Bug 716456 - Make sure to pass a correct ancestor to GetPreviousContent; r=bzbarsky
authorEhsan Akhgari <ehsan@mozilla.com>
Tue, 10 Jan 2012 15:35:04 -0500
changeset 85375 018cfb14c03e95b679c793cfed1aeae941470771
parent 85374 b18d407e2321e01fcb286ed45080546d71db0c88
child 85376 9c2ca2a79d79159fd470ee31763d439f1e884beb
push id805
push userakeybl@mozilla.com
push dateWed, 01 Feb 2012 18:17:35 +0000
treeherdermozilla-aurora@6fb3bf232436 [default view] [failures only]
reviewersbzbarsky
bugs716456
milestone12.0a1
Bug 716456 - Make sure to pass a correct ancestor to GetPreviousContent; r=bzbarsky
editor/libeditor/html/crashtests/716456-1.html
editor/libeditor/html/crashtests/crashtests.list
extensions/spellcheck/src/mozInlineSpellWordUtil.cpp
new file mode 100644
--- /dev/null
+++ b/editor/libeditor/html/crashtests/716456-1.html
@@ -0,0 +1,28 @@
+<!DOCTYPE html>
+<html class="reftest-wait">
+<head>
+<script>
+
+function boom()
+{
+  var div = document.querySelector("div");
+  div.contentEditable = "true";
+  div.focus();
+
+  var r = document.documentElement;
+  document["removeChild"](r);
+  document["appendChild"](r);
+
+  setTimeout(function() {
+    document.execCommand("inserthtml", false, "a");
+    setTimeout(function() {
+      document.documentElement.removeAttribute("class");
+    }, 0);
+  }, 0);
+}
+
+</script>
+</head>
+
+<body onload="boom();"><div></div></body>
+</html>
--- a/editor/libeditor/html/crashtests/crashtests.list
+++ b/editor/libeditor/html/crashtests/crashtests.list
@@ -19,8 +19,9 @@ load 513375-1.xhtml
 load 535632-1.xhtml
 load 574558-1.xhtml
 load 582138-1.xhtml
 load 612565-1.html
 asserts(0-6) load 615015-1.html # Bug 439258
 load 615450-1.html
 load 643786-1.html
 load 682650-1.html
+load 716456-1.html
--- a/extensions/spellcheck/src/mozInlineSpellWordUtil.cpp
+++ b/extensions/spellcheck/src/mozInlineSpellWordUtil.cpp
@@ -49,16 +49,17 @@
 #include "nsIDOMHTMLBRElement.h"
 #include "nsUnicharUtilCIID.h"
 #include "nsServiceManagerUtils.h"
 #include "nsIContent.h"
 #include "nsTextFragment.h"
 #include "mozilla/dom/Element.h"
 #include "nsIFrame.h"
 #include "nsRange.h"
+#include "nsContentUtils.h"
 
 using namespace mozilla;
 
 // IsIgnorableCharacter
 //
 //    These characters are ones that we should ignore in input.
 
 inline bool IsIgnorableCharacter(PRUnichar ch)
@@ -522,16 +523,20 @@ mozInlineSpellWordUtil::BuildSoftText()
     }
     checkBeforeOffset = PR_INT32_MAX;
     if (IsBreakElement(node)) {
       // Since GetPreviousContent follows tree *preorder*, we're about to traverse
       // up out of 'node'. Since node induces breaks (e.g., it's a block),
       // don't bother trying to look outside it, just stop now.
       break;
     }
+    // GetPreviousContent below expects mRootNode to be an ancestor of node.
+    if (!nsContentUtils::ContentIsDescendantOf(node, mRootNode)) {
+      break;
+    }
     node = node->GetPreviousContent(mRootNode);
   }
 
   // Now build up the string moving forward through the DOM until we reach
   // the soft end and *then* see a DOM word separator, a non-inline-element
   // boundary, or the hard end node.
   mSoftText.Truncate();
   mSoftTextDOMMapping.Clear();
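Review bot: The new `ContentIsDescendantOf(node, mRootNode)` guard covers only the backward walk, while the forward pass that starts right after this loop is outside the hunk and may traverse relative to `mRootNode` as well. If it does, it needs the same precondition, so please confirm that and check the other `GetPreviousContent`/`GetNextContent` call sites in this file. The added comment states the requirement but not when it can be violated; something like `// Can fail after the root element is removed and re-appended (see crashtest 716456-1.html).` would tell the next reader why the check exists. The silent `break` also leaves the soft text built from a partial scan, which looks acceptable for spell checking but deserves a word in that comment. BuildSoftText begins and ends outside this hunk.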