSERTION(!nextCol || nextCol->GetColType() != eColAnonymousColGroup,
+                   "Inserting in the middle of our anonymous cols?");
+      // We'll want to insert at the beginning
+      aPrevFrame = nsnull;
+    }
     RemoveFrame(nsnull, col);
     col = nextCol;
   }
 
   NS_ASSERTION(!aPrevFrame || aPrevFrame == aPrevFrame->GetLastContinuation(),
                "Prev frame should be last in continuation chain");
   NS_ASSERTION(!aPrevFrame || !GetNextColumn(aPrevFrame) ||
                GetNextColumn(aPrevFrame)->GetColType() != eColAnonymousCol,