From 1b098bf39a36557b7fccbf4d32bc8fcca4da9b6e Mon Sep 17 00:00:00 2001 From: "masayuki%d-toybox.com" Date: Thu, 28 Feb 2008 15:28:40 +0000 Subject: [PATCH] Bug 418470 Go to line in View Source broken (NS_ERROR_UNEXPECTED at nsISelectionController.scrollSelectionIntoView) (retry) r+sr=roc, a1.9b4=beltzner git-svn-id: svn://10.0.0.236/trunk@246727 18797224-902f-48f8-a5cc-f745e15eee43 --- .../src/html/nsHyperTextAccessible.cpp | 4 +++- .../base/public/nsISelectionController.idl | 3 +++ .../events/src/nsEventListenerManager.cpp | 6 ++++++ .../composer/src/nsEditorSpellCheck.cpp | 2 ++ mozilla/editor/libeditor/base/nsEditor.cpp | 5 +++++ .../libeditor/html/nsHTMLDataTransfer.cpp | 9 +++++++++ .../libeditor/text/nsEditorEventListeners.cpp | 2 ++ .../text/nsPlaintextDataTransfer.cpp | 7 +++++++ .../txtsvc/src/nsTextServicesDocument.cpp | 2 ++ .../components/find/src/nsWebBrowserFind.cpp | 16 +++++++++++++++- .../spellcheck/src/mozSpellChecker.cpp | 3 +++ .../typeaheadfind/src/nsTypeAheadFind.cpp | 19 ++++++++++++++++++- mozilla/layout/base/nsPresShell.cpp | 9 ++++++++- mozilla/layout/forms/nsTextControlFrame.cpp | 4 ++++ mozilla/layout/generic/nsSelection.cpp | 4 +++- mozilla/mailnews/compose/src/nsMsgCompose.cpp | 4 +++- .../typeaheadfind/src/nsTypeAheadFind.cpp | 8 +++++++- 17 files changed, 100 insertions(+), 7 deletions(-) diff --git a/mozilla/accessible/src/html/nsHyperTextAccessible.cpp b/mozilla/accessible/src/html/nsHyperTextAccessible.cpp index f3b0c2aadbb..9fb800330f4 100644 --- a/mozilla/accessible/src/html/nsHyperTextAccessible.cpp +++ b/mozilla/accessible/src/html/nsHyperTextAccessible.cpp @@ -1480,8 +1480,10 @@ nsresult nsHyperTextAccessible::SetSelectionRange(PRInt32 aStartPos, PRInt32 aEn } if (selCon) { + // XXX I'm not sure this can do synchronous scrolling. If the last param is + // set to true, this calling might flush the pending reflow. See bug 418470. selCon->ScrollSelectionIntoView(nsISelectionController::SELECTION_NORMAL, - nsISelectionController::SELECTION_FOCUS_REGION, PR_FALSE); + nsISelectionController::SELECTION_FOCUS_REGION, PR_FALSE); } return NS_OK; diff --git a/mozilla/content/base/public/nsISelectionController.idl b/mozilla/content/base/public/nsISelectionController.idl index 0144db0e2af..4c9f4b6bec2 100644 --- a/mozilla/content/base/public/nsISelectionController.idl +++ b/mozilla/content/base/public/nsISelectionController.idl @@ -102,6 +102,9 @@ interface nsISelectionController : nsISelectionDisplay * @param aIsSynchronous when true, scrolls the selection into view * before returning. If false, posts a request which is processed * at some point after the method returns. + * + * Note that if isSynchronous is true, then this might flush the pending + * reflow. It's dangerous for some objects. See bug 418470 comment 12. */ void scrollSelectionIntoView(in short type, in short region, in boolean isSynchronous); /** diff --git a/mozilla/content/events/src/nsEventListenerManager.cpp b/mozilla/content/events/src/nsEventListenerManager.cpp index b963cbb54bf..60a27e0a5b6 100644 --- a/mozilla/content/events/src/nsEventListenerManager.cpp +++ b/mozilla/content/events/src/nsEventListenerManager.cpp @@ -1118,6 +1118,8 @@ nsEventListenerManager::HandleEvent(nsPresContext* aPresContext, } PRUint16 currentGroup = aFlags & NS_EVENT_FLAG_SYSTEM_EVENT; + // Beware! This may flush notifications via synchronous + // ScrollSelectionIntoView. if (aEvent->message == NS_CONTEXTMENU && NS_FAILED(FixContextMenuEvent(aPresContext, aCurrentTarget, aEvent, aDOMEvent))) { @@ -1380,6 +1382,8 @@ nsEventListenerManager::FixContextMenuEvent(nsPresContext* aPresContext, // see if we should use the caret position for the popup if (contextMenuKey) { nsPoint caretPoint; + // Beware! This may flush notifications via synchronous + // ScrollSelectionIntoView. if (PrepareToUseCaretPosition(((nsGUIEvent*)aEvent)->widget, shell, caretPoint)) { // caret position is good @@ -1507,6 +1511,8 @@ nsEventListenerManager::PrepareToUseCaretPosition(nsIWidget* aEventWidget, else selCon = do_QueryInterface(aShell); if (selCon) { + // After ScrollSelectionIntoView(), the pending notifications might be + // flushed and PresShell/PresContext/Frames may be dead. See bug 418470. rv = selCon->ScrollSelectionIntoView(nsISelectionController::SELECTION_NORMAL, nsISelectionController::SELECTION_FOCUS_REGION, PR_TRUE); NS_ENSURE_SUCCESS(rv, PR_FALSE); diff --git a/mozilla/editor/composer/src/nsEditorSpellCheck.cpp b/mozilla/editor/composer/src/nsEditorSpellCheck.cpp index b67bc112e2a..270aee47c39 100644 --- a/mozilla/editor/composer/src/nsEditorSpellCheck.cpp +++ b/mozilla/editor/composer/src/nsEditorSpellCheck.cpp @@ -247,6 +247,8 @@ nsEditorSpellCheck::GetNextMisspelledWord(PRUnichar **aNextMisspelledWord) nsAutoString nextMisspelledWord; DeleteSuggestedWordList(); + // Beware! This may flush notifications via synchronous + // ScrollSelectionIntoView. nsresult rv = mSpellChecker->NextMisspelledWord(nextMisspelledWord, &mSuggestedWordList); diff --git a/mozilla/editor/libeditor/base/nsEditor.cpp b/mozilla/editor/libeditor/base/nsEditor.cpp index 961690518c3..f440a5f00d0 100644 --- a/mozilla/editor/libeditor/base/nsEditor.cpp +++ b/mozilla/editor/libeditor/base/nsEditor.cpp @@ -991,6 +991,9 @@ nsEditor::EndPlaceHolderTransaction() // time to turn off the batch EndUpdateViewBatch(); // make sure selection is in view + + // After ScrollSelectionIntoView(), the pending notifications might be + // flushed and PresShell/PresContext/Frames may be dead. See bug 418470. ScrollSelectionIntoView(PR_FALSE); // cached for frame offset are Not available now @@ -2560,6 +2563,8 @@ NS_IMETHODIMP nsEditor::ScrollSelectionIntoView(PRBool aScrollToAnchor) syncScroll = !(flags & nsIPlaintextEditor::eEditorUseAsyncUpdatesMask); } + // After ScrollSelectionIntoView(), the pending notifications might be + // flushed and PresShell/PresContext/Frames may be dead. See bug 418470. selCon->ScrollSelectionIntoView(nsISelectionController::SELECTION_NORMAL, region, syncScroll); } diff --git a/mozilla/editor/libeditor/html/nsHTMLDataTransfer.cpp b/mozilla/editor/libeditor/html/nsHTMLDataTransfer.cpp index 4def0986f83..5cb082d753d 100644 --- a/mozilla/editor/libeditor/html/nsHTMLDataTransfer.cpp +++ b/mozilla/editor/libeditor/html/nsHTMLDataTransfer.cpp @@ -1439,6 +1439,9 @@ NS_IMETHODIMP nsHTMLEditor::InsertFromTransferable(nsITransferable *transferable } // Try to scroll the selection into view if the paste/drop succeeded + + // After ScrollSelectionIntoView(), the pending notifications might be + // flushed