diff --git a/mozilla/accessible/src/html/nsHyperTextAccessible.cpp b/mozilla/accessible/src/html/nsHyperTextAccessible.cpp
index f3b0c2aadbb..9fb800330f4 100644
--- a/mozilla/accessible/src/html/nsHyperTextAccessible.cpp
+++ b/mozilla/accessible/src/html/nsHyperTextAccessible.cpp
@@ -1480,8 +1480,10 @@ nsresult nsHyperTextAccessible::SetSelectionRange(PRInt32 aStartPos, PRInt32 aEn
}
if (selCon) {
+ // XXX I'm not sure this can do synchronous scrolling. If the last param is
+ // set to true, this calling might flush the pending reflow. See bug 418470.
selCon->ScrollSelectionIntoView(nsISelectionController::SELECTION_NORMAL,
- nsISelectionController::SELECTION_FOCUS_REGION, PR_FALSE);
+ nsISelectionController::SELECTION_FOCUS_REGION, PR_FALSE);
}
return NS_OK;
diff --git a/mozilla/content/base/public/nsISelectionController.idl b/mozilla/content/base/public/nsISelectionController.idl
index 0144db0e2af..4c9f4b6bec2 100644
--- a/mozilla/content/base/public/nsISelectionController.idl
+++ b/mozilla/content/base/public/nsISelectionController.idl
@@ -102,6 +102,9 @@ interface nsISelectionController : nsISelectionDisplay
* @param aIsSynchronous when true, scrolls the selection into view
* before returning. If false, posts a request which is processed
* at some point after the method returns.
+ *
+ * Note that if isSynchronous is true, then this might flush the pending
+ * reflow. It's dangerous for some objects. See bug 418470 comment 12.
*/
void scrollSelectionIntoView(in short type, in short region, in boolean isSynchronous);
/**
diff --git a/mozilla/content/events/src/nsEventListenerManager.cpp b/mozilla/content/events/src/nsEventListenerManager.cpp
index b963cbb54bf..60a27e0a5b6 100644
--- a/mozilla/content/events/src/nsEventListenerManager.cpp
+++ b/mozilla/content/events/src/nsEventListenerManager.cpp
@@ -1118,6 +1118,8 @@ nsEventListenerManager::HandleEvent(nsPresContext* aPresContext,
}
PRUint16 currentGroup = aFlags & NS_EVENT_FLAG_SYSTEM_EVENT;
+ // Beware! This may flush notifications via synchronous
+ // ScrollSelectionIntoView.
if (aEvent->message == NS_CONTEXTMENU &&
NS_FAILED(FixContextMenuEvent(aPresContext, aCurrentTarget, aEvent,
aDOMEvent))) {
@@ -1380,6 +1382,8 @@ nsEventListenerManager::FixContextMenuEvent(nsPresContext* aPresContext,
// see if we should use the caret position for the popup
if (contextMenuKey) {
nsPoint caretPoint;
+ // Beware! This may flush notifications via synchronous
+ // ScrollSelectionIntoView.
if (PrepareToUseCaretPosition(((nsGUIEvent*)aEvent)->widget,
shell, caretPoint)) {
// caret position is good
@@ -1507,6 +1511,8 @@ nsEventListenerManager::PrepareToUseCaretPosition(nsIWidget* aEventWidget,
else
selCon = do_QueryInterface(aShell);
if (selCon) {
+ // After ScrollSelectionIntoView(), the pending notifications might be
+ // flushed and PresShell/PresContext/Frames may be dead. See bug 418470.
rv = selCon->ScrollSelectionIntoView(nsISelectionController::SELECTION_NORMAL,
nsISelectionController::SELECTION_FOCUS_REGION, PR_TRUE);
NS_ENSURE_SUCCESS(rv, PR_FALSE);
diff --git a/mozilla/editor/composer/src/nsEditorSpellCheck.cpp b/mozilla/editor/composer/src/nsEditorSpellCheck.cpp
index b67bc112e2a..270aee47c39 100644
--- a/mozilla/editor/composer/src/nsEditorSpellCheck.cpp
+++ b/mozilla/editor/composer/src/nsEditorSpellCheck.cpp
@@ -247,6 +247,8 @@ nsEditorSpellCheck::GetNextMisspelledWord(PRUnichar **aNextMisspelledWord)
nsAutoString nextMisspelledWord;
DeleteSuggestedWordList();
+ // Beware! This may flush notifications via synchronous
+ // ScrollSelectionIntoView.
