From f9501b14d9fafe65883ca96ddea3f7c4b922237a Mon Sep 17 00:00:00 2001
From: Ting-Yu Lin <tlin@mozilla.com>
Date: Thu, 28 May 2020 22:49:24 +0000
Subject: [PATCH] Bug 1405896 - Properly destroy OverflowContainersProperty()
 in NormalizeChildLists(). r=mats

mozilla::Unused is going to be removed in bug 1628542. We can cast the
return value of `TakeProperty` into void to suppress the warning.

In bug 1641085, we can add `DestroyOverflowContainersList` (similar to
DestroyOverflowList(), and audit the caller.

Differential Revision: https://phabricator.services.mozilla.com/D76981
---
 layout/generic/crashtests/1405896.html    | 31 +++++++++++++++++++++++
 layout/generic/crashtests/crashtests.list |  1 +
 layout/generic/nsContainerFrame.cpp       |  3 ++-
 3 files changed, 34 insertions(+), 1 deletion(-)
 create mode 100644 layout/generic/crashtests/1405896.html

diff --git a/layout/generic/crashtests/1405896.html b/layout/generic/crashtests/1405896.html
new file mode 100644
index 000000000000..0d3b6ddb24ca
--- /dev/null
+++ b/layout/generic/crashtests/1405896.html
@@ -0,0 +1,31 @@
+<!-- a -->
+<style>
+* {
+  height: 0vmin;
+  display: grid
+}
+.class1 {
+  columns: 0px;
+  page-break-before: always;
+  grid-row-start: last
+}
+</style>
+<script>
+function jsfuzzer() {
+  try { htmlvar00045.replaceChild(htmlvar00013,htmlvar00045.childNodes[6]); } catch(e) { }
+}
+</script>
+<body onload=jsfuzzer()>
+<details id="htmlvar00013" class="class1"></details>
+<details class="class1" open="">
+<form>
+<h6 id="htmlvar00045">
+>
+<link>
+<content>
+<embed>
+>
+#
+K
+</content>
+<!-- a -->
diff --git a/layout/generic/crashtests/crashtests.list b/layout/generic/crashtests/crashtests.list
index 7ca90f4fe668..2ea66cb0cfcb 100644
--- a/layout/generic/crashtests/crashtests.list
+++ b/layout/generic/crashtests/crashtests.list
@@ -683,6 +683,7 @@ load 1401709.html
 load 1401807.html
 load 1404222-empty-shape.html
 load 1405443.html
+load 1405896.html
 load 1406252-1.html
 load 1415185.html
 load 1416544.html
diff --git a/layout/generic/nsContainerFrame.cpp b/layout/generic/nsContainerFrame.cpp
index ced95fd4e345..6590c7948e64 100644
--- a/layout/generic/nsContainerFrame.cpp
+++ b/layout/generic/nsContainerFrame.cpp
@@ -1668,7 +1668,8 @@ void nsContainerFrame::NormalizeChildLists() {
           f = next;
         }
         if (overflowContainers->IsEmpty()) {
-          RemoveProperty(OverflowContainersProperty());
+          (void)TakeProperty(OverflowContainersProperty());
+          overflowContainers->Delete(PresShell());
         }
         MergeSortedExcessOverflowContainers(moveToEOC);
       }