Bug 1410226: Properly compute the insertion point for a display: contents child in an XBL binding. r?mats
MozReview-Commit-ID: DzuGDHZEc1A
--- a/layout/base/nsCSSFrameConstructor.cpp
+++ b/layout/base/nsCSSFrameConstructor.cpp
@@ -7106,37 +7106,33 @@ nsCSSFrameConstructor::GetInsertionPrevS
*aIsRangeInsertSafe = (childDisplay == UNSET_DISPLAY);
return prevSibling;
}
nsContainerFrame*
nsCSSFrameConstructor::GetContentInsertionFrameFor(nsIContent* aContent)
{
- // Get the primary frame associated with the content
- nsIFrame* frame = aContent->GetPrimaryFrame();
-
- if (!frame) {
- if (GetDisplayContentsStyleFor(aContent)) {
- nsIContent* parent = aContent->GetParent();
- if (parent && parent == aContent->GetContainingShadow()) {
- parent = parent->GetBindingParent();
- }
- frame = parent ? GetContentInsertionFrameFor(parent) : nullptr;
- }
- if (!frame) {
+ nsIFrame* frame;
+ while (!(frame = aContent->GetPrimaryFrame())) {
+ if (!GetDisplayContentsStyleFor(aContent)) {
+ return nullptr;
+ }
+
+ aContent = aContent->GetFlattenedTreeParent();
+ if (!aContent) {
return nullptr;
}
- } else {
- // If the content of the frame is not the desired content then this is not
- // really a frame for the desired content.
- // XXX This check is needed due to bug 135040. Remove it once that's fixed.
- if (frame->GetContent() != aContent) {
- return nullptr;
- }
+ }
+
+ // If the content of the frame is not the desired content then this is not
+ // really a frame for the desired content.
+ // XXX This check is needed due to bug 135040. Remove it once that's fixed.
+ if (frame->GetContent() != aContent) {
+ return nullptr;
}
nsContainerFrame* insertionFrame = frame->GetContentInsertionFrame();
NS_ASSERTION(!insertionFrame || insertionFrame == frame || !frame->IsLeaf(),
"The insertion frame is the primary frame or the primary frame isn't a leaf");
return insertionFrame;
new file mode 100644
--- /dev/null
+++ b/layout/style/crashtests/1410226-1.html
@@ -0,0 +1,8 @@
+<style>
+ * { display: contents; }
+</style>
+<details>
+</details>
+<marquee>
+<ul>
+<canvas>
new file mode 100644
--- /dev/null
+++ b/layout/style/crashtests/1410226-2.html
@@ -0,0 +1,16 @@
+<!doctype html>
+<style>
+ * { display: contents; }
+</style>
+<marquee>
+<div id="target">
+</div>
+</marquee>
+<script>
+document.body.offsetTop;
+let div = document.createElement('div');
+div.style.display = "block";
+div.appendChild(document.createTextNode('where am I'));
+target.appendChild(div);
+document.body.style.color = "red";
+</script>
--- a/layout/style/crashtests/crashtests.list
+++ b/layout/style/crashtests/crashtests.list
@@ -247,8 +247,10 @@ load 1404316.html
load 1406222-1.html
load 1406222-2.html
load 1404324-1.html
load 1404324-2.html
load 1404324-3.html
load 1404057.html
load 1409502.html
load 1409931.html
+load 1410226-1.html
+load 1410226-2.html
