This condition was needed when FindInsertionPrevSibling and co didn't understand
display: contents.
Editor is pretty broken (and calls into PresShell::ContentRemoved directly, and
incorrectly, using anonymous nodes).
In this case we were taking the XBL path because of display: contents, which
means that we tried to seek to the editor anonymous node, and crash (since it's
not an explicit kid).
Editor needs to get fixed, but this is technically more correct and fixes the
crash, so we may as well take it in the interim.
Differential Revision: https://phabricator.services.mozilla.com/D42472
--HG--
extra : moz-landing-system : lando
Having NAC bound to the tree when not connected is not quite fine, make sure to
clean up properly.
Differential Revision: https://phabricator.services.mozilla.com/D33704
--HG--
extra : moz-landing-system : lando
`HTMLEditor` initializes selection ancestor limit when it receives `focus`
event. If `Document.execCommand()` is called immediately after an
ancestor of active editing host becomes new editing host,
`HTMLEditor::GetActiveEditingHost()` returns the new one, but selection
ancestor limit is still the previous one. This mismatch causes a lot of
bugs. Therefore, this patch makes `nsGenericHTMLElement` notifies `HTMLEditor`
of an element becoming `contenteditable`, and makes `HTMLEditor` update
selection ancestor limit only when the new editing host is ancestor of
old selection ancestor limit.
Differential Revision: https://phabricator.services.mozilla.com/D32823
--HG--
extra : moz-landing-system : lando
`HTMLEditRules::ApplyBlockStyle()` stores `curBlock` and `newBlock` during its
loop to keep handling from deeper child to ancestor, and may do two things for
a `curNode`. If `curBlock` and/or `newBlock` is moved from expected container
when it sets one of or both of them, this patch check whether mutation event
listeners change the DOM tree. Additionally, this patch also checks whether
`curNode' is moved by mutation event listener at first step of two jobs for it.
Differential Revision: https://phabricator.services.mozilla.com/D32689
--HG--
extra : moz-landing-system : lando
`WSRunObject` scans previous and next node of given point/range **without**
checking editing host boundary. Therefore, its methods may return non-editable
nodes or editable nodes in another editing host. In such cases, `HTMLEditRules`
is confused.
This patch makes it store editing host at initialization and it check the
boundary. However, the former cost may appear in score of some benchmark
tests, but we shouldn't allow attackers to use this entrance.
Differential Revision: https://phabricator.services.mozilla.com/D32467
--HG--
extra : moz-landing-system : lando
Oddly, `WSRunObject::InsertText()` returns `NS_OK` even when
`HTMLEditor::InsertTextWithTransaction()` returns error. However,
it fails if insertion point is not editable like `<noscript>` element.
In such case, `aPointAfterInsertedString` isn't modified and its caller,
`HTMLEditRules::WillInsertText()` keep handling inserting remaining text
with non-positioned `EditorDOMPoint`. Therefore, at the next time,
`WSRunObject` fails to do anything since it requires positioned
`EditorDOMPoint`.
For making uplift safer, this patch makes `WSRunObject::InsertText()` set
`aPointAfterInsertedString` by itself when
`HTMLEditor::InsertTextWithTransaction()` returns error.
Differential Revision: https://phabricator.services.mozilla.com/D32131
--HG--
extra : moz-landing-system : lando
This is a simple mistake of `MOZ_ASSERTION()` in it. When `mParent` is a node
which can have children, `mChild` should be non-`nullptr` or `mOffset` should
/ be set to the end of `mParent`. But when `mParent` is not a container, any
`mOffset` value should be allowed.
Differential Revision: https://phabricator.services.mozilla.com/D30014
--HG--
extra : moz-landing-system : lando
We should stop handling splitting nodes if mutation event listeners move or
remove the split nodes unexpectedly because the post processors may not be
able to keep handling the nodes. For example, if a node is moved to outside
of editing host, we shouldn't touch it anymore due to non-editable.
This patch makes `EditorBase::DoSplitNode()` return new error for making
any parent callers stop their job, but note that the following patch makes
any public methods expose the new error as exception for compatibility with
Chrome.
