Fixing crasher bug 73331. When cleaning up incorrect content in the HTML content sink we ended up creating frames for content that was about to be taken out of the document shortly after only to be inserted into the document again at a different place, this caused frame construction to happen for the new content that was about to be moved. So we created frames for no good reason and the frames we created got destroyed immediately after they've been created. The frame construction left old frames around that held on to anonymous content that was partly torn down and didn't have a valid document pointer, this caused a crash later on in the style resolution code. r=harishd@netscape.com, sr=vidur@netscape.com, a=drivers@mozilla.org (blizzard@mozilla.org).

jst%netscape.com 2001-05-30 02:25:52 +00:00
Родитель d6e2839371
Коммит 6f138c7969
2 изменённых файлов: 21 добавлений и 13 удалений


@ -340,7 +340,9 @@ public:
nsString* mTitle;
nsString mUnicodeXferBuf;
PRBool mLayoutStarted;
PRPackedBool mLayoutStarted;
PRPackedBool mIsDemotingContainer;
PRInt32 mInScript;
PRInt32 mInNotification;
nsIDOMHTMLFormElement* mCurrentForm;
@ -1517,6 +1519,8 @@ SetDocumentInChildrenOf(nsIContent* aContent,
nsresult
SinkContext::DemoteContainer(const nsIParserNode& aNode)
{
mSink->mIsDemotingContainer = PR_TRUE;
nsresult result = NS_OK;
nsHTMLTag nodeType = nsHTMLTag(aNode.GetNodeType());
@ -1548,7 +1552,7 @@ SinkContext::DemoteContainer(const nsIParserNode& aNode)
sync = PR_TRUE;
}
// Otherwise just append the container to the parent without
// notification (it the container hasn't already been appended)
// notification (if the container hasn't already been appended)
else if (!(mStack[stackPos].mFlags & APPENDED)) {
mSink->mInNotification++;
parent->AppendChildTo(container, PR_FALSE, PR_FALSE);
@ -1670,7 +1674,9 @@ SinkContext::DemoteContainer(const nsIParserNode& aNode)
UpdateChildCounts();
}
}
mSink->mIsDemotingContainer = PR_FALSE;
return result;
}
@ -4375,7 +4381,8 @@ HTMLContentSink::BeginUpdate(nsIDocument *aDocument)
// notification to occur. Since this could result in frame
// creation, make sure we've flushed everything before we
// continue
if (mInScript && !mInNotification && mCurrentContext) {
if (mInScript && !mInNotification && mCurrentContext &&
!mIsDemotingContainer) {
result = mCurrentContext->FlushTags(PR_TRUE);
}
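Review bot: mIsDemotingContainer is raised at the top of SinkContext::DemoteContainer and cleared only by the single assignment before the final `return result;`, so any earlier exit in the part of the body that lies outside these hunks would leave it set and BeginUpdate would keep skipping FlushTags. If DemoteContainer can be re-entered, the inner call also clears the flag while the outer call is still moving content, which reopens the window in which frames get built for content that is about to leave the document. A scoped guard that saves the previous value and restores it in its destructor covers both cases, as sketched below. The new member also needs an explicit PR_FALSE in the HTMLContentSink constructor unless the class zeroes its storage, which is not visible here.

```cpp
// Constructed helper: restores the previous flag value on every exit path.
class AutoDemotingFlag {
public:
  AutoDemotingFlag(PRPackedBool& aFlag) : mFlag(aFlag), mOld(aFlag) { mFlag = PR_TRUE; }
  ~AutoDemotingFlag() { mFlag = mOld; }
private:
  PRPackedBool& mFlag;
  PRPackedBool mOld;
};

nsresult
SinkContext::DemoteContainer(const nsIParserNode& aNode)
{
  AutoDemotingFlag demoting(mSink->mIsDemotingContainer);
  // … unchanged: rest of DemoteContainer, without the manual reset before `return result;` …
```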


@ -667,7 +667,7 @@ nsDOMClassInfo::Init()
elt, getter_AddRefs(old));
nsCOMPtr<nsIScriptSecurityManager> sm =
do_GetService("@mozilla.org/scriptsecuritymanager;1", &rv);
do_GetService("@mozilla.org/scriptsecuritymanager;1", &rv);
NS_ENSURE_SUCCESS(rv, rv);
sSecMan = sm;
NS_ADDREF(sSecMan);
@ -1120,7 +1120,7 @@ nsWindowSH::doCheckWriteAccess(JSContext *cx, JSObject *obj, jsval id,
// following lines ensure that the exception is propagated.
nsCOMPtr<nsIXPCNativeCallContext> cnccx;
rv = sXPConnect->GetCurrentNativeCallContext(getter_AddRefs(cnccx));
sXPConnect->GetCurrentNativeCallContext(getter_AddRefs(cnccx));
if (cnccx)
cnccx->SetExceptionWasThrown(PR_TRUE);
@ -2156,7 +2156,7 @@ nsNamedArraySH::GetProperty(nsIXPConnectWrappedNative *wrapper, JSContext *cx,
return NS_OK;
}
// Fall through to nsArraySH::GetProperty() here
return NS_OK; // Don't fall through to nsArraySH::GetProperty() here
}
return nsArraySH::GetProperty(wrapper, cx, obj, id, vp, _retval);
@ -2489,12 +2489,13 @@ nsHTMLFormElementSH::GetProperty(nsIXPConnectWrappedNative *wrapper,
return WrapNative(cx, ::JS_GetGlobalObject(cx), result,
NS_GET_IID(nsISupports), vp);
}
return NS_OK; // Don't fall through
}
int32 n = -1;
if ((JSVAL_IS_NUMBER(id) || JSVAL_IS_STRING(id)) &&
::JS_ValueToECMAInt32(cx, id, &n) && n >= 0) {
if (JSVAL_IS_NUMBER(id) && ::JS_ValueToECMAInt32(cx, id, &n) && n >= 0) {
nsCOMPtr<nsIFormControl> control;
form->GetElementAt(n, getter_AddRefs(control));
@ -2586,7 +2587,7 @@ nsHTMLSelectElementSH::SetProperty(nsIXPConnectWrappedNative *wrapper,
{
int32 n = -1;
if ((!JSVAL_IS_NUMBER(id) && !JSVAL_IS_STRING(id)) ||
if (!(JSVAL_IS_NUMBER(id) || JSVAL_IS_STRING(id)) ||
!::JS_ValueToECMAInt32(cx, id, &n) || n < 0) {
return NS_OK;
}
@ -3014,7 +3015,7 @@ nsHTMLOptionCollectionSH::SetProperty(nsIXPConnectWrappedNative *wrapper,
{
int32 n = -1;
if ((!JSVAL_IS_NUMBER(id) && !JSVAL_IS_STRING(id)) ||
if (!(JSVAL_IS_NUMBER(id) || JSVAL_IS_STRING(id)) ||
!::JS_ValueToECMAInt32(cx, id, &n) || n < 0) {
return NS_OK;
}
@ -3189,7 +3190,7 @@ nsMediaListSH::GetStringAt(nsISupports *aNative, PRInt32 aIndex,
nsCOMPtr<nsIDOMMediaList> media_list(do_QueryInterface(aNative));
return media_list->Item(PRUint32(aNative), aResult);
return media_list->Item(PRUint32(aIndex), aResult);
}
@ -3223,7 +3224,7 @@ nsCSSStyleDeclSH::GetStringAt(nsISupports *aNative, PRInt32 aIndex,
nsCOMPtr<nsIDOMCSSStyleDeclaration> style_decl(do_QueryInterface(aNative));
return style_decl->Item(PRUint32(aNative), aResult);
return style_decl->Item(PRUint32(aIndex), aResult);
}
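Review bot: The two SetProperty hunks (nsHTMLSelectElementSH and nsHTMLOptionCollectionSH) still pass string ids to JS_ValueToECMAInt32, while the nsHTMLFormElementSH::GetProperty hunk in this same section now accepts numbers only. Under ECMA ToInt32 a non-numeric string becomes NaN and then 0, so a write to a named property would pass the `n < 0` test and, as far as the visible lines show, be handled as a write to index 0. If that is not intended, the guard should match the getter: `if (!JSVAL_IS_NUMBER(id) || !::JS_ValueToECMAInt32(cx, id, &n) || n < 0) {`. Separately, both GetStringAt hunks dereference the do_QueryInterface result without a null test and convert a possibly negative aIndex to PRUint32; whether Item() rejects the resulting large index is outside the hunk.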