aboutsummaryrefslogblamecommitdiff
path: root/www/waterfox/files/patch-bug1405878
blob: fa3d058e234c2d54dd58e18cb864a025c7915c77 (plain) (tree) 
a78e81243d1f
























































































































1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
























































































































                                                                                                                                              
commit 87f3d592d92f
Author: Boris Zbarsky <bzbarsky@mit.edu>
Date:   Mon Oct 9 14:49:19 2017 -0400

    Bug 1405878 - Make sure to notify for our kids, if needed, before calling DoneAddingChildren in the XML content sink. r=hsivonen, a=sledru
    
    Once we call DoneAddingChildren, random code of various sorts will run, which
    can flush our notification state.  If that happens before we've notified on our
    kids, but after we've popped the element we're closing off the element stack,
    we will fail to ever notify on the kids.
    
    MozReview-Commit-ID: Ei7v5OobX8R
    
    --HG--
    extra : source : f144e1434312485cf9ee16a36d6159dbcb13a07d
---
 dom/xml/crashtests/1405878.xml         | 11 +++++++++++
 dom/xml/crashtests/crashtests.list     |  1 +
 dom/xml/nsXMLContentSink.cpp           | 18 +++++++++++-------
 layout/reftests/bugs/1405878-1-ref.xml |  7 +++++++
 layout/reftests/bugs/1405878-1.xml     |  6 ++++++
 layout/reftests/bugs/reftest.list      |  1 +
 6 files changed, 37 insertions(+), 7 deletions(-)

diff --git dom/xml/crashtests/1405878.xml dom/xml/crashtests/1405878.xml
new file mode 100644
index 000000000000..12677ade938d
--- /dev/null
+++ dom/xml/crashtests/1405878.xml
@@ -0,0 +1,11 @@
+<html xmlns="http://www.w3.org/1999/xhtml">
+  <body>
+    <select>
+      <script>document.documentElement.offsetHeight</script>
+    <option>Hello there</option>
+    </select>
+    <script>
+      document.querySelector("body").style.display = "inline";
+    </script>
+  </body>
+</html>
diff --git dom/xml/crashtests/crashtests.list dom/xml/crashtests/crashtests.list
index f18767d582c2..2c06ffc545ec 100644
--- dom/xml/crashtests/crashtests.list
+++ dom/xml/crashtests/crashtests.list
@@ -10,3 +10,4 @@ load 453278.html
 load 803586.xhtml
 load 994740-1.xhtml
 load 1038887.xhtml
+load 1405878.xml
diff --git dom/xml/nsXMLContentSink.cpp dom/xml/nsXMLContentSink.cpp
index 2593519aa44b..b04977d62cf1 100644
--- dom/xml/nsXMLContentSink.cpp
+++ dom/xml/nsXMLContentSink.cpp
@@ -1071,6 +1071,17 @@ nsXMLContentSink::HandleEndElement(const char16_t *aName,
                isTemplateElement, "Wrong element being closed");
 #endif
 
+  // Make sure to notify on our kids before we call out to any other code that
+  // might reenter us and call FlushTags, in a state in which we've already
+  // popped "content" from the stack but haven't notified on its kids yet.
+  int32_t stackLen = mContentStack.Length();
+  if (mNotifyLevel >= stackLen) {
+    if (numFlushed < content->GetChildCount()) {
+      NotifyAppend(content, numFlushed);
+    }
+    mNotifyLevel = stackLen - 1;
+  }
+
   result = CloseElement(content);
 
   if (mCurrentHead == content) {
@@ -1086,13 +1097,6 @@ nsXMLContentSink::HandleEndElement(const char16_t *aName,
     MaybeStartLayout(false);
   }
 
-  int32_t stackLen = mContentStack.Length();
-  if (mNotifyLevel >= stackLen) {
-    if (numFlushed < content->GetChildCount()) {
-      NotifyAppend(content, numFlushed);
-    }
-    mNotifyLevel = stackLen - 1;
-  }
   DidAddContent();
 
   if (content->IsSVGElement(nsGkAtoms::svg)) {
diff --git layout/reftests/bugs/1405878-1-ref.xml layout/reftests/bugs/1405878-1-ref.xml
new file mode 100644
index 000000000000..6d1dd199b41e
--- /dev/null
+++ layout/reftests/bugs/1405878-1-ref.xml
@@ -0,0 +1,7 @@
+<html xmlns="http://www.w3.org/1999/xhtml">
+  <select>
+    <script>document.documentElement.offsetHeight</script>
+    <option>Hello there</option>
+    <script>document.documentElement.offsetHeight</script>
+  </select>
+</html>
diff --git layout/reftests/bugs/1405878-1.xml layout/reftests/bugs/1405878-1.xml
new file mode 100644
index 000000000000..3915711b1103
--- /dev/null
+++ layout/reftests/bugs/1405878-1.xml
@@ -0,0 +1,6 @@
+<html xmlns="http://www.w3.org/1999/xhtml">
+  <select>
+    <script>document.documentElement.offsetHeight</script>
+    <option>Hello there</option>
+  </select>
+</html>
diff --git layout/reftests/bugs/reftest.list layout/reftests/bugs/reftest.list
index 52f8cb915cee..47c04cdf41d6 100644
--- layout/reftests/bugs/reftest.list
+++ layout/reftests/bugs/reftest.list
@@ -2037,3 +2037,4 @@ needs-focus != 1377447-1.html 1377447-2.html
 == 1380224-1.html 1380224-1-ref.html
 == 1384065.html 1384065-ref.html
 == 1384275-1.html 1384275-1-ref.html
+== 1405878-1.xml 1405878-1-ref.xml
generated by cgit v1.2.3 (git 2.25.1) at 2024-05-26 11:14:16 +0000