nsresult rv = mSpellChecker->NextMisspelledWord(nextMisspelledWord,
&mSuggestedWordList);
diff --git a/mozilla/editor/libeditor/base/nsEditor.cpp b/mozilla/editor/libeditor/base/nsEditor.cpp
index 961690518c3..f440a5f00d0 100644
--- a/mozilla/editor/libeditor/base/nsEditor.cpp
+++ b/mozilla/editor/libeditor/base/nsEditor.cpp
@@ -991,6 +991,9 @@ nsEditor::EndPlaceHolderTransaction()
// time to turn off the batch
EndUpdateViewBatch();
// make sure selection is in view
+
+ // After ScrollSelectionIntoView(), the pending notifications might be
+ // flushed and PresShell/PresContext/Frames may be dead. See bug 418470.
ScrollSelectionIntoView(PR_FALSE);
// cached for frame offset are Not available now
@@ -2560,6 +2563,8 @@ NS_IMETHODIMP nsEditor::ScrollSelectionIntoView(PRBool aScrollToAnchor)
syncScroll = !(flags & nsIPlaintextEditor::eEditorUseAsyncUpdatesMask);
}
+ // After ScrollSelectionIntoView(), the pending notifications might be
+ // flushed and PresShell/PresContext/Frames may be dead. See bug 418470.
selCon->ScrollSelectionIntoView(nsISelectionController::SELECTION_NORMAL,
region, syncScroll);
}
diff --git a/mozilla/editor/libeditor/html/nsHTMLDataTransfer.cpp b/mozilla/editor/libeditor/html/nsHTMLDataTransfer.cpp
index 4def0986f83..5cb082d753d 100644
--- a/mozilla/editor/libeditor/html/nsHTMLDataTransfer.cpp
+++ b/mozilla/editor/libeditor/html/nsHTMLDataTransfer.cpp
@@ -1439,6 +1439,9 @@ NS_IMETHODIMP nsHTMLEditor::InsertFromTransferable(nsITransferable *transferable
}
// Try to scroll the selection into view if the paste/drop succeeded
+
+ // After ScrollSelectionIntoView(), the pending notifications might be
+ // flushed and PresShell/PresContext/Frames may be dead. See bug 418470.
if (NS_SUCCEEDED(rv))
ScrollSelectionIntoView(PR_FALSE);
@@ -1667,6 +1670,8 @@ NS_IMETHODIMP nsHTMLEditor::InsertFromDrop(nsIDOMEvent* aDropEvent)
if (!nsEditorHookUtils::DoInsertionHook(domdoc, aDropEvent, trans))
return NS_OK;
+ // Beware! This may flush notifications via synchronous
+ // ScrollSelectionIntoView.
rv = InsertFromTransferable(trans, srcdomdoc, contextStr, infoStr,
newSelectionParent,
newSelectionOffset, deleteSelection);
@@ -1887,6 +1892,8 @@ NS_IMETHODIMP nsHTMLEditor::Paste(PRInt32 aSelectionType)
if (!nsEditorHookUtils::DoInsertionHook(domdoc, nsnull, trans))
return NS_OK;
+ // Beware! This may flush notifications via synchronous
+ // ScrollSelectionIntoView.
rv = InsertFromTransferable(trans, nsnull, contextStr, infoStr,
nsnull, 0, PR_TRUE);
}
@@ -1918,6 +1925,8 @@ NS_IMETHODIMP nsHTMLEditor::PasteNoFormatting(PRInt32 aSelectionType)
if (NS_SUCCEEDED(clipboard->GetData(trans, aSelectionType)) && IsModifiable())
{
const nsAFlatString& empty = EmptyString();
+ // Beware! This may flush notifications via synchronous
+ // ScrollSelectionIntoView.