Differential Revision: https://phabricator.services.mozilla.com/D20810
--HG--
extra : moz-landing-system : lando
This code was already handling the world going away, but did not handle the case
of just getting unbound, which can happen if some selection listener (e.g.,
AccessibleCaret) flushes layout.
Differential Revision: https://phabricator.services.mozilla.com/D20469
--HG--
extra : moz-landing-system : lando
Summary:
The latest version of Gecko doesn't crash by this HTML, but I would like to add
this for the future.
Bug #: 1441619
Differential Revision: https://phabricator.services.mozilla.com/D14846
--HG--
extra : rebase_source : 5633e508d1c1f405465857a71f7c544fbb3782e8
SplitStyleAbovePoint calls SplitNodeDeepWithTransaction repeatedly. If
SplitNodeDeepWithTransaction creates orphan node like this test case,
this crash occurs. So we should check whether node becomes orphan node.
Differential Revision: https://phabricator.services.mozilla.com/D1993
--HG--
extra : moz-landing-system : lando
TextEditor::DeleteSelectionAsAction() is called even if it's a part of edit
action. For example, it's called to prepare for inserting text.
For bug 1465702, editor itself and edit rules classes should not call
public DeleteSelectionAsAction() directly. Therefore, this patch creates
DeleteSelectionAsSubAction() for internal use.
Note that this patch adds NS_ASSERTION() to detect wrong caller. However,
it cannot distinguish if the call is valid, for example, it's allowed to
call DeleteSelectionAsSelection() even if it's handling an edit action but
the method is called via mutation event listener. So, we need to allow
some assertions with some tests. But unfortunately, 1405747.html uses
mutation event listener too many times (about 1,000 times) and the number
of assertion isn't stable. Therefore, this patch makes the test stop using
the mutation event listener 2nd time since I can reproduce the crash with
ESR 52 at the 2nd time.
MozReview-Commit-ID: 1TWaypmnoCC
--HG--
extra : rebase_source : a6a4fb1cbcaf2ab6f10c5f3e7168a6bc0fcb02ed
This assertion was added by review comment of bug 1487945. Since mutation event
handler of this test case hides resizer, this case hits this assertion.
Although 4th parameter of SetAttr can control mutation event, if this event
isn't fired, another test case (layout/base/tests/test_bug558663.html) becomes
failure.
So we should move the assertion before setting resizer attribute.
Differential Revision: https://phabricator.services.mozilla.com/D1854
--HG--
extra : moz-landing-system : lando
This crash occurs when start container of range for range updater is nullptr
in GetNodesForOperation.
Splitted node by SplitNodeDeepWithTransaction can return orphan node, so we
should return error when splitted node is orphan node.
MozReview-Commit-ID: 3ySdzc9FAzL
--HG--
extra : rebase_source : 3c6f37e81641751d32b8a9777b8362baad301ecb
SplitNodeDeepWithTransaction will split nodes until better point. But
this test case becomes that node is orphan into loop. So I would like to
add more check whether parent is nothing.
MozReview-Commit-ID: EroSV4uVBVL
--HG--
extra : rebase_source : f594bdf7cd9efac7d10e6e05a8f87dadfc761295
This crash is that HTMLEditor::ClearStyle returns nullptr for aNode even if
successful.
When current start node and offset isn't within ancestor limiter,
HTMLEditor::ClearStyle will return nullptr for split node even if successful.
Because SplitNodeTransation returns error since Selection::Collapse is failed.
Then, SplitNodeDeep in HTMLEditor::SplitStyleAvovePoint returns error. But
this error is ignored. So node will becomes null even if successful.
CreateStyleForInsertText will set new selection when there is split node, so
we shouldn't set selection on ClearStyle.
Also, InsertNodeTransation is ignored for error when Collapse is failed, but
SplitNodeTransaction isn't ignored. We should create a rule when collapse is
failed on transaction.
