570376 - Crash [@ MaybeSetForm] with html5.enable == false and <form><legend>

Status: VERIFIED FIXED

(Core :: DOM: HTML Parser, defect)

Description

[Phil Ringnalda (:philor)]

STR:

1. In any build after bug 565611 landed, set html5.enable to false
2. Load data:text/html,<form><legend> (or, if you insist on realism, load a UPS tracking page, that's what I did)
3. Crash, bang, boom, http://crash-stats.mozilla.com/report/index/b6cfaae1-ec96-4d31-a77c-dc5752100605

My naive assumption is that just removing case eHTMLTag_legend: from http://hg.mozilla.org/mozilla-central/annotate/b219912edfec/content/html/document/src/nsHTMLContentSink.cpp#l500 will fix the crash, but I'm not sure how to write a crashtest that requires having a pref set to crash.

Comment 1

[Phil Ringnalda (:philor)]

Attachment: Fix v.1

Comment 2

[Boris Zbarsky [:bzbarsky]]

Comment on attachment 449564 [details] [diff] [review]
Fix v.1

r=bzbarsky.  Sorry for the lag!

Comment 3

[Chris Jones [:cjones] inactive; ni?/f?/r? if you need me]

http://hg.mozilla.org/mozilla-central/rev/b51803f3fdef

Comment 4

[rsx11m]

V. Fixed for Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.3a6pre) Gecko/20100625 SeaMonkey/2.1a3pre, no more crash despite html5.enable=false.

Comment 5

[Phil Ringnalda (:philor)]

And http://hg.mozilla.org/mozilla-central/rev/de899bedeb3e since as Jesse pointed out, I typoed the bug number when I gave it to gen_template.pl, so with the no-bug-number commit message, it really looked like I was hiding something.