rv = InsertFromTransferable(trans, nsnull, empty, empty, nsnull, 0,
PR_TRUE);
}
diff --git a/mozilla/editor/libeditor/text/nsEditorEventListeners.cpp b/mozilla/editor/libeditor/text/nsEditorEventListeners.cpp
index 5c66a26efff..b6dc1866a3a 100644
--- a/mozilla/editor/libeditor/text/nsEditorEventListeners.cpp
+++ b/mozilla/editor/libeditor/text/nsEditorEventListeners.cpp
@@ -672,6 +672,8 @@ nsTextEditorDragListener::DragDrop(nsIDOMEvent* aMouseEvent)
aMouseEvent->StopPropagation();
aMouseEvent->PreventDefault();
+ // Beware! This may flush notifications via synchronous
+ // ScrollSelectionIntoView.
return mEditor->InsertFromDrop(aMouseEvent);
}
diff --git a/mozilla/editor/libeditor/text/nsPlaintextDataTransfer.cpp b/mozilla/editor/libeditor/text/nsPlaintextDataTransfer.cpp
index 84e189cc17e..be84feeab98 100644
--- a/mozilla/editor/libeditor/text/nsPlaintextDataTransfer.cpp
+++ b/mozilla/editor/libeditor/text/nsPlaintextDataTransfer.cpp
@@ -136,6 +136,9 @@ NS_IMETHODIMP nsPlaintextEditor::InsertTextFromTransferable(nsITransferable *aTr
NS_Free(bestFlavor);
// Try to scroll the selection into view if the paste/drop succeeded
+
+ // After ScrollSelectionIntoView(), the pending notifications might be flushed
+ // and PresShell/PresContext/Frames may be dead. See bug 418470.
if (NS_SUCCEEDED(rv))
ScrollSelectionIntoView(PR_FALSE);
@@ -301,6 +304,8 @@ NS_IMETHODIMP nsPlaintextEditor::InsertFromDrop(nsIDOMEvent* aDropEvent)
if (!nsEditorHookUtils::DoInsertionHook(destdomdoc, aDropEvent, trans))
return NS_OK;
+ // Beware! This may flush notifications via synchronous
+ // ScrollSelectionIntoView.
rv = InsertTextFromTransferable(trans, newSelectionParent, newSelectionOffset, deleteSelection);
}
@@ -450,6 +455,8 @@ NS_IMETHODIMP nsPlaintextEditor::Paste(PRInt32 aSelectionType)
if (!nsEditorHookUtils::DoInsertionHook(domdoc, nsnull, trans))
return NS_OK;
+ // Beware! This may flush notifications via synchronous
+ // ScrollSelectionIntoView.
rv = InsertTextFromTransferable(trans, nsnull, nsnull, PR_TRUE);
}
}
diff --git a/mozilla/editor/txtsvc/src/nsTextServicesDocument.cpp b/mozilla/editor/txtsvc/src/nsTextServicesDocument.cpp
index b77aa94cea5..4248dc48d13 100644
--- a/mozilla/editor/txtsvc/src/nsTextServicesDocument.cpp
+++ b/mozilla/editor/txtsvc/src/nsTextServicesDocument.cpp
@@ -1831,6 +1831,8 @@ nsTextServicesDocument::ScrollSelectionIntoView()
LOCK_DOC(this);
+ // After ScrollSelectionIntoView(), the pending notifications might be flushed
+ // and PresShell/PresContext/Frames may be dead. See bug 418470.
result = mSelCon->ScrollSelectionIntoView(nsISelectionController::SELECTION_NORMAL, nsISelectionController::SELECTION_FOCUS_REGION, PR_TRUE);
UNLOCK_DOC(this);
diff --git a/mozilla/embedding/components/find/src/nsWebBrowserFind.cpp b/mozilla/embedding/components/find/src/nsWebBrowserFind.cpp
index fcac5da0cfa..ee901f267f8 100644
--- a/mozilla/embedding/components/find/src/nsWebBrowserFind.cpp
+++ b/mozilla/embedding/components/find/src/nsWebBrowserFind.cpp
@@ -151,6 +151,9 @@ NS_IMETHODIMP nsWebBrowserFind::FindNext(PRBool *outDidFind)
}
// next, look in the current frame. If found, return.
