Bug 1484778 - Null-check scroll frame in DispatchScrollingEvent. r=surkov
authorEitan Isaacson <eitan@monotonous.org>
Tue, 21 Aug 2018 10:24:00 -0400
changeset 488301 4746df79fc33bb8d5c87cfb4738a7029004ebc57
parent 488300 2982d92cdd7ab8d125d5f902d63a9ea5eb4d0ab3
child 488302 72a1e585702b9698662955cf3fe05136c415ce26
push id9719
push userffxbld-merge
push dateFri, 24 Aug 2018 17:49:46 +0000
treeherdermozilla-beta@719ec98fba77 [default view] [failures only]
perfherder[talos] [build metrics] [platform microbench] (compared to previous push)
reviewerssurkov
bugs1484778
milestone63.0a1
first release with
nightly linux32
nightly linux64
nightly mac
nightly win32
nightly win64
last release without
nightly linux32
nightly linux64
nightly mac
nightly win32
nightly win64
Bug 1484778 - Null-check scroll frame in DispatchScrollingEvent. r=surkov
accessible/generic/DocAccessible.cpp
accessible/tests/crashtests/1484778.html
accessible/tests/crashtests/crashtests.list
--- a/accessible/generic/DocAccessible.cpp
+++ b/accessible/generic/DocAccessible.cpp
@@ -2443,16 +2443,19 @@ DocAccessible::IsLoadEventTarget() const
   // It's content (not chrome) root document.
   return (treeItem->ItemType() == nsIDocShellTreeItem::typeContent);
 }
 
 void
 DocAccessible::DispatchScrollingEvent(uint32_t aEventType)
 {
   nsIScrollableFrame* sf = mPresShell->GetRootScrollFrameAsScrollable();
+  if (!sf) {
+    return;
+  }
 
   int32_t appUnitsPerDevPixel = mPresShell->GetPresContext()->AppUnitsPerDevPixel();
   LayoutDevicePoint scrollPoint = LayoutDevicePoint::FromAppUnits(
     sf->GetScrollPosition(), appUnitsPerDevPixel) * mPresShell->GetResolution();
 
   LayoutDeviceRect scrollRange = LayoutDeviceRect::FromAppUnits(
     sf->GetScrollRange(), appUnitsPerDevPixel);
   scrollRange.ScaleRoundOut(mPresShell->GetResolution());
new file mode 100644
--- /dev/null
+++ b/accessible/tests/crashtests/1484778.html
@@ -0,0 +1,26 @@
+<style>
+#a { border-left: solid -moz-hyperlinktext 93em }
+</style>
+<script>
+/*
+  I dont't know why but this seems to be required to trigger the crash...
+  aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
+  aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
+  aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
+  aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
+  aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
+  aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
+  aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
+  aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
+  aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
+  aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
+  aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
+*/
+function go() {
+  var b = document.elementFromPoint(0,0);
+  window.scroll({left: 97, top: -1});
+  document.adoptNode(b);
+}
+</script>
+<body onload=go()>
+<ins id="a">
--- a/accessible/tests/crashtests/crashtests.list
+++ b/accessible/tests/crashtests/crashtests.list
@@ -1,12 +1,13 @@
 load 448064.xhtml # This test instantiates a11y, so be careful about adding tests before it
 load 471493.xul
 asserts-if(!browserIsRemote,2) load 884202.html
 load 890760.html
 load 893515.html
 load 1072792.xhtml
 load 1380199.html
 load 1402999.html
+load 1484778.html
 
 # last_test_to_unload_testsuite.xul MUST be the last test in the list because it
 # is responsible for shutting down accessibility service affecting later tests.
 load last_test_to_unload_testsuite.xul