Bug 1343886 - Handle input or textarea elements having a non-textcontrol frame better. r=ehsan a=gchang
authorBoris Zbarsky <bzbarsky@mit.edu>
Mon, 06 Mar 2017 10:29:38 -0500
changeset 395062 715af4db0ac4dfb8d4a46ca9e8752ccbba32d54a
parent 395061 147c73709841da67c170f0dfc835e7293683a387
child 395063 b0b7222031460444b58e4aea30a2353270486ea2
push id1468
push userasasaki@mozilla.com
push dateMon, 05 Jun 2017 19:31:07 +0000
treeherdermozilla-release@0641fc6ee9d1 [default view] [failures only]
reviewersehsan, gchang
bugs1343886
milestone54.0a2
Bug 1343886 - Handle input or textarea elements having a non-textcontrol frame better. r=ehsan a=gchang MozReview-Commit-ID: FRzdvTLMAID
dom/html/HTMLInputElement.cpp
dom/html/HTMLTextAreaElement.cpp
dom/html/crashtests/1343886-1.html
dom/html/crashtests/1343886-2.xml
dom/html/crashtests/1343886-3.xml
dom/html/crashtests/crashtests.list
dom/html/nsTextEditorState.cpp
--- a/dom/html/HTMLInputElement.cpp
+++ b/dom/html/HTMLInputElement.cpp
@@ -6610,24 +6610,16 @@ HTMLInputElement::GetFiles(nsIDOMFileLis
 NS_IMETHODIMP
 HTMLInputElement::GetSelectionRange(int32_t* aSelectionStart,
                                     int32_t* aSelectionEnd)
 {
   // Flush frames, because our editor state will want to work with the frame.
   if (IsInComposedDoc()) {
     GetComposedDoc()->FlushPendingNotifications(FlushType::Frames);
   }
-  if (!GetPrimaryFrame()) {
-    // Can we return a selection range anyway here, now that it lives on our
-    // state?  In fact, could we make this behave more like
-    // GetSelectionDirection, in the sense of working even when we have no
-    // frame, by just delegating entirely to mState?  And then, do we really
-    // need the flush?
-    return NS_ERROR_FAILURE;
-  }
 
   nsTextEditorState* state = GetEditorState();
   if (!state) {
     // Not a text control.
     return NS_ERROR_FAILURE;
   }
 
   return state->GetSelectionRange(aSelectionStart, aSelectionEnd);
--- a/dom/html/HTMLTextAreaElement.cpp
+++ b/dom/html/HTMLTextAreaElement.cpp
@@ -843,24 +843,16 @@ HTMLTextAreaElement::SetSelectionEnd(con
 NS_IMETHODIMP
 HTMLTextAreaElement::GetSelectionRange(int32_t* aSelectionStart,
                                        int32_t* aSelectionEnd)
 {
   // Flush frames, because our editor state will want to work with the frame.
   if (IsInComposedDoc()) {
     GetComposedDoc()->FlushPendingNotifications(FlushType::Frames);
   }
-  if (!GetPrimaryFrame()) {
-    // Can we return a selection range anyway here, now that it lives on our
-    // state?  In fact, could we make this behave more like
-    // GetSelectionDirection, in the sense of working even when we have no
-    // frame, by just delegating entirely to mState?  And then, do we really
-    // need the flush?
-    return NS_ERROR_FAILURE;
-  }
 
   return mState.GetSelectionRange(aSelectionStart, aSelectionEnd);
 }
 
 static void
 DirectionToName(nsITextControlFrame::SelectionDirection dir, nsAString& aDirection)
 {
   if (dir == nsITextControlFrame::eNone) {
new file mode 100644
--- /dev/null
+++ b/dom/html/crashtests/1343886-1.html
@@ -0,0 +1,14 @@
+<!DOCTYPE html>
+<html>
+    <head>
+        <script>
+            document.documentElement.scrollTop = "500";
+            o1 = document.createRange();
+            o2 = document.createElement('input'); 
+            o1.selectNode(document.documentElement);
+            o1.surroundContents(o2);
+            o2.selectionStart;
+        </script>
+    </head>
+    <body></body>
+</html>
\ No newline at end of file
new file mode 100644
--- /dev/null
+++ b/dom/html/crashtests/1343886-2.xml
@@ -0,0 +1,3 @@
+<input xmlns="http://www.w3.org/1999/xhtml">
+  <script>document.documentElement.selectionStart</script>
+</input>
new file mode 100644
--- /dev/null
+++ b/dom/html/crashtests/1343886-3.xml
@@ -0,0 +1,3 @@
+<textarea xmlns="http://www.w3.org/1999/xhtml">
+  <script>document.documentElement.selectionStart</script>
+</textarea>
--- a/dom/html/crashtests/crashtests.list
+++ b/dom/html/crashtests/crashtests.list
@@ -73,8 +73,11 @@ load 916322-2.html
 load 1032654.html
 load 1141260.html
 load 1228876.html
 load 1230110.html
 load 1237633.html
 load 1281972-1.html
 load 1282894.html
 load 1290904.html
+load 1343886-1.html
+load 1343886-2.xml
+load 1343886-3.xml
--- a/dom/html/nsTextEditorState.cpp
+++ b/dom/html/nsTextEditorState.cpp
@@ -1548,21 +1548,23 @@ nsTextEditorState::SetSelectionPropertie
     mSelectionProperties = aProps;
   }
 }
 
 nsresult
 nsTextEditorState::GetSelectionRange(int32_t* aSelectionStart,
                                      int32_t* aSelectionEnd)
 {
-  MOZ_ASSERT(mBoundFrame,
-             "Caller didn't flush out frames and check for a frame?");
   MOZ_ASSERT(aSelectionStart);
   MOZ_ASSERT(aSelectionEnd);
 
+  if (!mBoundFrame) {
+    return NS_ERROR_FAILURE;
+  }
+
   // It's not clear that all the checks here are needed, but the previous
   // version of this code in nsTextControlFrame was doing them, so we keep them
   // for now.
 
   nsresult rv = mBoundFrame->EnsureEditorInitialized();
   NS_ENSURE_SUCCESS(rv, rv);
 
   nsISelectionController* selCon = GetSelectionController();
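Review bot: The new `if (!mBoundFrame)` early return in nsTextEditorState::GetSelectionRange has no comment explaining why a bound frame can be missing even though both callers flush frames first, and the removed assertion message shows this was previously assumed impossible. A short comment above the check would record the case the crashtests cover, for example `// The element may have a primary frame that is not a text control frame (see crashtests 1343886-*), so mBoundFrame can be null even after a flush.` The early return also leaves `*aSelectionStart` and `*aSelectionEnd` unwritten. The two callers visible in this commit forward the nsresult, but any caller outside this view that reads the values without checking the result would see indeterminate integers, so either say in the comment that the out-params are untouched on failure or zero them before returning. The function body continues past the end of this hunk, so later uses of mBoundFrame could not be checked here.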