This is a follow-up from bug 1255555; see bug 1255555 comment 19 for some backstory. While investigating that bug, I discovered that on some pages, a frame reconstruction can be triggered such that all the anonymous content elements on the document get cloned. The old anonymous content elements are no longer attached to the document, and the new ones are. It seems that the AccessibleCaret code creates anonymous content elements, attaches them to the document, and continues to hold a reference to them. If the frame reconstruction described above happens, these references become invalid in the sense that they point to elements that are no longer in the document. Using these elements for anything is effectively a no-op and can result in unexpected user behaviour. The AccessibleCaret code should be audited to make sure it can properly deal with this scenario.
Actually, AccessibleCaret is holding a reference to an AnonymousContent, not the Element [1]. When the content is being cloned in [2], the AnonymousContent in the document remains intact, but the content node is being updated to the cloned one [3]. So AccessibleCaret could still use the original reference to AnonymousContent to get the new cloned content node in [4]. kats, do you think the reasoning is correct?
[1] http://searchfox.org/mozilla-central/rev/a7c8e9f3cc323fd707659175a46826ad12899cd1/layout/base/AccessibleCaret.h#208
[2] http://searchfox.org/mozilla-central/rev/a7c8e9f3cc323fd707659175a46826ad12899cd1/layout/generic/nsCanvasFrame.cpp#147
[3] http://searchfox.org/mozilla-central/rev/a7c8e9f3cc323fd707659175a46826ad12899cd1/layout/generic/nsCanvasFrame.cpp#148
[4] http://searchfox.org/mozilla-central/rev/a7c8e9f3cc323fd707659175a46826ad12899cd1/layout/base/AccessibleCaret.h#136
Yes, you are correct. Sorry, I didn't think about it properly before filing this bug.
Status: NEW → RESOLVED
Last Resolved: 2 years ago
Resolution: --- → INVALID
That's OK. It's always good to clarify a potential issue sooner than later :)