+
+ // Beware! This may flush notifications via synchronous
+ // ScrollSelectionIntoView.
rv = SearchInFrame(searchFrame, PR_FALSE, outDidFind);
if (NS_FAILED(rv)) return rv;
if (*outDidFind)
@@ -199,6 +202,8 @@ NS_IMETHODIMP nsWebBrowserFind::FindNext(PRBool *outDidFind)
OnStartSearchFrame(searchFrame);
+ // Beware! This may flush notifications via synchronous
+ // ScrollSelectionIntoView.
rv = SearchInFrame(searchFrame, PR_FALSE, outDidFind);
if (NS_FAILED(rv)) return rv;
if (*outDidFind)
@@ -239,6 +244,8 @@ NS_IMETHODIMP nsWebBrowserFind::FindNext(PRBool *outDidFind)
if (curItem.get() == startingItem.get())
{
+ // Beware! This may flush notifications via synchronous
+ // ScrollSelectionIntoView.
rv = SearchInFrame(searchFrame, PR_TRUE, outDidFind);
if (NS_FAILED(rv)) return rv;
if (*outDidFind)
@@ -251,6 +258,8 @@ NS_IMETHODIMP nsWebBrowserFind::FindNext(PRBool *outDidFind)
OnStartSearchFrame(searchFrame);
+ // Beware! This may flush notifications via synchronous
+ // ScrollSelectionIntoView.
rv = SearchInFrame(searchFrame, PR_FALSE, outDidFind);
if (NS_FAILED(rv)) return rv;
if (*outDidFind)
@@ -472,9 +481,12 @@ void nsWebBrowserFind::SetSelectionAndScroll(nsIDOMWindow* aWindow,
// Scroll if necessary to make the selection visible:
// Must be the last thing to do - bug 242056
+
+ // After ScrollSelectionIntoView(), the pending notifications might be
+ // flushed and PresShell/PresContext/Frames may be dead. See bug 418470.
selCon->ScrollSelectionIntoView
(nsISelectionController::SELECTION_NORMAL,
- nsISelectionController::SELECTION_FOCUS_REGION, PR_FALSE);
+ nsISelectionController::SELECTION_FOCUS_REGION, PR_TRUE);
}
}
@@ -821,6 +833,8 @@ nsresult nsWebBrowserFind::SearchInFrame(nsIDOMWindow* aWindow,
{
*aDidFind = PR_TRUE;
sel->RemoveAllRanges();
+ // Beware! This may flush notifications via synchronous
+ // ScrollSelectionIntoView.
SetSelectionAndScroll(aWindow, foundRange);
}
diff --git a/mozilla/extensions/spellcheck/src/mozSpellChecker.cpp b/mozilla/extensions/spellcheck/src/mozSpellChecker.cpp
index 5f02f457aba..c4544067b40 100644
--- a/mozilla/extensions/spellcheck/src/mozSpellChecker.cpp
+++ b/mozilla/extensions/spellcheck/src/mozSpellChecker.cpp
@@ -112,6 +112,9 @@ mozSpellChecker::NextMisspelledWord(nsAString &aWord, nsStringArray *aSuggestion
if(isMisspelled){
aWord = currWord;
mTsDoc->SetSelection(begin, end-begin);
+ // After ScrollSelectionIntoView(), the pending notifications might
+ // be flushed and PresShell/PresContext/Frames may be dead.
+ // See bug 418470.
mTsDoc->ScrollSelectionIntoView();
return NS_OK;
}
diff --git a/mozilla/extensions/typeaheadfind/src/nsTypeAheadFind.cpp b/mozilla/extensions/typeaheadfind/src/nsTypeAheadFind.cpp
index 6408a466271..621ca6569c3 100644
--- a/mozilla/extensions/typeaheadfind/src/nsTypeAheadFind.cpp
+++ b/mozilla/extensions/typeaheadfind/src/nsTypeAheadFind.cpp
@@ -716,6 +716,9 @@ nsTypeAheadFind::KeyPress(nsIDOMEvent* aEvent)
// 1) Chrome, 2) Typeahead, 3) [platform]HTMLBindings.xml
// If chrome handles backspace, it needs to do this work
// Otherwise, we handle backspace here.