And at feature, we shouldn't set selection in CreateStyleForInsertText, and
then, it should return new insertion point for InsertText instead of setting
new selection.
MozReview-Commit-ID: BRKWLqTfrvC
--HG--
extra : rebase_source : 2cd025e9d40688f643a843b39512dccc2bb7c4a2
When calling UninitSpellChecker during calling UpdateDictionary, this crash
occurs. Since Thunderbird calls UninitSpellChecker by [Recheck Text] button,
this only occurs on Thunderbird.
After calling UninitSpellChecker, we should not update dictionary.
MozReview-Commit-ID: K4SPJ5FDo8n
--HG--
extra : rebase_source : d760c6472f56cef520c399e8c1f20536c3a22e36
When calling UninitSpellChecker during calling UpdateDictionary, this crash
occurs. Since Thunderbird calls UninitSpellChecker by [Recheck Text] button,
this only occurs on Thunderbird.
After calling UninitSpellChecker, we should not update dictionary.
MozReview-Commit-ID: K4SPJ5FDo8n
--HG--
extra : rebase_source : 67fa439e2a4767502ca84095754150d513a939b2
extra : amend_source : 1b065ebe275cefc02809478eb7d6d807f19dbbee
This crash test can cause crash before landing the patches for bug 1415509.
So, let's take this for regression test.
MozReview-Commit-ID: 652wi49e720
--HG--
extra : rebase_source : a7a897670220e4f14df91c4093e65aa7da7f6015
HTMLEditRules::BustUpInlinesAtRangeEndpoints() tries to split all inline nodes
at range start and range end. It uses EditorBase::SplitNodeDeep() to split
the nodes and HTMLEditRules::GetHighestInlineParent() to retrieve the highest
inline parent of them.
Currently, HTMLEditRules::GetHighestInlineParent() may return editing host or
ancestor of it if active editing host is not block. Then, it may cause
splitting editing host or its parents and following methods of HTMLEditRules
will fail to modify the nodes created outside the editing host.
So, HTMLEditRules::GetHighestInlineParent() should return only one of the
descendants of active editing host.
Unfortunately, even if just adding the test case as a crash test, I cannot
reproduce the crash with automated tests. Therefore, this patch doesn't
include any automated tests.
And this patch changes a crash test, 1402196.html, which expects that an inline
editing host is split by execCommand("insertOrderedList"). However, this patch
fixes this wrong behavior. Therefore, this patch changes the event target of
event listener from <p> inside the editing host to the editing host itself.
MozReview-Commit-ID: 8i5ci1fcrDd
--HG--
extra : rebase_source : 572a7b22550a38ca71c954f62eefa695addd53c2
1405747.html is kind of same issue. But when editing 1405747.html, the crash doesn't occur. So I keep original HTML by jsfuzzy.
MozReview-Commit-ID: 9BcUkWeBlr5
--HG--
extra : rebase_source : 1bac60293d3b4997a380cf625c6492db22f60160
extra : histedit_source : eae38e2d69e0705545acf1ef1f2d04e7977b8899
When parent node of selected node is null, crash might occur in GetCSSBackgroundColorState. So when parent is null, we should return default value. In this situation, Edge and Blink don't throw error, Gecko shouldn't return error too.
MozReview-Commit-ID: 5C6jSAFkCso
--HG--
extra : rebase_source : 0185f9fb5fde92eee5611e6bb95e8676c10b135c
When we turn on the pref security.data_uri.unique_opaque_origin to make
data URI is unique origin, the following tests will fail because now
data document is treated as cross origin, so we replace data URIs with
seperate files, hence it will still in the same origin.
Add minimal crash test for this. When removing a line, this doesn't occur.
MozReview-Commit-ID: JqS2E8q47ML
--HG--
extra : rebase_source : 322a77cbc49e29bbd6b705650485634dd4801b8b
Although this crash doesn't occur after landing bug 1369140, we should add this test to crashtest.
MozReview-Commit-ID: mRm4P876zg
--HG--
extra : rebase_source : 9a85c8ba3a5652000512d165b82df9aa2c8176e1