Bug 682058 - nsGenericElement::SetInnerHTML should suppress DOMNodeRemoved when dealing with a non-HTML5 document, r=sicking
authorOlli Pettay <Olli.Pettay@helsinki.fi>
Fri, 09 Sep 2011 12:18:00 +0300
changeset 76771 164976bffd31fdf47f61923b5d25aa48e245da5b
parent 76770 59e530a7f0dd03ffe0ba2cec1510d1bc11e204b1
child 76825 694520af9b1847cc9c70e5deac135d419407eb53
push id3
push userfelipc@gmail.com
push dateFri, 30 Sep 2011 20:09:13 +0000
reviewerssicking
bugs682058
milestone9.0a1
Bug 682058 - nsGenericElement::SetInnerHTML should suppress DOMNodeRemoved when dealing with a non-HTML5 document, r=sicking
content/html/content/crashtests/682058.xhtml
content/html/content/crashtests/crashtests.list
content/html/content/src/nsGenericHTMLElement.cpp
new file mode 100644
--- /dev/null
+++ b/content/html/content/crashtests/682058.xhtml
@@ -0,0 +1,11 @@
+<?xml version="1.0"?>
+<html xmlns="http://www.w3.org/1999/xhtml">
+  <body onload="test()">
+    <script>
+      function test() {
+        document.body.innerHTML = "Foobar";
+      }
+      document.addEventListener("DOMNodeRemoved", function() {});
+    </script>
+  </body>
+</html>
--- a/content/html/content/crashtests/crashtests.list
+++ b/content/html/content/crashtests/crashtests.list
@@ -24,9 +24,10 @@ load 604807.html
 load 605264.html
 load 606430-1.html
 load 602117.html
 load 613027.html
 load 614279.html
 load 614988-1.html
 load 620078-1.html
 load 620078-2.html
+load 682058.xhtml
 load 682460.html
--- a/content/html/content/src/nsGenericHTMLElement.cpp
+++ b/content/html/content/src/nsGenericHTMLElement.cpp
@@ -780,16 +780,21 @@ nsGenericHTMLElement::SetInnerHTML(const
     // HTML5 parser has notified, but not fired mutation events.
     FireMutationEventsForDirectParsing(doc, this, oldChildCount);
   } else {
     rv = nsContentUtils::CreateContextualFragment(this, aInnerHTML,
                                                   PR_TRUE,
                                                   getter_AddRefs(df));
     nsCOMPtr<nsINode> fragment = do_QueryInterface(df);
     if (NS_SUCCEEDED(rv)) {
+      // Suppress assertion about node removal mutation events that can't have
+      // listeners anyway, because no one has had the chance to register mutation
+      // listeners on the fragment that comes from the parser.
+      nsAutoScriptBlockerSuppressNodeRemoved scriptBlocker;
+
       static_cast<nsINode*>(this)->AppendChild(fragment, &rv);
     }
   }
 
   return rv;
 }
 
 enum nsAdjacentPosition {