+
+ // Beware! This may flush notifications via synchronous
+ // ScrollSelectionIntoView.
PRBool backspaceUsed;
BackOneChar(&backspaceUsed);
if (backspaceUsed) {
@@ -744,6 +747,8 @@ nsTypeAheadFind::KeyPress(nsIDOMEvent* aEvent)
// We're using this key, no one else should
aEvent->PreventDefault();
+ // Beware! This may flush notifications via synchronous
+ // ScrollSelectionIntoView.
return HandleChar(charCode);
}
@@ -867,6 +872,8 @@ nsTypeAheadFind::BackOneChar(PRBool *aIsBackspaceUsed)
// ----------- Perform the find ------------------
mIsFindingText = PR_TRUE; // so selection won't call CancelFind()
+ // Beware! This may flush notifications via synchronous
+ // ScrollSelectionIntoView.
if (NS_FAILED(FindItNow(presShell, findBackwards, mLinksOnly, PR_FALSE))) {
DisplayStatus(PR_FALSE, nsnull, PR_FALSE); // Display failure status
}
@@ -985,6 +992,8 @@ nsTypeAheadFind::HandleChar(PRUnichar aChar)
// Regular find, not repeated char find
// Prefer to find exact match
+ // Beware! This may flush notifications via synchronous
+ // ScrollSelectionIntoView.
rv = FindItNow(nsnull, PR_FALSE, mLinksOnly, mIsFirstVisiblePreferred);
}
@@ -993,6 +1002,8 @@ nsTypeAheadFind::HandleChar(PRUnichar aChar)
mTypeAheadBuffer.Length() > 1) {
mRepeatingMode = eRepeatingChar;
mDontTryExactMatch = PR_TRUE; // Repeated character find mode
+ // Beware! This may flush notifications via synchronous
+ // ScrollSelectionIntoView.
rv = FindItNow(nsnull, PR_TRUE, PR_TRUE, mIsFirstVisiblePreferred);
}
#endif
@@ -1200,6 +1211,8 @@ nsTypeAheadFind::HandleEndComposition(nsIDOMEvent* aCompositionEvent)
// Handle the characters one at a time
while (iter != iterEnd) {
+ // Beware! This may flush notifications via synchronous
+ // ScrollSelectionIntoView.
if (NS_FAILED(HandleChar(*iter))) {
// Character not found, exit loop early
break;
@@ -1387,10 +1400,12 @@ nsTypeAheadFind::FindItNow(nsIPresShell *aPresShell,
// Select the found text and focus it
mFocusedDocSelection->RemoveAllRanges();
mFocusedDocSelection->AddRange(returnRange);
+ // After ScrollSelectionIntoView(), the pending notifications might be
+ // flushed and PresShell/PresContext/Frames may be dead. See bug 418470.
mFocusedDocSelCon->ScrollSelectionIntoView(
nsISelectionController::SELECTION_NORMAL,
nsISelectionController::SELECTION_FOCUS_REGION,
- PR_FALSE);
+ PR_TRUE);
SetSelectionLook(presShell, PR_TRUE, mRepeatingMode != eRepeatingForward
&& mRepeatingMode != eRepeatingReverse);
@@ -1830,6 +1845,8 @@ nsTypeAheadFind::FindNext(PRBool aFindBackwards, nsISupportsInterfacePointer *aC
mIsFindingText = PR_TRUE; // prevent our listeners from calling CancelFind()
+ // Beware! This may flush notifications via synchronous
+ // ScrollSelectionIntoView.
