From e02ac255f2ec578655de322b5216c190c156fe68 Mon Sep 17 00:00:00 2001 From: Boris Zbarsky Date: Fri, 18 Sep 2009 14:52:36 -0400 Subject: [PATCH] Bug 515829. Don't assume that mDefaultSubmitElement is non-null just because our firstSubmitSlot contains non-null. r=jst --- content/html/content/crashtests/515829-1.html | 7 +++++++ content/html/content/crashtests/515829-2.html | 7 +++++++ .../html/content/crashtests/crashtests.list | 2 ++ content/html/content/src/nsHTMLFormElement.cpp | 18 ++++++++++-------- 4 files changed, 26 insertions(+), 8 deletions(-) create mode 100644 content/html/content/crashtests/515829-1.html create mode 100644 content/html/content/crashtests/515829-2.html diff --git a/content/html/content/crashtests/515829-1.html b/content/html/content/crashtests/515829-1.html new file mode 100644 index 00000000000..e2fc655c01a --- /dev/null +++ b/content/html/content/crashtests/515829-1.html @@ -0,0 +1,7 @@ + + + + +
+ + diff --git a/content/html/content/crashtests/515829-2.html b/content/html/content/crashtests/515829-2.html new file mode 100644 index 00000000000..6de6d5986c4 --- /dev/null +++ b/content/html/content/crashtests/515829-2.html @@ -0,0 +1,7 @@ + + + + +
+ + diff --git a/content/html/content/crashtests/crashtests.list b/content/html/content/crashtests/crashtests.list index 08087537252..23cb08e7a80 100644 --- a/content/html/content/crashtests/crashtests.list +++ b/content/html/content/crashtests/crashtests.list @@ -10,3 +10,5 @@ load 423371-1.html load 451123-1.html load 453406-1.html load 504183-1.html +load 515829-1.html +load 515829-2.html diff --git a/content/html/content/src/nsHTMLFormElement.cpp b/content/html/content/src/nsHTMLFormElement.cpp index df7ab251ba8..f81c4d609c0 100644 --- a/content/html/content/src/nsHTMLFormElement.cpp +++ b/content/html/content/src/nsHTMLFormElement.cpp @@ -1433,19 +1433,21 @@ nsHTMLFormElement::AddElement(nsIFormControl* aChild, if (!*firstSubmitSlot || (!lastElement && CompareFormControlPosition(aChild, *firstSubmitSlot, this) < 0)) { - NS_ASSERTION(*firstSubmitSlot == mDefaultSubmitElement || - mDefaultSubmitElement, - "How can we have a null mDefaultSubmitElement but a " - "first-submit slot in one of the lists?"); - if (*firstSubmitSlot == mDefaultSubmitElement || - CompareFormControlPosition(aChild, - mDefaultSubmitElement, this) < 0) { + // Update mDefaultSubmitElement if it's currently in a valid state. + // Valid state means either non-null or null because there are in fact + // no submit elements around. + if ((mDefaultSubmitElement || + (!mFirstSubmitInElements && !mFirstSubmitNotInElements)) && + (*firstSubmitSlot == mDefaultSubmitElement || + CompareFormControlPosition(aChild, + mDefaultSubmitElement, this) < 0)) { mDefaultSubmitElement = aChild; } *firstSubmitSlot = aChild; } NS_POSTCONDITION(mDefaultSubmitElement == mFirstSubmitInElements || - mDefaultSubmitElement == mFirstSubmitNotInElements, + mDefaultSubmitElement == mFirstSubmitNotInElements || + !mDefaultSubmitElement, "What happened here?"); // Notify that the state of the previous default submit element has changed