Comment 4 for bug 256624

In , Bzbarsky (bzbarsky) wrote :

This looks like a parser/content-sink bug. We're getting a ContentAppended on the body with aIndexInContainer == 2, coming from nsHTMLContentSink::CloseBody. At this point, the relevant part of the DOM looks like this (containment indicated by nesting):

  <body>
    <s>
      #text
    <form>
      <select>
        <optgroup>
          #text
    <form>
      <s>
        #text
        <iframe>
        #text
        <script>
        #text
      <form>
      #text
      <table>
        #text

Thing is, when we last notified (from HandleSavedTokens calling BeginContext), that second form wasn't there, and the third one was. So in other words, we're double-notifying on the entire subtree rooted at that third form, which naturally breaks things.

Somewhere in here we should have had a ContentInserted notification (when we created the <form> containing the <select>), and updated the mNumFlushed for the <body> accordingly.
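
The bookkeeping failure described in the comment above, as an added example that is not part of the original comment and is not Gecko code. It is a simplified model: the Container type, its methods, and the labels "form2" and "form3" are assumptions made for illustration, and only mNumFlushed, ContentAppended and ContentInserted are names taken from the comment.

```cpp
// Simplified model, not Gecko code: one container, one "already notified" count.
#include <cstdio>
#include <map>
#include <string>
#include <vector>

struct Container {
    std::vector<std::string> children;
    size_t numFlushed = 0;                // stands in for mNumFlushed
    std::map<std::string, int> notified;  // child label -> times observers saw it

    // Stands in for ContentAppended: covers children [index, end).
    void contentAppended(size_t index) {
        for (size_t i = index; i < children.size(); ++i) ++notified[children[i]];
    }
    // Stands in for ContentInserted: covers exactly one child.
    void contentInserted(size_t index) { ++notified[children[index]]; }

    void flush() {  // notify everything past numFlushed as appended
        if (children.size() > numFlushed) {
            contentAppended(numFlushed);
            numFlushed = children.size();
        }
    }
    // Insert in front of already-notified children. With notify == false the
    // count goes stale and the next flush re-announces shifted siblings.
    void insertAt(size_t index, const std::string& c, bool notify) {
        children.insert(children.begin() + index, c);
        if (notify && index < numFlushed) {
            contentInserted(index);
            ++numFlushed;
        }
    }
};

// Replays the sequence from the comment with constructed labels.
Container replay(bool notifyOnInsert) {
    Container body;
    body.children = {"s", "form3"};            // state at the last notification
    body.flush();                              // numFlushed == 2
    body.insertAt(1, "form2", notifyOnInsert); // the <form> holding the <select>
    body.flush();                              // stale count: ContentAppended at 2
    return body;
}

int main() {
    for (bool fix : {false, true})
        std::printf("fix=%d form2=%d form3=%d\n", fix,
                    replay(fix).notified["form2"], replay(fix).notified["form3"]);
}
```

In the model, the silent insert leaves the inserted form unannounced while the subtree that shifted to index 2 is announced twice; notifying at insertion and bumping the count gives each child exactly one notification.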