From 6c450d021dd5430f06fbe1251489b91602eab455 Mon Sep 17 00:00:00 2001 From: "cvshook%sicking.cc" Date: Fri, 17 Mar 2006 00:28:26 +0000 Subject: [PATCH] Bug 330084: Don't crash when removing an node from the tree that noone holds on to. r/sr=jst --- content/base/src/nsGenericElement.cpp | 7 +++++-- content/html/content/src/nsHTMLSelectElement.cpp | 3 ++- 2 files changed, 7 insertions(+), 3 deletions(-) diff --git a/content/base/src/nsGenericElement.cpp b/content/base/src/nsGenericElement.cpp index b409e7ebe991..8f7006624a99 100644 --- a/content/base/src/nsGenericElement.cpp +++ b/content/base/src/nsGenericElement.cpp @@ -2788,6 +2788,10 @@ nsGenericElement::doReplaceOrInsertBefore(PRBool aReplace, return NS_ERROR_NULL_POINTER; } + // Keep a strong reference to the node that we'll return to ensure it + // doesn't go away. + nsCOMPtr returnVal = aReplace ? aRefChild : aNewChild; + nsCOMPtr refContent; nsresult res = NS_OK; PRInt32 insPos; @@ -3065,8 +3069,7 @@ nsGenericElement::doReplaceOrInsertBefore(PRBool aReplace, NS_ENSURE_SUCCESS(res, res); } - *aReturn = aReplace ? aRefChild : aNewChild; - NS_ADDREF(*aReturn); + returnVal.swap(*aReturn); return res; } diff --git a/content/html/content/src/nsHTMLSelectElement.cpp b/content/html/content/src/nsHTMLSelectElement.cpp index 3cae1322c943..b1d82ea65e0c 100644 --- a/content/html/content/src/nsHTMLSelectElement.cpp +++ b/content/html/content/src/nsHTMLSelectElement.cpp @@ -2285,7 +2285,8 @@ nsHTMLOptionCollection::SetOption(PRInt32 aIndex, rv = mSelect->AppendChild(aOption, getter_AddRefs(ret)); } else { // Find the option they're talking about and replace it - nsIDOMHTMLOptionElement *refChild = mElements.SafeObjectAt(aIndex); + // hold a strong reference to follow COM rules. + nsCOMPtr refChild = mElements.SafeObjectAt(aIndex); NS_ENSURE_TRUE(refChild, NS_ERROR_UNEXPECTED); nsCOMPtr parent;