Make the HTML5 parser manage formatting element list marker memory properly and not crash

content/html/parser/src/nsHtml5TreeBuilder.cpp

@@ -543,7 +543,9 @@ nsHtml5TreeBuilder::endTokenization()
   delete[] stack;
   stack = nsnull;
   while (listPtr > -1) {
-    listOfActiveFormattingElements[listPtr]->release();
+    if (!!listOfActiveFormattingElements[listPtr]) {
+      listOfActiveFormattingElements[listPtr]->release();
+    }
     listPtr--;
   }
   delete[] listOfActiveFormattingElements;
@@ -2907,16 +2909,19 @@ nsHtml5TreeBuilder::append(nsHtml5StackNode* node)
 void 
 nsHtml5TreeBuilder::insertMarker()
 {
-  append(MARKER);
+  append(nsnull);
 }
 
 void 
 nsHtml5TreeBuilder::clearTheListOfActiveFormattingElementsUpToTheLastMarker()
 {
   while (listPtr > -1) {
-    if (listOfActiveFormattingElements[listPtr--] == MARKER) {
+    if (!listOfActiveFormattingElements[listPtr]) {
+      --listPtr;
       return;
     }
+    listOfActiveFormattingElements[listPtr]->release();
+    --listPtr;
   }
 }
 
@@ -2963,6 +2968,7 @@ nsHtml5TreeBuilder::removeFromStack(nsHtml5StackNode* node)
 void 
 nsHtml5TreeBuilder::removeFromListOfActiveFormattingElements(PRInt32 pos)
 {
+
   listOfActiveFormattingElements[pos]->release();
   if (pos == listPtr) {
 
@@ -2982,12 +2988,12 @@ nsHtml5TreeBuilder::adoptionAgencyEndTag(nsIAtom* name)
   for (; ; ) {
     PRInt32 formattingEltListPos = listPtr;
     while (formattingEltListPos > -1) {
-      nsIAtom* listName = listOfActiveFormattingElements[formattingEltListPos]->name;
-      if (listName == name) {
-        break;
-      } else if (!listName) {
+      nsHtml5StackNode* listNode = listOfActiveFormattingElements[formattingEltListPos];
+      if (!listNode) {
         formattingEltListPos = -1;
         break;
+      } else if (listNode->name == name) {
+        break;
       }
       formattingEltListPos--;
     }
@@ -3136,7 +3142,7 @@ nsHtml5TreeBuilder::findInListOfActiveFormattingElementsContainsBetweenEndAndLas
 {
   for (PRInt32 i = listPtr; i >= 0; i--) {
     nsHtml5StackNode* node = listOfActiveFormattingElements[i];
-    if (node == MARKER) {
+    if (!node) {
       return -1;
     } else if (node->name == name) {
       return i;
@@ -3198,7 +3204,7 @@ nsHtml5TreeBuilder::reconstructTheActiveFormattingElements()
     return;
   }
   nsHtml5StackNode* mostRecent = listOfActiveFormattingElements[listPtr];
-  if (mostRecent == MARKER || isInStack(mostRecent)) {
+  if (!mostRecent || isInStack(mostRecent)) {
     return;
   }
   PRInt32 entryPos = listPtr;
@@ -3207,7 +3213,7 @@ nsHtml5TreeBuilder::reconstructTheActiveFormattingElements()
     if (entryPos == -1) {
       break;
     }
-    if (listOfActiveFormattingElements[entryPos] == MARKER) {
+    if (!listOfActiveFormattingElements[entryPos]) {
       break;
     }
     if (isInStack(listOfActiveFormattingElements[entryPos])) {

content/html/parser/src/nsHtml5TreeBuilder.h

@@ -67,7 +67,6 @@ class nsHtml5TreeBuilder
   private:
     static jArray<PRUnichar,PRInt32> ISINDEX_PROMPT;
     static jArray<nsString*,PRInt32> QUIRKY_PUBLIC_IDS;
-    nsHtml5StackNode* MARKER;
     static nsIAtom* HTML_LOCAL;
     PRInt32 mode;
     PRInt32 originalMode;

content/html/parser/src/nsHtml5TreeBuilderCppSupplement.h

@@ -63,8 +63,7 @@
 jArray<PRUnichar,PRInt32> nsHtml5TreeBuilder::ISINDEX_PROMPT = jArray<PRUnichar,PRInt32>();
 
 nsHtml5TreeBuilder::nsHtml5TreeBuilder(nsHtml5Parser* aParser)
-  : MARKER(new nsHtml5StackNode(0, nsHtml5ElementName::NULL_ELEMENT_NAME, nsnull)),
-    documentModeHandler(aParser),
+  : documentModeHandler(aParser),
     fragment(PR_FALSE),
     formPointer(nsnull),
     headPointer(nsnull),
@@ -78,7 +77,6 @@ nsHtml5TreeBuilder::nsHtml5TreeBuilder(nsHtml5Parser* aParser)
 nsHtml5TreeBuilder::~nsHtml5TreeBuilder()
 {
   MOZ_COUNT_DTOR(nsHtml5TreeBuilder);
-  delete MARKER;
   mOpQueue.Clear();
 }