Bug 1419802: Bailout from ScheduleViewManagerFlush if already destroying the shell. r?mats
MozReview-Commit-ID: Ixq9jwX2kET
--- a/layout/base/PresShell.cpp
+++ b/layout/base/PresShell.cpp
@@ -3775,16 +3775,20 @@ PresShell::GetRectVisibility(nsIFrame* a
return nsRectVisibility_kRightOfViewport;
return nsRectVisibility_kVisible;
}
void
PresShell::ScheduleViewManagerFlush(PaintType aType)
{
+ if (MOZ_UNLIKELY(mIsDestroying)) {
+ return;
+ }
+
if (aType == PAINT_DELAYED_COMPRESS) {
// Delay paint for 1 second.
static const uint32_t kPaintDelayPeriod = 1000;
if (!mDelayedPaintTimer) {
nsTimerCallbackFunc
PaintTimerCallBack = [](nsITimer* aTimer, void* aClosure) {
// The passed-in PresShell is always alive here. Because if PresShell
// died, mDelayedPaintTimer->Cancel() would be called during the
new file mode 100644
--- /dev/null
+++ b/layout/base/crashtests/1419802.html
@@ -0,0 +1,9 @@
+<script>
+ try { o1 = document.createElement('i') } catch(e) { }
+ try { o2 = document.createElement('style') } catch(e) { }
+ try { document.documentElement.appendChild(o1) } catch(e) { }
+ try { document.head.appendChild(o2) } catch(e) { }
+ try { document.writeln("<data id='id0'></data>\n<style id='id0'>#id0{margin-left:619}#id0{display:ruby-base}</style>") } catch(e) { }
+ try { o1.innerHTML = "<style>" } catch(e) { }
+ try { document.styleSheets[2].insertRule(":first-letter { }", 0); } catch(e) { }
+</script>
--- a/layout/base/crashtests/crashtests.list
+++ b/layout/base/crashtests/crashtests.list
@@ -508,16 +508,17 @@ load 1400599-1.html
load 1401739.html
load 1401840.html
load 1402476.html
load 1404789-2.html
load 1406562.html
load 1409147.html
load 1411138.html
load 1419762.html
+load 1419802.html
load 1420533.html
load 1425959.html
load 1425893.html
load 1428353.html
pref(dom.webcomponents.shadowdom.enabled,true) load 1429088.html
load 1429961.html
load 1435015.html
load 1429962.html
