nsTArray's Replace/InsertElementsAt and AppendElements unconditionally dereference [0] on the array that's passed to the method. This isn't safe if the other array has 0 elements. Patch coming up.

Comment on attachment 204317 [details] [diff] [review] patch >Index: nsTArray.h > PRBool ReplaceElementsAt(index_type start, size_type count, > const self_type& a) { >- return ReplaceElementsAt(start, count, &a[0], a.Length()); >+ PRUint32 length = a.Length(); >+ return (length == 0) ? PR_TRUE >+ : ReplaceElementsAt(start, count, &a[0], length); > } If |a| is empty (see .IsEmpty() method), then that doesn't make ReplaceElementsAt a no-op. Instead, it means that we need to remove |count| elements from the offset |start|. It'd be nice if there was a way to avoid the branches checking for an empty string. Perhaps the solution is to use |a.Elements()| instead of "&a[0]".

checked in