and PresShell/PresContext/Frames may be dead. See bug 418470. if (NS_SUCCEEDED(rv)) ScrollSelectionIntoView(PR_FALSE); @@ -1667,6 +1670,8 @@ NS_IMETHODIMP nsHTMLEditor::InsertFromDrop(nsIDOMEvent* aDropEvent) if (!nsEditorHookUtils::DoInsertionHook(domdoc, aDropEvent, trans)) return NS_OK; + // Beware! This may flush notifications via synchronous + // ScrollSelectionIntoView. rv = InsertFromTransferable(trans, srcdomdoc, contextStr, infoStr, newSelectionParent, newSelectionOffset, deleteSelection); @@ -1887,6 +1892,8 @@ NS_IMETHODIMP nsHTMLEditor::Paste(PRInt32 aSelectionType) if (!nsEditorHookUtils::DoInsertionHook(domdoc, nsnull, trans)) return NS_OK; + // Beware! This may flush notifications via synchronous + // ScrollSelectionIntoView. rv = InsertFromTransferable(trans, nsnull, contextStr, infoStr, nsnull, 0, PR_TRUE); } @@ -1918,6 +1925,8 @@ NS_IMETHODIMP nsHTMLEditor::PasteNoFormatting(PRInt32 aSelectionType) if (NS_SUCCEEDED(clipboard->GetData(trans, aSelectionType)) && IsModifiable()) { const nsAFlatString& empty = EmptyString(); + // Beware! This may flush notifications via synchronous + // ScrollSelectionIntoView. rv = InsertFromTransferable(trans, nsnull, empty, empty, nsnull, 0, PR_TRUE); } diff --git a/mozilla/editor/libeditor/text/nsEditorEventListeners.cpp b/mozilla/editor/libeditor/text/nsEditorEventListeners.cpp index 5c66a26efff..b6dc1866a3a 100644 --- a/mozilla/editor/libeditor/text/nsEditorEventListeners.cpp +++ b/mozilla/editor/libeditor/text/nsEditorEventListeners.cpp @@ -672,6 +672,8 @@ nsTextEditorDragListener::DragDrop(nsIDOMEvent* aMouseEvent) aMouseEvent->StopPropagation(); aMouseEvent->PreventDefault(); + // Beware! This may flush notifications via synchronous + // ScrollSelectionIntoView. return mEditor->InsertFromDrop(aMouseEvent); } diff --git a/mozilla/editor/libeditor/text/nsPlaintextDataTransfer.cpp b/mozilla/editor/libeditor/text/nsPlaintextDataTransfer.cpp index 84e189cc17e..be84feeab98 100644 --- a/mozilla/editor/libeditor/text/nsPlaintextDataTransfer.cpp +++ b/mozilla/editor/libeditor/text/nsPlaintextDataTransfer.cpp @@ -136,6 +136,9 @@ NS_IMETHODIMP nsPlaintextEditor::InsertTextFromTransferable(nsITransferable *aTr NS_Free(bestFlavor); // Try to scroll the selection into view if the paste/drop succeeded + + // After ScrollSelectionIntoView(), the pending notifications might be flushed + // and PresShell/PresContext/Frames may be dead. See bug 418470. if (NS_SUCCEEDED(rv)) ScrollSelectionIntoView(PR_FALSE); @@ -301,6 +304,8 @@ NS_IMETHODIMP nsPlaintextEditor::InsertFromDrop(nsIDOMEvent* aDropEvent) if (!nsEditorHookUtils::DoInsertionHook(destdomdoc, aDropEvent, trans)) return NS_OK; + // Beware! This may flush notifications via synchronous + // ScrollSelectionIntoView. rv = InsertTextFromTransferable(trans, newSelectionParent, newSelectionOffset, deleteSelection); } @@ -450,6 +455,8 @@ NS_IMETHODIMP nsPlaintextEditor::Paste(PRInt32 aSelectionType) if (!nsEditorHookUtils::DoInsertionHook(domdoc, nsnull, trans)) return NS_OK; + // Beware! This may flush notifications via synchronous + // ScrollSelectionIntoView. rv = InsertTextFromTransferable(trans, nsnull, nsnull, PR_TRUE); } } diff --git a/mozilla/editor/txtsvc/src/nsTextServicesDocument.cpp b/mozilla/editor/txtsvc/src/nsTextServicesDocument.cpp