Bug 1419802: Bailout from ScheduleViewManagerFlush if already destroying the shell. r=mats
authorEmilio Cobos Álvarez <emilio@crisal.io>
Wed, 23 May 2018 17:20:14 +0200
changeset 419618 91c6df51ea6163d73eb1d45a44ae64f4f38dcbd7
parent 419617 bcae764555a8f86a0ad262d1e4d4ab46b6609440
child 419619 5024a6a9176a9576b54e225a7b3c3142047f06b6
push id34040
push userebalazs@mozilla.com
push dateThu, 24 May 2018 09:37:05 +0000
treeherdermozilla-central@c411ccb6bb4a [default view] [failures only]
reviewersmats
bugs1419802
milestone62.0a1
Bug 1419802: Bailout from ScheduleViewManagerFlush if already destroying the shell. r=mats MozReview-Commit-ID: Ixq9jwX2kET
layout/base/PresShell.cpp
layout/base/crashtests/1419802.html
layout/base/crashtests/crashtests.list
--- a/layout/base/PresShell.cpp
+++ b/layout/base/PresShell.cpp
@@ -3775,16 +3775,20 @@ PresShell::GetRectVisibility(nsIFrame* a
     return nsRectVisibility_kRightOfViewport;
 
   return nsRectVisibility_kVisible;
 }
 
 void
 PresShell::ScheduleViewManagerFlush(PaintType aType)
 {
+  if (MOZ_UNLIKELY(mIsDestroying)) {
+    return;
+  }
+
   if (aType == PAINT_DELAYED_COMPRESS) {
     // Delay paint for 1 second.
     static const uint32_t kPaintDelayPeriod = 1000;
     if (!mDelayedPaintTimer) {
       nsTimerCallbackFunc
         PaintTimerCallBack = [](nsITimer* aTimer, void* aClosure) {
           // The passed-in PresShell is always alive here. Because if PresShell
           // died, mDelayedPaintTimer->Cancel() would be called during the
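Review bot: The new `mIsDestroying` early return at the top of ScheduleViewManagerFlush has no comment saying which invariant it protects. The lambda comment further down relies on mDelayedPaintTimer being cancelled when the shell dies, so a call that arrives after teardown has started could presumably create a fresh timer whose closure still points at this PresShell; that is inferred from the visible comment, because the rest of the function and Destroy() are outside the hunk. I would document this at the guard, for example `// Once Destroy() has started, never (re)create mDelayedPaintTimer or schedule a paint: the timer closure refers to this shell and nothing would cancel it.` It is also worth confirming that no caller depends on a flush being scheduled during destruction, since the return is silent.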
new file mode 100644
--- /dev/null
+++ b/layout/base/crashtests/1419802.html
@@ -0,0 +1,9 @@
+<script>
+	try { o1 = document.createElement('i') } catch(e) { }
+	try { o2 = document.createElement('style') } catch(e) { }
+	try { document.documentElement.appendChild(o1) } catch(e) { }
+	try { document.head.appendChild(o2) } catch(e) { }
+	try { document.writeln("<data id='id0'></data>\n<style id='id0'>#id0{margin-left:619}#id0{display:ruby-base}</style>") } catch(e) { }
+	try { o1.innerHTML = "<style>" } catch(e) { }
+	try { document.styleSheets[2].insertRule(":first-letter { }", 0); } catch(e) { }
+</script>
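Review bot: The regression test reaches the crashing path through `document.styleSheets[2]` while every statement is wrapped in an empty `catch`, so it can stop testing anything without ever failing. If the sheet order changes, `insertRule` throws, the exception is swallowed, and the test still loads cleanly. Index 2 appears to be the `<style>` created through `o1.innerHTML`, so addressing that sheet directly, or at least adding a comment such as `<!-- styleSheets[2] is the <style> inserted via o1.innerHTML; insertRule on it triggers the flush during shell teardown -->`, would keep the test tied to the bug. Confirm against the bug report which sheet is meant before changing the reduced testcase.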
--- a/layout/base/crashtests/crashtests.list
+++ b/layout/base/crashtests/crashtests.list
@@ -508,16 +508,17 @@ load 1400599-1.html
 load 1401739.html
 load 1401840.html
 load 1402476.html
 load 1404789-2.html
 load 1406562.html
 load 1409147.html
 load 1411138.html
 load 1419762.html
+load 1419802.html
 load 1420533.html
 load 1425959.html
 load 1425893.html
 load 1428353.html
 pref(dom.webcomponents.shadowdom.enabled,true) load 1429088.html
 load 1429961.html
 load 1435015.html
 load 1429962.html