Bug 1428353: Allow undisplayed maps to be queried for elements out of the document. r?mats
MozReview-Commit-ID: 69lQNFk5vhG
new file mode 100644
--- /dev/null
+++ b/layout/base/crashtests/1428353.html
@@ -0,0 +1,15 @@
+<script>
+ try { o1 = document.createTextNode(''); } catch(e) { }
+ try { o2 = document.createElement('slot') } catch(e) { }
+ try { o3 = document.createElement('s') } catch(e) { }
+ try { o4 = document.getSelection() } catch(e) { }
+ try { document.head.appendChild(o1) } catch(e) { }
+ try { document.documentElement.appendChild(o2) } catch(e) { }
+ try { document.head.appendChild(o3) } catch(e) { }
+ try { o1.after('', document.head) } catch(e) { }
+ try { document.designMode = 'on' } catch(e) { }
+ try { document.execCommand('formatblock', false, 'pre') } catch(e) { }
+ try { document.designMode = 'off' } catch(e) { }
+ try { o5 = o4.getRangeAt(0) } catch(e) { }
+ try { o5.selectNode(o3); } catch(e) { }
+</script>
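Review bot: Every statement in this crashtest sits in its own `try { … } catch(e) { }`, so if an earlier step ever starts throwing (for instance `o4.getRangeAt(0)` when the selection holds no range), the final `o5.selectNode(o3)` is skipped silently and the test keeps passing without reaching the layout code it was written for. The file also carries no hint of what it guards. A leading comment such as `<!-- Bug 1428353: must not assert in nsFrameManager::ParentForUndisplayedMap -->` would record that; the function name is inferred from the assertion this patch removes, so confirm it against the bug before landing.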
--- a/layout/base/crashtests/crashtests.list
+++ b/layout/base/crashtests/crashtests.list
@@ -514,8 +514,9 @@ load 1404789-2.html
load 1406562.html
load 1409088.html
load 1409147.html
load 1411138.html
load 1419762.html
load 1420533.html
load 1425959.html
load 1425893.html
+load 1428353.html
--- a/layout/base/nsFrameManager.cpp
+++ b/layout/base/nsFrameManager.cpp
@@ -130,17 +130,16 @@ nsFrameManager::Destroy()
//----------------------------------------------------------------------
/* static */ nsIContent*
nsFrameManager::ParentForUndisplayedMap(const nsIContent* aContent)
{
MOZ_ASSERT(aContent);
nsIContent* parent = aContent->GetParentElementCrossingShadowRoot();
- MOZ_ASSERT(parent || !aContent->GetParent(), "no non-elements");
// Normalize the parent:
parent = UndisplayedMap::GetApplicableParent(parent);
return parent;
}
/* static */ nsStyleContext*
@@ -204,16 +203,17 @@ nsFrameManager::SetStyleContextInMap(Und
MOZ_ASSERT(!GetStyleContextInMap(aMap, aContent),
"Already have an entry for aContent");
// This function is an entry point into UndisplayedMap handling code, so the
// parent that we act on must be normalized by GetApplicableParent (as per
// that function's documentation). We rely on ParentForUndisplayedMap to
// have done that for us.
nsIContent* parent = ParentForUndisplayedMap(aContent);
+ MOZ_ASSERT(parent || !aContent->GetParent(), "no non-elements");
#ifdef DEBUG
nsIPresShell* shell = aStyleContext->PresContext()->PresShell();
NS_ASSERTION(parent || (shell && shell->GetDocument() &&
shell->GetDocument()->GetRootElement() == aContent),
"undisplayed content must have a parent, unless it's the root "
"element");
#endif
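Review bot: The relocated `MOZ_ASSERT(parent || !aContent->GetParent(), "no non-elements");` now tests the value returned by ParentForUndisplayedMap, that is, after `UndisplayedMap::GetApplicableParent` has normalized it, whereas the removed check ran on the raw result of `GetParentElementCrossingShadowRoot()`. If normalization can ever turn a non-null parent into null (not visible in this diff), the assert would fire with a misleading message, so that is worth confirming. A why-comment above the assert would also help, e.g. `// Lookups may be made for content outside the document, but an entry is only stored for content whose parent, if any, is an element.` The same line is added in the ChangeStyleContextInMap hunk, and the same remarks apply there. MOZ_ASSERT is a debug-only check, so release builds continue with a null `parent` key on both paths; both function bodies extend beyond their hunks, so how that case is handled cannot be judged from here.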
@@ -252,16 +252,17 @@ nsFrameManager::ChangeStyleContextInMap(
printf("ChangeStyleContextInMap(%d): p=%p \n", i++, (void *)aContent);
#endif
// This function is an entry point into UndisplayedMap handling code, so the
// parent that we act on must be normalized by GetApplicableParent (as per
// that function's documentation). We rely on ParentForUndisplayedMap to
// have done that for us.
nsIContent* parent = ParentForUndisplayedMap(aContent);
+ MOZ_ASSERT(parent || !aContent->GetParent(), "no non-elements");
for (UndisplayedNode* node = aMap->GetFirstNode(parent);
node; node = node->getNext()) {
if (node->mContent == aContent) {
node->mStyle = aStyleContext;
return;
}
}