index b77aa94cea5..4248dc48d13 100644 --- a/mozilla/editor/txtsvc/src/nsTextServicesDocument.cpp +++ b/mozilla/editor/txtsvc/src/nsTextServicesDocument.cpp @@ -1831,6 +1831,8 @@ nsTextServicesDocument::ScrollSelectionIntoView() LOCK_DOC(this); + // After ScrollSelectionIntoView(), the pending notifications might be flushed + // and PresShell/PresContext/Frames may be dead. See bug 418470. result = mSelCon->ScrollSelectionIntoView(nsISelectionController::SELECTION_NORMAL, nsISelectionController::SELECTION_FOCUS_REGION, PR_TRUE); UNLOCK_DOC(this); diff --git a/mozilla/embedding/components/find/src/nsWebBrowserFind.cpp b/mozilla/embedding/components/find/src/nsWebBrowserFind.cpp index fcac5da0cfa..ee901f267f8 100644 --- a/mozilla/embedding/components/find/src/nsWebBrowserFind.cpp +++ b/mozilla/embedding/components/find/src/nsWebBrowserFind.cpp @@ -151,6 +151,9 @@ NS_IMETHODIMP nsWebBrowserFind::FindNext(PRBool *outDidFind) } // next, look in the current frame. If found, return. + + // Beware! This may flush notifications via synchronous + // ScrollSelectionIntoView. rv = SearchInFrame(searchFrame, PR_FALSE, outDidFind); if (NS_FAILED(rv)) return rv; if (*outDidFind) @@ -199,6 +202,8 @@ NS_IMETHODIMP nsWebBrowserFind::FindNext(PRBool *outDidFind) OnStartSearchFrame(searchFrame); + // Beware! This may flush notifications via synchronous + // ScrollSelectionIntoView. rv = SearchInFrame(searchFrame, PR_FALSE, outDidFind); if (NS_FAILED(rv)) return rv; if (*outDidFind) @@ -239,6 +244,8 @@ NS_IMETHODIMP nsWebBrowserFind::FindNext(PRBool *outDidFind) if (curItem.get() == startingItem.get()) { + // Beware! This may flush notifications via synchronous + // ScrollSelectionIntoView. rv = SearchInFrame(searchFrame, PR_TRUE, outDidFind); if (NS_FAILED(rv)) return rv; if (*outDidFind) @@ -251,6 +258,8 @@ NS_IMETHODIMP nsWebBrowserFind::FindNext(PRBool *outDidFind) OnStartSearchFrame(searchFrame); + // Beware! This may flush notifications via synchronous + // ScrollSelectionIntoView. rv = SearchInFrame(searchFrame, PR_FALSE, outDidFind); if (NS_FAILED(rv)) return rv; if (*outDidFind) @@ -472,9 +481,12 @@ void nsWebBrowserFind::SetSelectionAndScroll(nsIDOMWindow* aWindow, // Scroll if necessary to make the selection visible: // Must be the last thing to do - bug 242056 + + // After ScrollSelectionIntoView(), the pending notifications might be + // flushed and PresShell/PresContext/Frames may be dead. See bug 418470. selCon->ScrollSelectionIntoView (nsISelectionController::SELECTION_NORMAL, - nsISelectionController::SELECTION_FOCUS_REGION, PR_FALSE); + nsISelectionController::SELECTION_FOCUS_REGION, PR_TRUE); } } @@ -821,6 +833,8 @@ nsresult nsWebBrowserFind::SearchInFrame(nsIDOMWindow* aWindow, { *aDidFind = PR_TRUE; sel->RemoveAllRanges(); + // Beware! This may flush notifications via synchronous + // ScrollSelectionIntoView. SetSelectionAndScroll(aWindow, foundRange); } diff --git a/mozilla/extensions/spellcheck/src/mozSpellChecker.cpp b/mozilla/extensions/spellcheck/src/mozSpellChecker.cpp index 5f02f457aba..c4544067b40 100644 --- a/mozilla/extensions/spellcheck/src/mozSpellChecker.cpp +++ b/mozilla/extensions/spellcheck/src/mozSpellChecker.cpp @@ -112,6 +112,9 @@ mozSpellChecker::NextMisspelledWord(nsAString &aWord, nsStringArray *aSuggestion if(isMisspelled){ aWord = currWord; mTsDoc->SetSelection(begin, end-begin); + // After ScrollSelectionIntoView(), the pending notifications might + // be flushed and PresShell/PresContext/Frames may be dead. + // See bug 418470. mTsDoc->ScrollSelectionIntoView(); return NS_OK; } diff --git a/mozilla/extensions/typeaheadfind/src/nsTypeAheadFind.cpp b/mozilla/extensions/typeaheadfind/src/nsTypeAheadFind.cpp index 6408a466271..621ca6569c3 100644 --- a/mozilla/extensions/typeaheadfind/src/nsTypeAheadFind.cpp +++ b/mozilla/extensions/typeaheadfind/src/nsTypeAheadFind.cpp @@ -716,6 +716,9 @@ nsTypeAheadFind::KeyPress(nsIDOMEvent* aEvent) // 1) Chrome, 2) Typeahead, 3) [platform]HTMLBindings.xml // If chrome handles backspace, it needs to do this work // Otherwise, we handle backspace here. + + // Beware! This may flush notifications via synchronous + // ScrollSelectionIntoView. PRBool backspaceUsed; BackOneChar(&backspaceUsed); if (backspaceUsed) { @@ -744,6 +747,8 @@ nsTypeAheadFind::KeyPress(nsIDOMEvent* aEvent) // We're using this key, no one else should aEvent->PreventDefault(); + // Beware! This may flush notifications via synchronous + // ScrollSelectionIntoView. return HandleChar(charCode); } @@ -867,6 +872,8 @@ nsTypeAheadFind::BackOneChar(PRBool *aIsBackspaceUsed) // ----------- Perform the find ------------------ mIsFindingText = PR_TRUE; // so selection won't call CancelFind() + // Beware! This may flush notifications via synchronous + // ScrollSelectionIntoView. if (NS_FAILED(FindItNow(presShell, findBackwards, mLinksOnly, PR_FALSE))) { DisplayStatus(PR_FALSE, nsnull, PR_FALSE); // Display failure status } @@ -985,6 +992,8 @@ nsTypeAheadFind::HandleChar(PRUnichar aChar) // Regular find, not repeated char find // Prefer to find exact match + // Beware! This may flush notifications via synchronous + // ScrollSelectionIntoView. rv = FindItNow(nsnull, PR_FALSE, mLinksOnly, mIsFirstVisiblePreferred); } @@ -993,6 +1002,8 @@ nsTypeAheadFind::HandleChar(PRUnichar aChar) mTypeAheadBuffer.Length() > 1) { mRepeatingMode = eRepeatingChar; mDontTryExactMatch = PR_TRUE; // Repeated character find mode + // Beware! This may flush notifications via synchronous + // ScrollSelectionIntoView. rv = FindItNow(nsnull, PR_TRUE, PR_TRUE, mIsFirstVisiblePreferred); } #endif @@ -1200,6 +1211,8 @@ nsTypeAheadFind::HandleEndComposition(nsIDOMEvent* aCompositionEvent) // Handle the characters one at a time while (iter != iterEnd) { + // Beware! This may flush notifications via synchronous + // ScrollSelectionIntoView. if (NS_FAILED(HandleChar(*iter))) { // Character not found, exit loop early break; @@ -1387,10 +1400,12 @@ nsTypeAheadFind::FindItNow(nsIPresShell *aPresShell, // Select the found text and focus it mFocusedDocSelection->RemoveAllRanges(); mFocusedDocSelection->AddRange(returnRange); + // After ScrollSelectionIntoView(), the pending notifications might be + // flushed and PresShell/PresContext/Frames may be dead. See bug 418470. mFocusedDocSelCon->ScrollSelectionIntoView( nsISelectionController::SELECTION_NORMAL, nsISelectionController::SELECTION_FOCUS_REGION, - PR_FALSE); + PR_TRUE); SetSelectionLook(presShell, PR_TRUE, mRepeatingMode != eRepeatingForward && mRepeatingMode != eRepeatingReverse); @@ -1830,6 +1845,8 @@ nsTypeAheadFind::FindNext(PRBool aFindBackwards, nsISupportsInterfacePointer *aC mIsFindingText = PR_TRUE; // prevent our listeners from calling CancelFind() + // Beware! This may flush notifications via synchronous + // ScrollSelectionIntoView. if (NS_FAILED(FindItNow(nsnull, repeatingSameChar, mLinksOnly, PR_FALSE))) { DisplayStatus(PR_FALSE, nsnull, PR_FALSE); // Display failure status mRepeatingMode = eRepeatingNone; diff --git a/mozilla/layout/base/nsPresShell.cpp b/mozilla/layout/base/nsPresShell.cpp index 149ff625df5..779723060c2 100644 --- a/mozilla/layout/base/nsPresShell.cpp +++ b/mozilla/layout/base/nsPresShell.cpp @@ -2773,7 +2773,8 @@ PresShell::PageMove(PRBool aForward, PRBool aExtend) nsIView *scrolledView; result = scrollableView->GetScrolledView(scrolledView); mSelection->CommonPageMove(aForward, aExtend, scrollableView); - // do ScrollSelectionIntoView() + // After ScrollSelectionIntoView(), the pending notifications might be + // flushed and PresShell/PresContext/Frames may be dead. See bug 418470. return ScrollSelectionIntoView(nsISelectionController::SELECTION_NORMAL, nsISelectionController::SELECTION_FOCUS_REGION, PR_TRUE); } @@ -2849,6 +2850,8 @@ PresShell::CompleteScroll(PRBool aForward) NS_IMETHODIMP PresShell::CompleteMove(PRBool aForward, PRBool aExtend) { + // Beware! This may flush notifications via synchronous + // ScrollSelectionIntoView. return CompleteMoveInner(aForward, aExtend, PR_TRUE); } @@ -2886,6 +2889,8 @@ PresShell::CompleteMoveInner(PRBool aForward, PRBool aExtend, PRBool aScrollInto mSelection->SetAncestorLimiter(root); if (aScrollIntoView) { + // After ScrollSelectionIntoView(), the pending notifications might be + // flushed and PresShell/PresContext/Frames may be dead. See bug 418470. return ScrollSelectionIntoView(nsISelectionController::SELECTION_NORMAL, nsISelectionController::SELECTION_FOCUS_REGION, @@ -2930,6 +2935,8 @@ PresShell::CompleteMoveInner(PRBool aForward, PRBool aExtend, PRBool aScrollInto mSelection->HandleClick(pos.mResultContent ,pos.mContentOffset ,pos.mContentOffset/*End*/ ,aExtend, PR_FALSE, aForward); if (aScrollIntoView) { + // After ScrollSelectionIntoView(), the pending notifications might be + // flushed and PresShell/PresContext/Frames may be dead. See bug 418470. result = ScrollSelectionIntoView(nsISelectionController::SELECTION_NORMAL, nsISelectionController::SELECTION_FOCUS_REGION, PR_TRUE); if (NS_FAILED(result)) diff --git a/mozilla/layout/forms/nsTextControlFrame.cpp b/mozilla/layout/forms/nsTextControlFrame.cpp index 0820e1da0fe..fafafb139a7 100644 --- a/mozilla/layout/forms/nsTextControlFrame.cpp +++ b/mozilla/layout/forms/nsTextControlFrame.cpp @@ -670,6 +670,8 @@ NS_IMETHODIMP nsTextInputSelectionImpl::ScrollSelectionIntoView(PRInt16 aType, PRInt16 aRegion, PRBool aIsSynchronous) { if (mFrameSelection) { + // After ScrollSelectionIntoView(), the pending notifications might be + // flushed and PresShell/PresContext/Frames may be dead. See bug 418470. nsresult rv = mFrameSelection->ScrollSelectionIntoView(aType, aRegion, aIsSynchronous); nsIScrollableView* scrollableView = mFrameSelection->GetScrollableView(); @@ -859,6 +861,8 @@ nsTextInputSelectionImpl::PageMove(PRBool aForward, PRBool aExtend) if (scrollableView) mFrameSelection->CommonPageMove(aForward, aExtend, scrollableView); } + // After ScrollSelectionIntoView(), the pending notifications might be + // flushed and PresShell/PresContext/Frames may be dead. See bug 418470. return ScrollSelectionIntoView(nsISelectionController::SELECTION_NORMAL, nsISelectionController::SELECTION_FOCUS_REGION, PR_TRUE); } diff --git a/mozilla/layout/generic/nsSelection.cpp b/mozilla/layout/generic/nsSelection.cpp index 2a526d32887..5249898bd24 100644 --- a/mozilla/layout/generic/nsSelection.cpp +++ b/mozilla/layout/generic/nsSelection.cpp @@ -2558,8 +2558,10 @@ nsFrameSelection::ScrollSelectionIntoView(SelectionType aType, if (!mDomSelections[index]) return NS_ERROR_NULL_POINTER; + // After ScrollSelectionIntoView(), the pending notifications might be + // flushed and PresShell/PresContext/Frames may be dead. See bug 418470. return mDomSelections[index]->ScrollIntoView(aRegion, aIsSynchronous, - PR_FALSE); + PR_TRUE); } nsresult diff --git a/mozilla/mailnews/compose/src/nsMsgCompose.cpp b/mozilla/mailnews/compose/src/nsMsgCompose.cpp index dafcaca5fce..b93a943d782 100644 --- a/mozilla/mailnews/compose/src/nsMsgCompose.cpp +++ b/mozilla/mailnews/compose/src/nsMsgCompose.cpp @@ -2780,10 +2780,12 @@ QuotingOutputStreamListener::InsertToCompose(nsIEditor *aEditor, aEditor->GetSelectionController(getter_AddRefs(selCon)); if (selCon) + // After ScrollSelectionIntoView(), the pending notifications might be + // flushed and PresShell/PresContext/Frames may be dead. See bug 418470. selCon->ScrollSelectionIntoView( nsISelectionController::SELECTION_NORMAL, nsISelectionController::SELECTION_ANCHOR_REGION, - PR_FALSE); + PR_TRUE); } } diff --git a/mozilla/toolkit/components/typeaheadfind/src/nsTypeAheadFind.cpp b/mozilla/toolkit/components/typeaheadfind/src/nsTypeAheadFind.cpp index 7cd0622f00c..f084814ed0f 100755 --- a/mozilla/toolkit/components/typeaheadfind/src/nsTypeAheadFind.cpp +++ b/mozilla/toolkit/components/typeaheadfind/src/nsTypeAheadFind.cpp @@ -575,10 +575,12 @@ nsTypeAheadFind::FindItNow(nsIPresShell *aPresShell, PRBool aIsLinksOnly, // ATTENTION, or when we MoveFocusToCaret() and the selection is not on a // link, we'll blur, which will lose the ATTENTION. if (selectionController) { + // Beware! This may flush notifications via synchronous + // ScrollSelectionIntoView. SetSelectionModeAndRepaint(nsISelectionController::SELECTION_ATTENTION); selectionController->ScrollSelectionIntoView( nsISelectionController::SELECTION_NORMAL, - nsISelectionController::SELECTION_FOCUS_REGION, PR_FALSE); + nsISelectionController::SELECTION_FOCUS_REGION, PR_TRUE); } mCurrentWindow = window; @@ -901,6 +903,8 @@ nsTypeAheadFind::FindAgain(PRBool aFindBackwards, PRBool aLinksOnly, mLinksOnly = aLinksOnly; if (!mTypeAheadBuffer.IsEmpty()) + // Beware! This may flush notifications via synchronous + // ScrollSelectionIntoView. FindItNow(nsnull, mLinksOnly, PR_FALSE, aFindBackwards, aResult); return NS_OK; @@ -1024,6 +1028,8 @@ nsTypeAheadFind::Find(const nsAString& aSearchString, PRBool aLinksOnly, } // ----------- Find the text! --------------------- + // Beware! This may flush notifications via synchronous + // ScrollSelectionIntoView. nsresult rv = FindItNow(nsnull, mLinksOnly, isFirstVisiblePreferred, PR_FALSE, aResult);