Bug 502869 - Crash [@ nsHtml5TreeBuilder::appendToCurrentNodeAndPushElementMayFoster]. r=bnewman
authorHenri Sivonen <hsivonen@iki.fi>
Tue, 18 Aug 2009 10:48:59 +0300
changeset 31626 15ea02367063f66c6c3a8c3929675ab243471311
parent 31625 13bc65e5eeec5220609c361e9dba5ed51fb9bf7e
child 31627 859f85e86b0da8c3a7954e602a6ea95cca10f26a
push idunknown
push userunknown
push dateunknown
reviewersbnewman
bugs502869
milestone1.9.3a1pre
Bug 502869 - Crash [@ nsHtml5TreeBuilder::appendToCurrentNodeAndPushElementMayFoster]. r=bnewman
parser/html/nsHtml5Parser.cpp
parser/html/nsHtml5TreeBuilderCppSupplement.h
--- a/parser/html/nsHtml5Parser.cpp
+++ b/parser/html/nsHtml5Parser.cpp
@@ -492,19 +492,20 @@ nsHtml5Parser::ParseFragment(const nsASt
           nsCOMPtr<nsIScriptElement> script = do_QueryInterface(mScriptElement);
           NS_ASSERTION(script, "mScriptElement didn't QI to nsIScriptElement!");
           script->PreventExecution();
           mScriptElement = nsnull;
         }
       }
     }
   }
+  mLifeCycle = TERMINATED;
   mTokenizer->eof();
   mTokenizer->end();
-  mLifeCycle = TERMINATED;
+  mTreeBuilder->Flush();
   DropParserAndPerfHint();
   return NS_OK;
 }
 
 NS_IMETHODIMP
 nsHtml5Parser::BuildModel(void)
 {
   // XXX who calls this? Should this be a no-op?
@@ -760,19 +761,20 @@ nsHtml5Parser::WillBuildModel(nsDTDMode 
   return NS_ERROR_NOT_IMPLEMENTED;
 }
 
 // This is called when the tree construction has ended
 NS_IMETHODIMP
 nsHtml5Parser::DidBuildModel()
 {
   NS_ASSERTION(mLifeCycle == STREAM_ENDING, "Bad life cycle.");
+  mLifeCycle = TERMINATED;
   mTokenizer->eof();
   mTokenizer->end();
-  mLifeCycle = TERMINATED;
+  mTreeBuilder->Flush();
   // This is comes from nsXMLContentSink
   DidBuildModelImpl();
   mDocument->ScriptLoader()->RemoveObserver(this);
   StartLayout(PR_FALSE);
   ScrollToRef();
   mDocument->RemoveObserver(this);
   mDocument->EndLoad();
   DropParserAndPerfHint();
--- a/parser/html/nsHtml5TreeBuilderCppSupplement.h
+++ b/parser/html/nsHtml5TreeBuilderCppSupplement.h
@@ -272,17 +272,16 @@ nsHtml5TreeBuilder::start(PRBool fragmen
   mActive = PR_TRUE;
 #endif
 }
 
 void
 nsHtml5TreeBuilder::end()
 {
   mFlushTimer->Cancel();
-  Flush();
 #ifdef DEBUG
   mActive = PR_FALSE;
 #endif
 #ifdef DEBUG_hsivonen
   printf("MAX INSERTION BATCH LEN: %d\n", sInsertionBatchMaxLength);
   printf("MAX NOTIFICATION BATCH LEN: %d\n", sAppendBatchMaxSize);
   if (sAppendBatchExaminations != 0) {
     printf("AVERAGE SLOTS EXAMINED: %d\n", sAppendBatchSlotsExamined / sAppendBatchExaminations);