Mercurial > mozreview > gecko / changeset / 7c5d009538c5dd223cc8d050308f1d9b4ff5c365
summary | shortlog | changelog | pushlog | graph | tags | bookmarks | branches | files | changeset | raw | zip | help
Find changesets by keywords (author, files, the commit message), revision number or hash, or revset expression.
Bug 1386905 - Move away mRuleNode in nsTextEditorState::UnbindFromFrame before storing the value into text buffer. r?ehsan draft
authorXidorn Quan <me@upsuper.org>
Fri, 04 Aug 2017 14:18:41 +1000
changeset 620988 7c5d009538c5dd223cc8d050308f1d9b4ff5c365
parent 620979 1849aeb2b127b300d5576257e227610cf9e0e8f9
child 640856 c4b22432d2d1845fe3b4a51479b803dac51868a6
push id72210
push userxquan@mozilla.com
push dateFri, 04 Aug 2017 05:58:58 +0000
reviewersehsan
bugs1386905
milestone57.0a1
Bug 1386905 - Move away mRuleNode in nsTextEditorState::UnbindFromFrame before storing the value into text buffer. r?ehsan Otherwise SetValue may think it's still safe to notify, while it isn't. MozReview-Commit-ID: 6a3or1WXWAq
dom/html/crashtests/1386905.html file | annotate | diff | comparison | revisions
dom/html/crashtests/crashtests.list file | annotate | diff | comparison | revisions
dom/html/nsTextEditorState.cpp file | annotate | diff | comparison | revisions 
new file mode 100644
--- /dev/null
+++ b/dom/html/crashtests/1386905.html
@@ -0,0 +1,13 @@
+<!DOCTYPE html>
+<html>
+<head>
+<script>
+document.documentElement.getBoundingClientRect()
+document.documentElement.innerHTML = "<input placeholder=e type=number readonly>"
+document.designMode = "on"
+document.execCommand("inserttext", false, "")
+document.designMode = "off"
+document.documentElement.style.display = 'none'
+</script>
+</head>
+</html>
--- a/dom/html/crashtests/crashtests.list
+++ b/dom/html/crashtests/crashtests.list
@@ -77,8 +77,9 @@ load 1230110.html
 load 1237633.html
 load 1281972-1.html
 load 1282894.html
 load 1290904.html
 load 1343886-1.html
 load 1343886-2.xml
 load 1343886-3.xml
 asserts(0-3) load 1350972.html
+load 1386905.html
--- a/dom/html/nsTextEditorState.cpp
+++ b/dom/html/nsTextEditorState.cpp
@@ -2215,34 +2215,36 @@ nsTextEditorState::UnbindFromFrame(nsTex
         NS_LITERAL_STRING("keyup"),
         TrustedEventsAtSystemGroupBubble());
     }
 
     mTextListener = nullptr;
   }
 
   mBoundFrame = nullptr;
+  // Clear mRootNode so that we don't unexpectedly notify below.
+  nsCOMPtr<Element> rootNode = mRootNode.forget();
 
   // Now that we don't have a frame any more, store the value in the text buffer.
   // The only case where we don't do this is if a value transfer is in progress.
   if (!mValueTransferInProgress) {
     bool success = SetValue(value, eSetValue_Internal);
     // TODO Find something better to do if this fails...
     NS_ENSURE_TRUE_VOID(success);
   }
 
-  if (mRootNode && mMutationObserver) {
-    mRootNode->RemoveMutationObserver(mMutationObserver);
+  if (rootNode && mMutationObserver) {
+    rootNode->RemoveMutationObserver(mMutationObserver);
     mMutationObserver = nullptr;
   }
 
   // Unbind the anonymous content from the tree.
   // We actually hold a reference to the content nodes so that
   // they're not actually destroyed.
-  nsContentUtils::DestroyAnonymousContent(&mRootNode);
+  nsContentUtils::DestroyAnonymousContent(&rootNode);
   nsContentUtils::DestroyAnonymousContent(&mPlaceholderDiv);
   nsContentUtils::DestroyAnonymousContent(&mPreviewDiv);
 }
 
 nsresult
 nsTextEditorState::CreateRootNode()
 {
   MOZ_ASSERT(!mRootNode);
gecko
Deployed from 4e825768105f at 2024-04-08T16:23:59Z.