Bug 1454572: nsComputedDOMStyle: Don't crash when used on a detached pseudo-element. r=emilio,xidorn:emilio a=RyanVM
authorJames Teh <jteh@mozilla.com>
Thu, 19 Apr 2018 15:53:25 +1000
changeset 463488 9215ab5bc95411c5c2b1b0a746a9c84c5f2ec57a
parent 463487 363aebb824a06ea3ce94543122f866d8e6abdb52
child 463489 06f6ddcfe8d9020925359210acdcfd3edb787277
push id1683
push usersfraser@mozilla.com
push dateThu, 26 Apr 2018 16:43:40 +0000
treeherdermozilla-release@5af6cb21869d [default view] [failures only]
perfherder[talos] [build metrics] [platform microbench] (compared to previous push)
reviewersemilio, xidorn, RyanVM
bugs1454572
milestone60.0
Bug 1454572: nsComputedDOMStyle: Don't crash when used on a detached pseudo-element. r=emilio,xidorn:emilio a=RyanVM This shouldn't normally happen, but it does in some rare cases; e.g. if an accessibility client queries info for a node that is being removed. MozReview-Commit-ID: 3nac9ITN66f
layout/style/nsComputedDOMStyle.cpp
--- a/layout/style/nsComputedDOMStyle.cpp
+++ b/layout/style/nsComputedDOMStyle.cpp
@@ -681,16 +681,17 @@ MustReresolveStyle(const nsStyleContext*
 already_AddRefed<nsStyleContext>
 nsComputedDOMStyle::DoGetStyleContextNoFlush(Element* aElement,
                                              nsAtom* aPseudo,
                                              nsIPresShell* aPresShell,
                                              StyleType aStyleType,
                                              AnimationFlag aAnimationFlag)
 {
   MOZ_ASSERT(aElement, "NULL element");
+
   // If the content has a pres shell, we must use it.  Otherwise we'd
   // potentially mix rule trees by using the wrong pres shell's style
   // set.  Using the pres shell from the content also means that any
   // content that's actually *in* a document will get the style from the
   // correct document.
   nsIPresShell* presShell = nsContentUtils::GetPresShellForContent(aElement);
   bool inDocWithShell = true;
   if (!presShell) {
@@ -723,16 +724,24 @@ nsComputedDOMStyle::DoGetStyleContextNoF
   if (aPseudo) {
     pseudoType = nsCSSPseudoElements::
       GetPseudoType(aPseudo, CSSEnabledState::eIgnoreEnabledState);
     if (pseudoType >= CSSPseudoElementType::Count) {
       return nullptr;
     }
   }
 
+  if (aElement->IsInNativeAnonymousSubtree() && !aElement->IsInComposedDoc()) {
+    // Normal web content can't access NAC, but Accessibility, DevTools and
+    // Editor use this same API and this may get called for anonymous content.
+    // Computing the style of a pseudo-element that doesn't have a parent doesn't
+    // really make sense.
+    return nullptr;
+  }
+
   // XXX the !aElement->IsHTMLElement(nsGkAtoms::area)
   // check is needed due to bug 135040 (to avoid using
   // mPrimaryFrame). Remove it once that's fixed.
   if (inDocWithShell &&
       aStyleType == eAll &&
       !aElement->IsHTMLElement(nsGkAtoms::area)) {
     nsIFrame* frame = nullptr;
     if (aPseudo == nsCSSPseudoElements::before) {