Bug 1281745: Don't consider <xbl:children> in a shadow root without any binding active. r=smaug
MozReview-Commit-ID: GSewdIOpKIv
new file mode 100644
--- /dev/null
+++ b/dom/base/crashtests/1281745.html
@@ -0,0 +1,19 @@
+<!DOCTYPE html>
+<html>
+<head>
+<meta charset="UTF-8">
+<!--
+user_pref("dom.webcomponents.enabled", true);
+-->
+<script>
+
+function boom() {
+ var x = document.createElementNS("http://www.mozilla.org/xbl", "children");
+ x.appendChild(document.createTextNode("t"));
+ document.body.attachShadow({ mode: "open" }).appendChild(x);
+}
+
+</script>
+</head>
+<body onload="boom();"></body>
+</html>
--- a/dom/base/crashtests/crashtests.list
+++ b/dom/base/crashtests/crashtests.list
@@ -197,16 +197,17 @@ pref(dom.webcomponents.shadowdom.enabled
pref(dom.webcomponents.shadowdom.enabled,true) load 1029710.html
load 1154598.xhtml
load 1157995.html
load 1158412.html
load 1181619.html
load 1230422.html
load 1251361.html
pref(dom.webcomponents.shadowdom.enabled,true) load 1281715.html
+pref(dom.webcomponents.shadowdom.enabled,true) load 1281745.html
load 1304437.html
pref(dom.IntersectionObserver.enabled,true) load 1324209.html
load 1324500.html
pref(dom.IntersectionObserver.enabled,true) load 1326194-1.html
pref(dom.IntersectionObserver.enabled,true) load 1326194-2.html
pref(dom.IntersectionObserver.enabled,true) load 1332939.html
pref(dom.webcomponents.customelements.enabled,true) load 1341693.html
load 1352453.html
--- a/dom/base/nsIContent.h
+++ b/dom/base/nsIContent.h
@@ -329,21 +329,18 @@ public:
return mNodeInfo->Equals(aTag, kNameSpaceID_MathML);
}
template<typename First, typename... Args>
inline bool IsAnyOfMathMLElements(First aFirst, Args... aArgs) const
{
return IsMathMLElement() && IsNodeInternal(aFirst, aArgs...);
}
- inline bool IsActiveChildrenElement() const
- {
- return mNodeInfo->Equals(nsGkAtoms::children, kNameSpaceID_XBL) &&
- GetBindingParent();
- }
+
+ inline bool IsActiveChildrenElement() const;
bool IsGeneratedContentContainerForBefore() const
{
return IsRootOfNativeAnonymousSubtree() &&
mNodeInfo->NameAtom() == nsGkAtoms::mozgeneratedcontentbefore;
}
bool IsGeneratedContentContainerForAfter() const
@@ -808,16 +805,18 @@ protected:
nsExtendedContentSlots();
virtual ~nsExtendedContentSlots();
virtual void Traverse(nsCycleCollectionTraversalCallback&);
virtual void Unlink();
/**
* The nearest enclosing content node with a binding that created us.
+ * TODO(emilio): This should be an Element*.
+ *
* @see nsIContent::GetBindingParent
*/
nsIContent* mBindingParent; // [Weak]
/**
* @see nsIContent::GetXBLInsertionPoint
*/
nsCOMPtr<nsIContent> mXBLInsertionPoint;
--- a/dom/base/nsIContentInlines.h
+++ b/dom/base/nsIContentInlines.h
@@ -159,9 +159,24 @@ nsINode::GetFlattenedTreeParentNodeForSt
}
inline bool
nsINode::NodeOrAncestorHasDirAuto() const
{
return AncestorHasDirAuto() || (IsElement() && AsElement()->HasDirAuto());
}
+inline bool
+nsIContent::IsActiveChildrenElement() const
+{
+ if (!mNodeInfo->Equals(nsGkAtoms::children, kNameSpaceID_XBL)) {
+ return false;
+ }
+
+ nsIContent* bindingParent = GetBindingParent();
+ if (!bindingParent) {
+ return false;
+ }
+
+ return !bindingParent->GetShadowRoot();
+}
+
#endif // nsIContentInlines_h
--- a/dom/xbl/nsBindingManager.cpp
+++ b/dom/xbl/nsBindingManager.cpp
@@ -11,16 +11,17 @@
#include "nsXBLService.h"
#include "nsIInputStream.h"
#include "nsIURI.h"
#include "nsIURL.h"
#include "nsIChannel.h"
#include "nsString.h"
#include "plstr.h"
#include "nsIContent.h"
+#include "nsIContentInlines.h"
#include "nsIDOMElement.h"
#include "nsIDocument.h"
#include "nsContentUtils.h"
#include "nsIPresShell.h"
#include "nsIPresShellInlines.h"
#include "nsIXMLContentSink.h"
#include "nsContentCID.h"
#include "mozilla/dom/XMLDocument.h"
