Bug 1440523 - Bail out from nsHTMLDocument::EditingStateChanged if the docshell is being destroyed by FlushPendingNotifications call. r?masayuki
MozReview-Commit-ID: DlFXWdpB1Xv
new file mode 100644
--- /dev/null
+++ b/dom/html/crashtests/1440523.html
@@ -0,0 +1,13 @@
+<html>
+ <head>
+ <script>
+ try { frame = document.createElement('frame') } catch(e) { }
+ try { document.documentElement.appendChild(frame) } catch(e) { }
+ try { contentDocument = frame.contentDocument } catch(e) { }
+ try { contentDocument.writeln("<p contenteditable='true'>") } catch(e) { }
+ try { anotherDocument = document.implementation.createHTMLDocument(); } catch(e) { }
+ try { rootOfAnotherDocument = anotherDocument.documentElement; } catch(e) { }
+ try { document.replaceChild(rootOfAnotherDocument, document.documentElement); } catch(e) { }
+ </script>
+ </head>
+</html>
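Review bot: Every statement in the script is wrapped in its own `try { … } catch(e) { }`, so if an early step fails (for example `frame.contentDocument` being unavailable) the remaining steps throw silently and the crashtest still passes without reaching the code path it is meant to cover. Because the regression being guarded is a docshell-teardown crash, it would help to let setup failures surface, or at least keep the swallowing only around the final `replaceChild` call. The file also has no comment saying what it exercises. A one-line header such as `<!-- Bug 1440523: replacing the root element while a frame with contenteditable content is attached must not crash in nsHTMLDocument::EditingStateChanged -->` would tell the next reader why the sequence matters; the wording is inferred from the commit title and should be confirmed.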
--- a/dom/html/crashtests/crashtests.list
+++ b/dom/html/crashtests/crashtests.list
@@ -82,8 +82,9 @@ load 1282894.html
load 1290904.html
load 1343886-1.html
load 1343886-2.xml
load 1343886-3.xml
load 1350972.html
load 1386905.html
asserts(0-4) load 1401726.html
load 1412173.html
+load 1440523.html
--- a/dom/html/nsHTMLDocument.cpp
+++ b/dom/html/nsHTMLDocument.cpp
@@ -2358,16 +2358,23 @@ nsHTMLDocument::EditingStateChanged()
nsCOMPtr<nsPIDOMWindowOuter> window = GetWindow();
if (!window)
return NS_ERROR_FAILURE;
nsIDocShell *docshell = window->GetDocShell();
if (!docshell)
return NS_ERROR_FAILURE;
+ // FlushPendingNotifications might destroy our docshell.
+ bool isBeingDestroyed = false;
+ docshell->IsBeingDestroyed(&isBeingDestroyed);
+ if (isBeingDestroyed) {
+ return NS_ERROR_FAILURE;
+ }
+
nsCOMPtr<nsIEditingSession> editSession;
nsresult rv = docshell->GetEditingSession(getter_AddRefs(editSession));
NS_ENSURE_SUCCESS(rv, rv);
RefPtr<HTMLEditor> htmlEditor = editSession->GetHTMLEditorForWindow(window);
if (htmlEditor) {
// We might already have an editor if it was set up for mail, let's see
// if this is actually the case.
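Review bot: The added check samples the docshell's state once, but `docshell` stays a raw `nsIDocShell *` for the rest of EditingStateChanged. The function continues outside this hunk, so this is inferred: if any later call can run script or flush again, the pointer could outlive the object it refers to. Holding it as `nsCOMPtr<nsIDocShell> docshell = window->GetDocShell();` would keep it alive across those calls. The nsresult of `IsBeingDestroyed` is also discarded, and since `isBeingDestroyed` starts as false, a failed call falls through to the editing-session setup; `if (NS_FAILED(docshell->IsBeingDestroyed(&isBeingDestroyed)) || isBeingDestroyed)` fails closed instead. The comment would read better if it said where the flush happens, presumably earlier in this function, e.g. `// The FlushPendingNotifications call above may have started tearing down our docshell; bail out before touching the editing session.`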