Bug 761861 - Fix crash in nsHTMLEditor::DeleteSelectionImpl; r=ehsan
authorAryeh Gregor <ayg@aryeh.name>
Wed, 06 Jun 2012 14:19:16 +0300
changeset 98674 c4da1c7555eebab7e250de0ad61b2291b8442732
parent 98673 e5b003aaf179d4c824aac5587098826ccb9ab167
child 98675 5fb42dae7200cb81729e727534a4ddd6a4f62f4a
push id1729
push userlsblakk@mozilla.com
push dateMon, 16 Jul 2012 20:02:43 +0000
treeherdermozilla-aurora@f4e75e148951 [default view] [failures only]
reviewersehsan
bugs761861
milestone16.0a1
Bug 761861 - Fix crash in nsHTMLEditor::DeleteSelectionImpl; r=ehsan
editor/libeditor/html/crashtests/761861.html
editor/libeditor/html/crashtests/crashtests.list
editor/libeditor/html/nsHTMLEditor.cpp
new file mode 100644
--- /dev/null
+++ b/editor/libeditor/html/crashtests/761861.html
@@ -0,0 +1,15 @@
+<!doctype html>
+<script>
+function boom() {
+  var r = document.documentElement;
+  while (r.firstChild) {
+    r.removeChild(r.firstChild);
+  }
+
+  document.documentElement.contentEditable = "true";
+  document.documentElement.appendChild(document.createElement("span"));
+  document.documentElement.firstChild.appendChild(document.createTextNode("_"));
+  document.execCommand("forwarddelete");
+}
+</script>
+<body onload="boom()">
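Review bot: The crashtest does not say which precondition it reproduces, so a reader has to work out why `boom()` empties the root element before inserting the span. From the visible lines, the span and its text node end up directly under the contentEditable `documentElement`, presumably so that the text has no block-level ancestor when `forwarddelete` runs. A one-line comment at the top of `boom()` would record that, for example `// Bug 761861: inline content directly under an editable root, with no block ancestor.` The test exercises only `forwarddelete`; whether the other delete directions reach the same code cannot be seen from this page.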
--- a/editor/libeditor/html/crashtests/crashtests.list
+++ b/editor/libeditor/html/crashtests/crashtests.list
@@ -22,8 +22,9 @@ load 582138-1.xhtml
 load 612565-1.html
 asserts(0-6) load 615015-1.html # Bug 439258
 load 615450-1.html
 load 639736-1.xhtml
 load 643786-1.html
 load 682650-1.html
 load 716456-1.html
 load 759748.html
+load 761861.html
--- a/editor/libeditor/html/nsHTMLEditor.cpp
+++ b/editor/libeditor/html/nsHTMLEditor.cpp
@@ -3397,19 +3397,22 @@ nsHTMLEditor::DeleteSelectionImpl(EDirec
   NS_ENSURE_STATE(typedSel->GetAnchorFocusRange()->Collapsed());
 
   nsCOMPtr<nsIContent> content = do_QueryInterface(typedSel->GetAnchorNode());
   NS_ENSURE_STATE(content);
 
   // Don't strip wrappers if this is the only wrapper in the block.  Then we'll
   // add a <br> later, so it won't be an empty wrapper in the end.
   nsCOMPtr<nsIContent> blockParent = content;
-  while (!IsBlockNode(blockParent)) {
+  while (blockParent && !IsBlockNode(blockParent)) {
     blockParent = blockParent->GetParent();
   }
+  if (!blockParent) {
+    return NS_OK;
+  }
   bool emptyBlockParent;
   res = IsEmptyNode(blockParent, &emptyBlockParent);
   NS_ENSURE_SUCCESS(res, res);
   if (emptyBlockParent) {
     return NS_OK;
   }
 
   if (content && !IsBlockNode(content) && !content->Length() &&
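Review bot: The new `if (!blockParent) { return NS_OK; }` after the ancestor walk has no comment explaining when the walk can run off the top of the tree, or why reporting success is the right outcome there. It matches the existing `if (emptyBlockParent) return NS_OK;` just below, so the behaviour looks intentional. A short comment would keep a later refactor from removing the null guard, for example `// No block-level ancestor (inline content directly under the root, see crashtest 761861): nothing to strip.` Separately, the loop stops only on a block node or a null parent and not at the editing host, so it may select a block outside the editable region; that is inferred from the hunk alone and worth confirming against the rest of `DeleteSelectionImpl`, whose body starts and ends outside the hunk.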