if (NS_FAILED(FindItNow(nsnull, repeatingSameChar, mLinksOnly, PR_FALSE))) {
DisplayStatus(PR_FALSE, nsnull, PR_FALSE); // Display failure status
mRepeatingMode = eRepeatingNone;
diff --git a/mozilla/layout/base/nsPresShell.cpp b/mozilla/layout/base/nsPresShell.cpp
index 149ff625df5..779723060c2 100644
--- a/mozilla/layout/base/nsPresShell.cpp
+++ b/mozilla/layout/base/nsPresShell.cpp
@@ -2773,7 +2773,8 @@ PresShell::PageMove(PRBool aForward, PRBool aExtend)
nsIView *scrolledView;
result = scrollableView->GetScrolledView(scrolledView);
mSelection->CommonPageMove(aForward, aExtend, scrollableView);
- // do ScrollSelectionIntoView()
+ // After ScrollSelectionIntoView(), the pending notifications might be
+ // flushed and PresShell/PresContext/Frames may be dead. See bug 418470.
return ScrollSelectionIntoView(nsISelectionController::SELECTION_NORMAL, nsISelectionController::SELECTION_FOCUS_REGION, PR_TRUE);
}
@@ -2849,6 +2850,8 @@ PresShell::CompleteScroll(PRBool aForward)
NS_IMETHODIMP
PresShell::CompleteMove(PRBool aForward, PRBool aExtend)
{
+ // Beware! This may flush notifications via synchronous
+ // ScrollSelectionIntoView.
return CompleteMoveInner(aForward, aExtend, PR_TRUE);
}
@@ -2886,6 +2889,8 @@ PresShell::CompleteMoveInner(PRBool aForward, PRBool aExtend, PRBool aScrollInto
mSelection->SetAncestorLimiter(root);
if (aScrollIntoView) {
+ // After ScrollSelectionIntoView(), the pending notifications might be
+ // flushed and PresShell/PresContext/Frames may be dead. See bug 418470.
return
ScrollSelectionIntoView(nsISelectionController::SELECTION_NORMAL,
nsISelectionController::SELECTION_FOCUS_REGION,
@@ -2930,6 +2935,8 @@ PresShell::CompleteMoveInner(PRBool aForward, PRBool aExtend, PRBool aScrollInto
mSelection->HandleClick(pos.mResultContent ,pos.mContentOffset ,pos.mContentOffset/*End*/ ,aExtend, PR_FALSE, aForward);
if (aScrollIntoView) {
+ // After ScrollSelectionIntoView(), the pending notifications might be
+ // flushed and PresShell/PresContext/Frames may be dead. See bug 418470.
result = ScrollSelectionIntoView(nsISelectionController::SELECTION_NORMAL,
nsISelectionController::SELECTION_FOCUS_REGION, PR_TRUE);
if (NS_FAILED(result))
diff --git a/mozilla/layout/forms/nsTextControlFrame.cpp b/mozilla/layout/forms/nsTextControlFrame.cpp
index 0820e1da0fe..fafafb139a7 100644
--- a/mozilla/layout/forms/nsTextControlFrame.cpp
+++ b/mozilla/layout/forms/nsTextControlFrame.cpp
@@ -670,6 +670,8 @@ NS_IMETHODIMP
nsTextInputSelectionImpl::ScrollSelectionIntoView(PRInt16 aType, PRInt16 aRegion, PRBool aIsSynchronous)
{
if (mFrameSelection) {
+ // After ScrollSelectionIntoView(), the pending notifications might be
+ // flushed and PresShell/PresContext/Frames may be dead. See bug 418470.
nsresult rv = mFrameSelection->ScrollSelectionIntoView(aType, aRegion, aIsSynchronous);
nsIScrollableView* scrollableView = mFrameSelection->GetScrollableView();
@@ -859,6 +861,8 @@ nsTextInputSelectionImpl::PageMove(PRBool aForward, PRBool aExtend)
if (scrollableView)
mFrameSelection->CommonPageMove(aForward, aExtend, scrollableView);
}
+ // After ScrollSelectionIntoView(), the pending notifications might be
+ // flushed and PresShell/PresContext/Frames may be dead. See bug 418470.
