Bug 1454572: nsComputedDOMStyle: Don't crash when used on a detached pseudo-element. r?:emilio
This shouldn't normally happen, but it does in some rare cases; e.g. if an accessibility client queries info for a node that is being removed.
MozReview-Commit-ID: 3nac9ITN66f
--- a/layout/style/nsComputedDOMStyle.cpp
+++ b/layout/style/nsComputedDOMStyle.cpp
@@ -496,16 +496,17 @@ GetPseudoType(nsAtom* aPseudo)
already_AddRefed<ComputedStyle>
nsComputedDOMStyle::DoGetComputedStyleNoFlush(Element* aElement,
nsAtom* aPseudo,
nsIPresShell* aPresShell,
StyleType aStyleType)
{
MOZ_ASSERT(aElement, "NULL element");
+
// If the content has a pres shell, we must use it. Otherwise we'd
// potentially mix rule trees by using the wrong pres shell's style
// set. Using the pres shell from the content also means that any
// content that's actually *in* a document will get the style from the
// correct document.
nsIPresShell* presShell = nsContentUtils::GetPresShellForContent(aElement);
bool inDocWithShell = true;
if (!presShell) {
@@ -516,16 +517,24 @@ nsComputedDOMStyle::DoGetComputedStyleNo
}
}
CSSPseudoElementType pseudoType = GetPseudoType(aPseudo);
if (aPseudo && pseudoType >= CSSPseudoElementType::Count) {
return nullptr;
}
+ if (aElement->IsInNativeAnonymousSubtree() && !aElement->IsInComposedDoc()) {
+ // Normal web content can't access NAC, but Accessibility, DevTools and
+ // Editor use this same API and this may get called for anonymous content.
+ // Computing the style of a pseudo-element that doesn't have a parent doesn't
+ // really make sense.
+ return nullptr;
+ }
+
// XXX the !aElement->IsHTMLElement(nsGkAtoms::area)
// check is needed due to bug 135040 (to avoid using
// mPrimaryFrame). Remove it once that's fixed.
if (inDocWithShell &&
aStyleType == eAll &&
!aElement->IsHTMLElement(nsGkAtoms::area)) {
nsIFrame* frame = nullptr;
if (aPseudo == nsCSSPseudoElements::before) {