STEPS TO REPRODUCE 1. <table> 2. Remove the table from the DOM. 3. <div> (bogus element in this context, parser tries to move it outside the table) ACTUAL RESULTS Crash. EXPECTED RESULTS Content should be placed where the table used to be in the DOM. I'm not yet sure exactly what this means if other content is moved around in the DOM. I think if the <table> is no longer inside its original parent, then it should just append the bogus content to the parent.
Reproducible crash -> P1. Thread 0 Crashed: 0 com.apple.WebCore 0x01b4c778 WebCore::TreeShared<WebCore::Node>::parent() const + 20 (Shared.h:57) 1 com.apple.WebCore 0x01b4c7b0 WebCore::Node::parentNode() const + 36 (Node.h:89) 2 com.apple.WebCore 0x017a9a20 WebCore::HTMLParser::handleError(WebCore::Node*, bool, WebCore::AtomicString const&, int) + 6404 (HTMLParser.cpp:490) 3 com.apple.WebCore 0x017aa760 WebCore::HTMLParser::insertNode(WebCore::Node*, bool) + 912 (HTMLParser.cpp:281) 4 com.apple.WebCore 0x017ac178 WebCore::HTMLParser::parseToken(WebCore::Token*) + 1388 (HTMLParser.cpp:208) 5 com.apple.WebCore 0x017b006c WebCore::HTMLTokenizer::processToken() + 564 (HTMLTokenizer.cpp:1628) 6 com.apple.WebCore 0x017b37c0 WebCore::HTMLTokenizer::parseTag(WebCore::SegmentedString&, WebCore::HTMLTokenizer::State) + 7376 (HTMLTokenizer.cpp:1206) 7 com.apple.WebCore 0x017b43ec WebCore::HTMLTokenizer::write(WebCore::SegmentedString const&, bool) + 1744 (HTMLTokenizer.cpp:1432) 8 com.apple.WebCore 0x018a1728 WebCore::Frame::write(char const*, int) + 952 (Frame.cpp:654)
Thanks for the bug. I chose not to make it match your test case for now (since both FireFox and IE fail your test), but I did fix the crash.
Created attachment 7953 [details] Fixes crash
Comment on attachment 7953 [details] Fixes crash r=me