Open Bug 1943225 Opened 22 days ago Updated 9 days ago

Fix inconsistent checks between `RangeUtils::ComputeRootNode()` and `nsFrameSelection::NodeIsInLimiters()`

Categories

(Core :: DOM: Selection, defect)

People

(Reporter: masayuki, Unassigned)

References

(Blocks 1 open bug)

Details

RangeUtils::ComputeRootNode() returns the GetClosestNativeAnonymousSubtreeRootParentOrHost() result if the given node is in a native anonymous subtree.

However, nsFrameSelection::NodeIsInLimiters() returns true when there is no limiter (i.e., for document) but the given node is in a native anonymous subtree.

Therefore, nsFrameSelection allows crossing a native anonymous subtree boundary when extending a selection range. Then, this assertion in nsRange::AssertIfMismatchRootAndRangeBoundaries() must fail only in debug builds.

Finally, nsRange::DoSetRange() adds itself as a mutation observer to one of the roots. So, if the root is a parent of a native anonymous subtree, the other range boundary may not be tracked by the mutation observer. So, an invalid nsRange may appear after some mutations.

However, as far as I've tested with the native anonymous subtree of <details>, the selection is reset to inside or outside of the native anonymous subtree. Therefore, I've not found an actual case in which this mismatch causes crashes.
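
The mismatch described in the report, reduced to a toy model. This is an added example, not Gecko code: `Node`, `ModelComputeRoot`, `ModelNodeIsInLimiters` and `BoundariesShareRoot` are hypothetical stand-ins that follow only the behaviour stated above, and the tree is constructed for illustration.

```cpp
#include <cstdio>

// Simplified stand-in for a DOM node (assumption; not Gecko's nsINode).
struct Node {
  Node* parent = nullptr;
  bool isNativeAnonymousRoot = false;  // root of a native anonymous subtree
};

// Closest inclusive ancestor that is a native anonymous subtree root, or null.
const Node* ClosestAnonymousRoot(const Node* node) {
  for (; node; node = node->parent) if (node->isNativeAnonymousRoot) return node;
  return nullptr;
}

// Root as the report describes it: for a node inside a native anonymous
// subtree, the parent of that subtree's root; otherwise the topmost ancestor.
const Node* ModelComputeRoot(const Node* node) {
  if (const Node* anon = ClosestAnonymousRoot(node)) return anon->parent;
  while (node->parent) node = node->parent;
  return node;
}

// Limiter check as the report describes it: with no limiter, every node
// passes, including nodes inside a native anonymous subtree.
bool ModelNodeIsInLimiters(const Node* limiter, const Node* node) {
  if (!limiter) return true;
  for (; node; node = node->parent) if (node == limiter) return true;
  return false;
}

// What the debug assertion guards: both boundaries resolve to the same root.
bool BoundariesShareRoot(const Node* start, const Node* end) {
  return ModelComputeRoot(start) == ModelComputeRoot(end);
}

// Constructed tree: document > p, document > details > (anonymous) content.
// True when the limiter check accepts the node although the roots differ.
bool DemoLimiterPassesButRootsDiffer() {
  Node document, p, details, content;
  p.parent = &document;
  details.parent = &document;
  content.parent = &details;
  content.isNativeAnonymousRoot = true;
  return ModelNodeIsInLimiters(nullptr, &content) &&
         !BoundariesShareRoot(&p, &content);
}

int main() { std::printf("%d\n", DemoLimiterPassesButRootsDiffer()); return 0; }
```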
