Bug 1470926 - Null-check mBoundFrame after calling SetSelectionRange on it. r=TYLin a=lizzard
authorEmilio Cobos Álvarez <emilio@crisal.io>
Thu, 21 Feb 2019 00:18:15 +0000
changeset 516173 524a4774fe51436368c729ab6eebad22072c61a6
parent 516172 4171deeda04bb446358cc6d6c76bd6cf4f0cd45f
child 516174 ba725018e9ab36cab501d12112c98b5af5b047f8
push id1953
push userffxbld-merge
push dateMon, 11 Mar 2019 12:10:20 +0000
treeherdermozilla-release@9c35dcbaa899 [default view] [failures only]
perfherder[talos] [build metrics] [platform microbench] (compared to previous push)
reviewersTYLin, lizzard
bugs1470926
milestone66.0
Bug 1470926 - Null-check mBoundFrame after calling SetSelectionRange on it. r=TYLin a=lizzard This code was already handling the world going away, but did not handle the case of just getting unbound, which can happen if some selection listener (e.g., AccessibleCaret) flushes layout. Differential Revision: https://phabricator.services.mozilla.com/D20469
dom/html/nsTextEditorState.cpp
editor/libeditor/crashtests/1470926.html
editor/libeditor/crashtests/crashtests.list
--- a/dom/html/nsTextEditorState.cpp
+++ b/dom/html/nsTextEditorState.cpp
@@ -1635,17 +1635,19 @@ void nsTextEditorState::SetSelectionRang
     props.SetEnd(aEnd);
     props.SetDirection(aDirection);
   } else {
     WeakPtr<nsTextEditorState> self(this);
     aRv = mBoundFrame->SetSelectionRange(aStart, aEnd, aDirection);
     if (aRv.Failed() || !self.get()) {
       return;
     }
-    rv = mBoundFrame->ScrollSelectionIntoView();
+    if (mBoundFrame) {
+      rv = mBoundFrame->ScrollSelectionIntoView();
+    }
     // Press on to firing the event even if that failed, like our old code did.
     // But is that really what we want?  Firing the event _and_ throwing from
     // here is weird.  Maybe we should just ignore ScrollSelectionIntoView
     // failures?
 
     // XXXbz This is preserving our current behavior of firing a "select" event
     // on all mutations when we have an editor, but we should really consider
     // fixing that...
new file mode 100644
--- /dev/null
+++ b/editor/libeditor/crashtests/1470926.html
@@ -0,0 +1,9 @@
+<script>
+function go() {
+  a.select();
+  a.setAttribute("hidden", "");
+  a.setRangeText("f");
+}
+</script>
+<body onload=go()>
+<textarea id="a">-</textarea>
--- a/editor/libeditor/crashtests/crashtests.list
+++ b/editor/libeditor/crashtests/crashtests.list
@@ -101,8 +101,9 @@ load 1423767.html
 needs-focus load 1423776.html
 needs-focus load 1424450.html
 load 1425091.html
 load 1441619.html
 load 1443664.html
 skip-if(Android) needs-focus load 1444630.html
 load 1446451.html
 asserts(0-2) load 1464251.html # assertion is that mutation event listener modifies content
+pref(layout.accessiblecaret.enabled,true) load 1470926.html