From e3cdf865e5ff0243015376f49dc90a7ad5239e64 Mon Sep 17 00:00:00 2001
From: Hiroyuki Ikezoe <hikezoe@mozilla.com>
Date: Mon, 26 Mar 2018 11:25:56 +0900
Subject: [PATCH] Bug 1440523 - Bail out from
 nsHTMLDocument::EditingStateChanged if the docshell is being destroyed by
 FlushPendingNotifications call. r=masayuki

MozReview-Commit-ID: DlFXWdpB1Xv

--HG--
extra : rebase_source : ed93cee34592ad09845c769eac6f56ccdf362457
---
 dom/html/crashtests/1440523.html    | 13 +++++++++++++
 dom/html/crashtests/crashtests.list |  1 +
 dom/html/nsHTMLDocument.cpp         |  7 +++++++
 3 files changed, 21 insertions(+)
 create mode 100644 dom/html/crashtests/1440523.html

diff --git a/dom/html/crashtests/1440523.html b/dom/html/crashtests/1440523.html
new file mode 100644
index 000000000000..11ce69978197
--- /dev/null
+++ b/dom/html/crashtests/1440523.html
@@ -0,0 +1,13 @@
+<html>
+  <head>
+    <script>
+      try { frame = document.createElement('frame') } catch(e) { }
+      try { document.documentElement.appendChild(frame) } catch(e) { }
+      try { contentDocument = frame.contentDocument } catch(e) { }
+      try { contentDocument.writeln("<p contenteditable='true'>") } catch(e) { }
+      try { anotherDocument = document.implementation.createHTMLDocument(); } catch(e) { }
+      try { rootOfAnotherDocument = anotherDocument.documentElement; } catch(e) { }
+      try { document.replaceChild(rootOfAnotherDocument, document.documentElement); } catch(e) { }
+   </script>
+  </head>
+</html>
diff --git a/dom/html/crashtests/crashtests.list b/dom/html/crashtests/crashtests.list
index 8ac17a52828b..f2b509d741ac 100644
--- a/dom/html/crashtests/crashtests.list
+++ b/dom/html/crashtests/crashtests.list
@@ -87,3 +87,4 @@ load 1350972.html
 load 1386905.html
 asserts(0-4) load 1401726.html
 load 1412173.html
+load 1440523.html
diff --git a/dom/html/nsHTMLDocument.cpp b/dom/html/nsHTMLDocument.cpp
index 443cd11e252e..35e1fc3b92c4 100644
--- a/dom/html/nsHTMLDocument.cpp
+++ b/dom/html/nsHTMLDocument.cpp
@@ -2363,6 +2363,13 @@ nsHTMLDocument::EditingStateChanged()
   if (!docshell)
     return NS_ERROR_FAILURE;
 
+  // FlushPendingNotifications might destroy our docshell.
+  bool isBeingDestroyed = false;
+  docshell->IsBeingDestroyed(&isBeingDestroyed);
+  if (isBeingDestroyed) {
+    return NS_ERROR_FAILURE;
+  }
+
   nsCOMPtr<nsIEditingSession> editSession;
   nsresult rv = docshell->GetEditingSession(getter_AddRefs(editSession));
   NS_ENSURE_SUCCESS(rv, rv);