1161384 - Do not fire content mutation event on changes to nsCanvasFrame's anonymous content

Status: RESOLVED WONTFIX

(Core :: Layout, defect)

Description

[Ting-Yu Lin [:TYLin] (PDT, UTC-7)]

Follow-up for 1110039 comment 52.

When running "./mach crashtest layout/base/crashtests/897852.html", we have a issue that the frame tree will be destructed after constructing the first AccessibleCaret. We protected it by adding nsAutoScriptBlocker in AccessibleCaretEventHub::Init(). 

The full callstack without nsAutoScriptBlocker: https://pastebin.mozilla.org/8832301

roc suggested in bug 1110039 comment 52 that we should fix in a different way --- content mutation event listeners should not fire on changes to the nsCanvasFrame's anonymous content.

Comment 1

[Ting-Yu Lin [:TYLin] (PDT, UTC-7)]

I've tried to use |aNotify = false| when calling AppendChildTo() in nsIDocument::InsertAnonymousContent() in [1] so that no mutation event will be sent when inserting anonymous content. However, the crash still happens when no nsAutoScriptBlocker is protecting AccessibleCaretEventHub::Init(). The reason is that 897852.html have a contenteditable html, and it listens DOMNodeInserted to remove a dom node. After constructing the first AccessibleCaret, nsEditor will insert some nodes to make the window editable as the callstack shown in [2]. When the script runs later, the callback in 897852.html removes a dom node, and makes the frame tree destroyed as shown in the callstack in Description.

As a result, I think we still need the nsAutoScriptBlocker to prevent any Javascript function being running to destroy the frame tree during the construction of AccessibleCaretEventHub. 

[1] https://hg.mozilla.org/mozilla-central/file/ff2e07228041/dom/base/nsDocument.cpp#l5331
[2] https://pastebin.mozilla.org/8834807

Comment 2

[Ting-Yu Lin [:TYLin] (PDT, UTC-7)]

Base on comment 1, I'll keep the nsAutoScriptBlocker in AccessibleCaretEventHub::Init() and close this issue.