Bug 1386905 - Move away mRuleNode in nsTextEditorState::UnbindFromFrame before storing the value into text buffer. r=Ehsan, a=lizzard
authorXidorn Quan <me@upsuper.org>
Fri, 04 Aug 2017 14:18:41 +1000
changeset 423521 71154d26091a721d399b9d8ab0eb03c5e306d63d
parent 423520 e7efe3c1a1c4e3a192cd8682ffeac2173dcb232a
child 423522 0f875d25932a5ffec9c9abc05c0f899a6990bdf8
push id1517
push userjlorenzo@mozilla.com
push dateThu, 14 Sep 2017 16:50:54 +0000
treeherdermozilla-release@3b41fd564418 [default view] [failures only]
perfherder[talos] [build metrics] [platform microbench] (compared to previous push)
reviewersEhsan, lizzard
bugs1386905
milestone56.0
Bug 1386905 - Move away mRuleNode in nsTextEditorState::UnbindFromFrame before storing the value into text buffer. r=Ehsan, a=lizzard Otherwise SetValue may think it's still safe to notify, while it isn't. MozReview-Commit-ID: 6a3or1WXWAq
dom/html/crashtests/1386905.html
dom/html/crashtests/crashtests.list
dom/html/nsTextEditorState.cpp
new file mode 100644
--- /dev/null
+++ b/dom/html/crashtests/1386905.html
@@ -0,0 +1,13 @@
+<!DOCTYPE html>
+<html>
+<head>
+<script>
+document.documentElement.getBoundingClientRect()
+document.documentElement.innerHTML = "<input placeholder=e type=number readonly>"
+document.designMode = "on"
+document.execCommand("inserttext", false, "")
+document.designMode = "off"
+document.documentElement.style.display = 'none'
+</script>
+</head>
+</html>
--- a/dom/html/crashtests/crashtests.list
+++ b/dom/html/crashtests/crashtests.list
@@ -77,8 +77,9 @@ load 1230110.html
 load 1237633.html
 load 1281972-1.html
 load 1282894.html
 load 1290904.html
 load 1343886-1.html
 load 1343886-2.xml
 load 1343886-3.xml
 asserts(0-3) load 1350972.html
+load 1386905.html
--- a/dom/html/nsTextEditorState.cpp
+++ b/dom/html/nsTextEditorState.cpp
@@ -2230,34 +2230,36 @@ nsTextEditorState::UnbindFromFrame(nsTex
         NS_LITERAL_STRING("keyup"),
         TrustedEventsAtSystemGroupBubble());
     }
 
     mTextListener = nullptr;
   }
 
   mBoundFrame = nullptr;
+  // Clear mRootNode so that we don't unexpectedly notify below.
+  nsCOMPtr<Element> rootNode = mRootNode.forget();
 
   // Now that we don't have a frame any more, store the value in the text buffer.
   // The only case where we don't do this is if a value transfer is in progress.
   if (!mValueTransferInProgress) {
     bool success = SetValue(value, eSetValue_Internal);
     // TODO Find something better to do if this fails...
     NS_ENSURE_TRUE_VOID(success);
   }
 
-  if (mRootNode && mMutationObserver) {
-    mRootNode->RemoveMutationObserver(mMutationObserver);
+  if (rootNode && mMutationObserver) {
+    rootNode->RemoveMutationObserver(mMutationObserver);
     mMutationObserver = nullptr;
   }
 
   // Unbind the anonymous content from the tree.
   // We actually hold a reference to the content nodes so that
   // they're not actually destroyed.
-  nsContentUtils::DestroyAnonymousContent(&mRootNode);
+  nsContentUtils::DestroyAnonymousContent(&rootNode);
   nsContentUtils::DestroyAnonymousContent(&mPlaceholderDiv);
   nsContentUtils::DestroyAnonymousContent(&mPreviewDiv);
 }
 
 nsresult
 nsTextEditorState::CreateRootNode()
 {
   MOZ_ASSERT(!mRootNode);