Closed Bug 1161384 Opened 9 years ago Closed 9 years ago

Do not fire content mutation event on changes to nsCanvasFrame's anonymous content


(Core :: Layout, defect)

Not set



Tracking Status
firefox40 --- affected


(Reporter: TYLin, Assigned: TYLin)



Follow-up for 1110039 comment 52.

When running "./mach crashtest layout/base/crashtests/897852.html", we have a issue that the frame tree will be destructed after constructing the first AccessibleCaret. We protected it by adding nsAutoScriptBlocker in AccessibleCaretEventHub::Init(). 

The full callstack without nsAutoScriptBlocker:

roc suggested in bug 1110039 comment 52 that we should fix in a different way --- content mutation event listeners should not fire on changes to the nsCanvasFrame's anonymous content.
Assignee: nobody → tlin
I've tried to use |aNotify = false| when calling AppendChildTo() in nsIDocument::InsertAnonymousContent() in [1] so that no mutation event will be sent when inserting anonymous content. However, the crash still happens when no nsAutoScriptBlocker is protecting AccessibleCaretEventHub::Init(). The reason is that 897852.html have a contenteditable html, and it listens DOMNodeInserted to remove a dom node. After constructing the first AccessibleCaret, nsEditor will insert some nodes to make the window editable as the callstack shown in [2]. When the script runs later, the callback in 897852.html removes a dom node, and makes the frame tree destroyed as shown in the callstack in Description.

As a result, I think we still need the nsAutoScriptBlocker to prevent any Javascript function being running to destroy the frame tree during the construction of AccessibleCaretEventHub. 

Base on comment 1, I'll keep the nsAutoScriptBlocker in AccessibleCaretEventHub::Init() and close this issue.
Closed: 9 years ago
Resolution: --- → WONTFIX
You need to log in before you can comment on or make changes to this bug.