run-mangleme-tests 0x58c22e11 or download and open the attached file (if uses a refresh, so opening form Bugzilla won't work). Crashes reliably, but in a different place each time. Using run-mangleme-tests with --guard-malloc could perhaps help to isolate the problem.
Created attachment 7793 [details] test case
Created attachment 7802 [details] Reduced test case Memory smashing happens at render_frames.cpp:303 when the column- (or row-)length array is empty: gridLayout[gridLen - 1] += remainingLen[k];
Created attachment 7804 [details] One way to fix this
Comment on attachment 7804 [details] One way to fix this Seems to me that for an empty length array we should return len of 0, not 1. But returning 0 from toLengthArray does seem like a good idea when the string is empty. On the other hand, we could just change if (grid) to if (grid && gridLen) and leave toLengthArray alone, I think.
(In reply to comment #4) > Seems to me that for an empty length array we should return len of 0, not 1. Returning 1 makes WebKit match Firefox and WinIE's behavior when the cols (rows) attribute is an empty string, which is to make one column (row), and leaves everything in the state it would be if the attribute wasn't specified at all. > On the other hand, we could just change if (grid) to if (grid && gridLen) and > leave toLengthArray alone, I think. That alone would not fix the compatibility issue.
Created attachment 7942 [details] Patch, including layout test and change log Please see also my previous comment. I don't think you can test for the memory smasher.
Comment on attachment 7942 [details] Patch, including layout test and change log OK. I'm convinced. r=me