Bug 1496673. Fix crash in custom element data memory reporting code. r=jdai

While iterating the list in CustomElementReactionsStack::InvokeReactions we can have null pointers in mReactionQueue for reactions that have already been invoked. Differential Revision: https://phabricator.services.mozilla.com/D7923 --HG-- extra : moz-landing-system : lando
2018-10-05 21:27:14 +00:00 · 2018-10-05 21:27:14 +00:00 · e6bab07f1b
--- a/dom/base/CustomElementRegistry.cpp
+++ b/dom/base/CustomElementRegistry.cpp
@ -260,7 +260,12 @@ CustomElementData::SizeOfIncludingThis(MallocSizeOf aMallocSizeOf) const
  n += mReactionQueue.ShallowSizeOfExcludingThis(aMallocSizeOf);

  for (auto& reaction : mReactionQueue) {
-    n += reaction->SizeOfIncludingThis(aMallocSizeOf);
+    // "reaction" can be null if we're being called indirectly from
+    // InvokeReactions (e.g. due to a reaction causing a memory report to be
+    // captured somehow).
+    if (reaction) {
+      n += reaction->SizeOfIncludingThis(aMallocSizeOf);
+    }
  }

  return n;