Bug 1317704 - Part 1. Hold current ranges into RemoveInlineProperty. r?masayuki
Since the current selection ranges might be modified by SplitStyleAboveRange, this crash occurs in RemoveInlinePropertyImpl. So we need to hold the current selection ranges for the loop.
MozReview-Commit-ID: JuXn9XlwCp6
--- a/editor/libeditor/HTMLStyleEditor.cpp
+++ b/editor/libeditor/HTMLStyleEditor.cpp
@@ -1226,18 +1226,23 @@ HTMLEditor::RemoveInlinePropertyImpl(nsI
TextRulesInfo ruleInfo(EditAction::removeTextProperty);
// Protect the edit rules object from dying
nsCOMPtr<nsIEditRules> rules(mRules);
nsresult rv = rules->WillDoAction(selection, &ruleInfo, &cancel, &handled);
NS_ENSURE_SUCCESS(rv, rv);
if (!cancel && !handled) {
// Loop through the ranges in the selection
uint32_t rangeCount = selection->RangeCount();
+ // Since ranges might be modified by SplitStyleAboveRange, we need hold
+ // current ranges
+ AutoTArray<OwningNonNull<nsRange>, 8> arrayOfRanges;
for (uint32_t rangeIdx = 0; rangeIdx < rangeCount; ++rangeIdx) {
- OwningNonNull<nsRange> range = *selection->GetRangeAt(rangeIdx);
+ arrayOfRanges.AppendElement(*selection->GetRangeAt(rangeIdx));
+ }
+ for (auto& range : arrayOfRanges) {
if (aProperty == nsGkAtoms::name) {
// Promote range if it starts or end in a named anchor and we want to
// remove named anchors
rv = PromoteRangeIfStartsOrEndsInNamedAnchor(range);
if (NS_WARN_IF(NS_FAILED(rv))) {
return rv;
}
} else {
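Review bot: The snapshot in `arrayOfRanges` holds strong references to the same `nsRange` objects the selection owns, so it fixes the stale `rangeIdx`/`rangeCount` lookup but does not freeze the ranges themselves: SplitStyleAboveRange in an earlier iteration can still move the boundaries of a range, or remove it from the selection, before a later iteration of `for (auto& range : arrayOfRanges)` processes it. The loop body continues past the end of this hunk, so I cannot tell whether it already tolerates that; if it does not, a guard at the top of the loop such as `if (NS_WARN_IF(!range->IsPositioned())) { continue; }` would make the assumption explicit. The new comment would also read better if it stated the reason, e.g. `// SplitStyleAboveRange may change the selection's ranges, so take strong references to all of them before looping instead of indexing the live selection.`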