Bug 1386905 - Move away mRuleNode in nsTextEditorState::UnbindFromFrame before storing the value into text buffer. r=Ehsan
authorXidorn Quan <me@upsuper.org>
Fri, 04 Aug 2017 14:18:41 +1000
changeset 424825 0800d81dbd72013e560ccc86c4cf4bc8197fd885
parent 424824 6f029af6aa34b8cef8ad7a192b5bcec534bce8f3
child 424826 11c744cde4284f2415ede6a0d1254db07104e7d9
push id1567
push userjlorenzo@mozilla.com
push dateThu, 02 Nov 2017 12:36:05 +0000
reviewersEhsan
bugs1386905
milestone57.0a1
Bug 1386905 - Move away mRuleNode in nsTextEditorState::UnbindFromFrame before storing the value into text buffer. r=Ehsan Otherwise SetValue may think it's still safe to notify, while it isn't. MozReview-Commit-ID: 6a3or1WXWAq
dom/html/crashtests/1386905.html
dom/html/crashtests/crashtests.list
dom/html/nsTextEditorState.cpp
new file mode 100644
--- /dev/null
+++ b/dom/html/crashtests/1386905.html
@@ -0,0 +1,13 @@
+<!DOCTYPE html>
+<html>
+<head>
+<script>
+document.documentElement.getBoundingClientRect()
+document.documentElement.innerHTML = "<input placeholder=e type=number readonly>"
+document.designMode = "on"
+document.execCommand("inserttext", false, "")
+document.designMode = "off"
+document.documentElement.style.display = 'none'
+</script>
+</head>
+</html>
--- a/dom/html/crashtests/crashtests.list
+++ b/dom/html/crashtests/crashtests.list
@@ -77,8 +77,9 @@ load 1230110.html
 load 1237633.html
 load 1281972-1.html
 load 1282894.html
 load 1290904.html
 load 1343886-1.html
 load 1343886-2.xml
 load 1343886-3.xml
 asserts(0-3) load 1350972.html
+load 1386905.html
--- a/dom/html/nsTextEditorState.cpp
+++ b/dom/html/nsTextEditorState.cpp
@@ -2222,34 +2222,36 @@ nsTextEditorState::UnbindFromFrame(nsTex
         NS_LITERAL_STRING("keyup"),
         TrustedEventsAtSystemGroupBubble());
     }
 
     mTextListener = nullptr;
   }
 
   mBoundFrame = nullptr;
+  // Clear mRootNode so that we don't unexpectedly notify below.
+  nsCOMPtr<Element> rootNode = mRootNode.forget();
 
   // Now that we don't have a frame any more, store the value in the text buffer.
   // The only case where we don't do this is if a value transfer is in progress.
   if (!mValueTransferInProgress) {
     bool success = SetValue(value, eSetValue_Internal);
     // TODO Find something better to do if this fails...
     NS_ENSURE_TRUE_VOID(success);
   }
 
-  if (mRootNode && mMutationObserver) {
-    mRootNode->RemoveMutationObserver(mMutationObserver);
+  if (rootNode && mMutationObserver) {
+    rootNode->RemoveMutationObserver(mMutationObserver);
     mMutationObserver = nullptr;
   }
 
   // Unbind the anonymous content from the tree.
   // We actually hold a reference to the content nodes so that
   // they're not actually destroyed.
-  nsContentUtils::DestroyAnonymousContent(&mRootNode);
+  nsContentUtils::DestroyAnonymousContent(&rootNode);
   nsContentUtils::DestroyAnonymousContent(&mPlaceholderDiv);
   nsContentUtils::DestroyAnonymousContent(&mPreviewDiv);
 }
 
 nsresult
 nsTextEditorState::CreateRootNode()
 {
   MOZ_ASSERT(!mRootNode);
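Review bot: The failure path of SetValue changes meaning with this hunk: `NS_ENSURE_TRUE_VOID(success);` still returns early, but mRootNode has already been moved into the local `rootNode`, so on that path neither `RemoveMutationObserver` nor `DestroyAnonymousContent(&rootNode)` runs and the root node is released at scope exit with mMutationObserver still registered and without being unbound; before the change the node simply stayed in mRootNode for later cleanup. If the value store really must be attempted first, consider not bailing out at all, e.g. replace the early return with `NS_WARNING_ASSERTION(success, "nsTextEditorState::UnbindFromFrame: SetValue failed");` so the observer removal and anonymous-content teardown below always run; alternatively, if SetValue no longer needs the anonymous tree once mRootNode is null (which I cannot confirm from this hunk), hoist the `rootNode` cleanup above the `if (!mValueTransferInProgress)` block. Either way the comment at the `forget()` line would be clearer as `// Move mRootNode out first: SetValue checks it to decide whether notifying is safe, and it is not once the frame is gone.` UnbindFromFrame begins above this hunk and CreateRootNode continues below it, so the earlier teardown of the editor that SetValue may depend on is not visible here.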