Closed Bug 1285019 Opened 8 years ago Closed 8 years ago

AccessibleCaret holds a reference to anonymous content which might become invalid

Categories

(Core :: DOM: Selection, defect)

Product:
Core
Component:
DOM: Selection
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

()

Status:
RESOLVED INVALID
Tracking Flags:
Tracking Status
firefox50 --- affected

People

(Reporter: kats, Unassigned)

References

Details

This is a follow-up from bug 1255555; see bug 1255555 comment 19 for some backstory. While investigating that bug, I discovered that on some pages, a frame reconstruction can be triggered such that all the anonymous content elements on the document get cloned. The old anonymous content elements are no longer attached to the document, and the new ones are. It seems that the AccessibleCaret code creates anonymous content elements, attaches them to the document, and continues to hold a reference to them. If the frame reconstruction described above happens, these references become invalid in the sense that they point to elements that are no longer in the document. Using this elements for anything is effectively a no-op and can result in unexpected user behaviour. The AccessibleCaret code should be audited to make sure it can properly deal with this scenario.
Actually, AccessibleCaret is holding a reference to a AnonymousContent, not the Element [1]. When the content being cloned in [2], the AnonymousContent in the document remains intact, but the content node is being updated to the cloned one [3]. So AccessibleCaret could still use the original reference to AnonymousContent to get the new cloned content node in [3]. kats, do you think the reasoning is correct? [1] http://searchfox.org/mozilla-central/rev/a7c8e9f3cc323fd707659175a46826ad12899cd1/layout/base/AccessibleCaret.h#208 [2] http://searchfox.org/mozilla-central/rev/a7c8e9f3cc323fd707659175a46826ad12899cd1/layout/generic/nsCanvasFrame.cpp#147 [3] http://searchfox.org/mozilla-central/rev/a7c8e9f3cc323fd707659175a46826ad12899cd1/layout/generic/nsCanvasFrame.cpp#148 [4] http://searchfox.org/mozilla-central/rev/a7c8e9f3cc323fd707659175a46826ad12899cd1/layout/base/AccessibleCaret.h#136
Flags: needinfo?(bugmail)
Yes, you are correct. Sorry, I didn't think about it properly before filling this bug.
Status: NEW → RESOLVED
Closed: 8 years ago
Flags: needinfo?(bugmail)
Resolution: --- → INVALID
That's OK. It's always good to clarify a potential issue sooner than later :)
You need to log in before you can comment on or make changes to this bug.