Closed
Bug 1381710
Opened 7 years ago
Closed 7 years ago
Pass editing/run/backcolor.html on web-platform-tests when enabling lazy frame construction for editable content
Categories
(Core :: DOM: Selection, defect)
Core
DOM: Selection
Tracking
()
RESOLVED
FIXED
mozilla57
| Tracking | Status | |
|---|---|---|
| firefox57 | --- | fixed |
People
(Reporter: m_kato, Assigned: m_kato)
References
Details
Attachments
(1 file)
Split from bug 1348073. When enabling lazy frame construction for editable content, editing/run/backcolor.html is always failed due to NS_ERROR_FAILURE.
Because nsFrameSelection depends on frame when selecting table. But frame isn't constructed at this time.
|
||
Updated•7 years ago
|
Summary: Pass editing/run/backcolor.html on web-platform-tests when enabling lazy frame construction → Pass editing/run/backcolor.html on web-platform-tests when enabling lazy frame construction for editable content
|
Assignee | |
Comment 1•7 years ago
|
||
| Comment hidden (mozreview-request) |
|
|
Assignee | |
Updated•7 years ago
|
Attachment #8887368 -
Flags: review?(tnikkel)
|
|
||
Comment 3•7 years ago
|
||
| mozreview-review | ||
Comment on attachment 8887368 [details]
Bug 1381710 - Selection.addRange will be failure with dynamic table insertion.
https://reviewboard.mozilla.org/r/158216/#review165022
Did you check that all places that call this are safe to expect a flush in this functio can destroy anything?
|
|
Assignee | |
Comment 4•7 years ago
|
||
(In reply to Timothy Nikkel (:tnikkel) from comment #3)
> Comment on attachment 8887368 [details]
> Bug 1381710 - Selection.addRange will be failed with dynamic table insertion.
>
> https://reviewboard.mozilla.org/r/158216/#review165022
>
> Did you check that all places that call this are safe to expect a flush in
> this functio can destroy anything?
GetCellLayout will call from (via HandleTableSelection or UnselectCells)
- nsFrameSelection::TakeFocus for table
- nsFrame::HandlePress for table
- nsFrame::HandleDrag for table
- a11y via nsFrameSelection::RemoveCellsFromSelection and nsFrameSelection::RestrictCellsToSelection
If we should fix Selection.addRange case only like this, we should only add calling FlushPendingNotification in Selection::GetTableCellLocationFromRange. It will be enough to fix this by adding FlushPendingNotification on GetTableCellLocationFromRange. How do you think?
|
|
||
Comment 5•7 years ago
|
||
(In reply to Makoto Kato [:m_kato] from comment #4)
> (In reply to Timothy Nikkel (:tnikkel) from comment #3)
> > Comment on attachment 8887368 [details]
> > Bug 1381710 - Selection.addRange will be failed with dynamic table insertion.
> >
> > https://reviewboard.mozilla.org/r/158216/#review165022
> >
> > Did you check that all places that call this are safe to expect a flush in
> > this functio can destroy anything?
>
> GetCellLayout will call from (via HandleTableSelection or UnselectCells)
> - nsFrameSelection::TakeFocus for table
> - nsFrame::HandlePress for table
> - nsFrame::HandleDrag for table
> - a11y via nsFrameSelection::RemoveCellsFromSelection and
> nsFrameSelection::RestrictCellsToSelection
>
> If we should fix Selection.addRange case only like this, we should only add
> calling FlushPendingNotification in
> Selection::GetTableCellLocationFromRange. It will be enough to fix this by
> adding FlushPendingNotification on GetTableCellLocationFromRange. How do
> you think?
I don't really know this code well enough to say what is better, I just want to make sure we're not adding potential UAF.
|
|
Assignee | |
Comment 6•7 years ago
|
||
(In reply to Timothy Nikkel (:tnikkel) from comment #5)
> I don't really know this code well enough to say what is better, I just want
> to make sure we're not adding potential UAF.
OK, current fix is impacted for all table selection, so I will change this for AddRange only.
|
|
Assignee | |
Updated•7 years ago
|
Attachment #8887368 -
Flags: review?(tnikkel)
| Comment hidden (mozreview-request) |
|
|
Assignee | |
Comment 8•7 years ago
|
||
(In reply to Timothy Nikkel (:tnikkel) from comment #5)
> I don't really know this code well enough to say what is better, I just want
> to make sure we're not adding potential UAF.
Timothy, since mats is in vacation, who is better reviewer for this? This bug depends on qf:1.
|
|
||
Comment 9•7 years ago
|
||
| mozreview-review | ||
Comment on attachment 8887368 [details]
Bug 1381710 - Selection.addRange will be failure with dynamic table insertion.
https://reviewboard.mozilla.org/r/158216/#review170202
::: dom/base/Selection.cpp:662
(Diff revision 2)
> + if (presShell) {
> + presShell->FlushPendingNotifications(FlushType::Frames);
> + }
> +
> //Note: This is a non-ref-counted pointer to the frame
> nsITableCellLayout *cellLayout = mFrameSelection->GetCellLayout(child);
We don't hold a ref to |child| so it could be dead after we flush.
|mFrameSelection| could be null after we've flushed.
|this| could go away after we've flushed.
Selection::AddTableCellRange calls this function and it also doesn't seem to be prepared to handle flushing (ie |this| or |mFrameSelection| going away).
| Comment hidden (mozreview-request) |
|
|
||
Comment 11•7 years ago
|
||
| mozreview-review | ||
Comment on attachment 8887368 [details]
Bug 1381710 - Selection.addRange will be failure with dynamic table insertion.
https://reviewboard.mozilla.org/r/158216/#review172058
Attachment #8887368 -
Flags: review?(tnikkel) → review+
|
||
Comment 12•7 years ago
|
||
Pushed by m_kato@ga2.so-net.ne.jp:
https://hg.mozilla.org/integration/autoland/rev/4751560ba211
Selection.addRange will be failure with dynamic table insertion. r=tnikkel
|
||
Comment 13•7 years ago
|
||
| bugherder | ||
Status: NEW → RESOLVED
Closed: 7 years ago
status-firefox57:
--- → fixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla57
You need to log in
before you can comment on or make changes to this bug.
Description
•