return ScrollSelectionIntoView(nsISelectionController::SELECTION_NORMAL, nsISelectionController::SELECTION_FOCUS_REGION, PR_TRUE);
}
diff --git a/mozilla/layout/generic/nsSelection.cpp b/mozilla/layout/generic/nsSelection.cpp
index 2a526d32887..5249898bd24 100644
--- a/mozilla/layout/generic/nsSelection.cpp
+++ b/mozilla/layout/generic/nsSelection.cpp
@@ -2558,8 +2558,10 @@ nsFrameSelection::ScrollSelectionIntoView(SelectionType aType,
if (!mDomSelections[index])
return NS_ERROR_NULL_POINTER;
+ // After ScrollSelectionIntoView(), the pending notifications might be
+ // flushed and PresShell/PresContext/Frames may be dead. See bug 418470.
return mDomSelections[index]->ScrollIntoView(aRegion, aIsSynchronous,
- PR_FALSE);
+ PR_TRUE);
}
nsresult
diff --git a/mozilla/mailnews/compose/src/nsMsgCompose.cpp b/mozilla/mailnews/compose/src/nsMsgCompose.cpp
index dafcaca5fce..b93a943d782 100644
--- a/mozilla/mailnews/compose/src/nsMsgCompose.cpp
+++ b/mozilla/mailnews/compose/src/nsMsgCompose.cpp
@@ -2780,10 +2780,12 @@ QuotingOutputStreamListener::InsertToCompose(nsIEditor *aEditor,
aEditor->GetSelectionController(getter_AddRefs(selCon));
if (selCon)
+ // After ScrollSelectionIntoView(), the pending notifications might be
+ // flushed and PresShell/PresContext/Frames may be dead. See bug 418470.
selCon->ScrollSelectionIntoView(
nsISelectionController::SELECTION_NORMAL,
nsISelectionController::SELECTION_ANCHOR_REGION,
- PR_FALSE);
+ PR_TRUE);
}
}
diff --git a/mozilla/toolkit/components/typeaheadfind/src/nsTypeAheadFind.cpp b/mozilla/toolkit/components/typeaheadfind/src/nsTypeAheadFind.cpp
index 7cd0622f00c..f084814ed0f 100755
--- a/mozilla/toolkit/components/typeaheadfind/src/nsTypeAheadFind.cpp
+++ b/mozilla/toolkit/components/typeaheadfind/src/nsTypeAheadFind.cpp
@@ -575,10 +575,12 @@ nsTypeAheadFind::FindItNow(nsIPresShell *aPresShell, PRBool aIsLinksOnly,
// ATTENTION, or when we MoveFocusToCaret() and the selection is not on a
// link, we'll blur, which will lose the ATTENTION.
if (selectionController) {
+ // Beware! This may flush notifications via synchronous
+ // ScrollSelectionIntoView.
SetSelectionModeAndRepaint(nsISelectionController::SELECTION_ATTENTION);
selectionController->ScrollSelectionIntoView(
nsISelectionController::SELECTION_NORMAL,
- nsISelectionController::SELECTION_FOCUS_REGION, PR_FALSE);
+ nsISelectionController::SELECTION_FOCUS_REGION, PR_TRUE);
}
mCurrentWindow = window;
@@ -901,6 +903,8 @@ nsTypeAheadFind::FindAgain(PRBool aFindBackwards, PRBool aLinksOnly,
mLinksOnly = aLinksOnly;
if (!mTypeAheadBuffer.IsEmpty())
+ // Beware! This may flush notifications via synchronous
+ // ScrollSelectionIntoView.
FindItNow(nsnull, mLinksOnly, PR_FALSE, aFindBackwards, aResult);
return NS_OK;
@@ -1024,6 +1028,8 @@ nsTypeAheadFind::Find(const nsAString& aSearchString, PRBool aLinksOnly,
}
// ----------- Find the text! ---------------------
+ // Beware! This may flush notifications via synchronous
+ // ScrollSelectionIntoView.
nsresult rv = FindItNow(nsnull, mLinksOnly, isFirstVisiblePreferred,
PR_FALSE, aResult);