commit 3ddaaf254633
Author: Boris Zbarsky <bzbarsky@mit.edu>
Date:   Thu Sep 28 22:04:34 2017 -0400

    Bug 1402218 - Make sure to clone our CSSDeclaration as needed when removing properties. r=emilio, a=sledru
    
    MozReview-Commit-ID: 6LRjLU3QQok
    
    --HG--
    extra : source : 76b6ae2fc6eb389810cb2a745f976be11516eb44
    extra : amend_source : 849900fa9c4e12b62cf73175666a672ca6ab3914
---
 layout/style/DeclarationBlockInlines.h  |  9 +++++++++
 layout/style/crashtests/1402218-1.html  | 15 +++++++++++++++
 layout/style/crashtests/crashtests.list |  3 ++-
 layout/style/nsDOMCSSDeclaration.cpp    | 12 +-----------
 4 files changed, 27 insertions(+), 12 deletions(-)

diff --git layout/style/DeclarationBlockInlines.h layout/style/DeclarationBlockInlines.h
index 5438bd1957c2..c9e0d4f82e31 100644
--- layout/style/DeclarationBlockInlines.h
+++ layout/style/DeclarationBlockInlines.h
@@ -46,6 +46,15 @@ DeclarationBlock::EnsureMutable()
     AsGecko()->AssertNotExpanded();
   }
 #endif
+  if (IsServo() && !IsDirty()) {
+    // In stylo, the old DeclarationBlock is stored in element's rule node tree
+    // directly, to avoid new values replacing the DeclarationBlock in the tree
+    // directly, we need to copy the old one here if we haven't yet copied.
+    // As a result the new value does not replace rule node tree until traversal
+    // happens.
+    return Clone();
+  }
+
   if (!IsMutable()) {
     return Clone();
   }
diff --git layout/style/crashtests/1402218-1.html layout/style/crashtests/1402218-1.html
new file mode 100644
index 000000000000..597c1c4d5e53
--- /dev/null
+++ layout/style/crashtests/1402218-1.html
@@ -0,0 +1,15 @@
+<!DOCTYPE html>
+<style>
+#wrapper::first-line {}
+</style>
+<body>
+<div id="wrapper">
+  <div id="test"></div>
+</div>
+<script>
+  document.querySelector('#test').style.position = 'absolute';
+  document.body.offsetHeight;
+  document.querySelector('#wrapper').style.color = 'green';
+  document.querySelector('#test').style.position = '';
+</script>
+</body>
diff --git layout/style/crashtests/crashtests.list layout/style/crashtests/crashtests.list
index e0a7fe4a20c5..ab9b5a7a9a4e 100644
--- layout/style/crashtests/crashtests.list
+++ layout/style/crashtests/crashtests.list
@@ -202,3 +202,4 @@ load 1387481-1.html
 load 1387499.html
 load 1391577.html
 load 1398581.html
+load 1402218-1.html
diff --git layout/style/nsDOMCSSDeclaration.cpp layout/style/nsDOMCSSDeclaration.cpp
index a828f0e7b3dd..12e03c314fe9 100644
--- layout/style/nsDOMCSSDeclaration.cpp
+++ layout/style/nsDOMCSSDeclaration.cpp
@@ -305,17 +305,7 @@ nsDOMCSSDeclaration::ModifyDeclaration(GeckoFunc aGeckoFunc,
   // between when we mutate the declaration and when we set the new
   // rule (see stack in bug 209575).
   mozAutoDocConditionalContentUpdateBatch autoUpdate(DocToUpdate(), true);
-  RefPtr<DeclarationBlock> decl;
-  if (olddecl->IsServo() && !olddecl->IsDirty()) {
-    // In stylo, the old DeclarationBlock is stored in element's rule node tree
-    // directly, to avoid new values replacing the DeclarationBlock in the tree
-    // directly, we need to copy the old one here if we haven't yet copied.
-    // As a result the new value does not replace rule node tree until traversal
-    // happens.
-    decl = olddecl->Clone();
-  } else {
-    decl = olddecl->EnsureMutable();
-  }
+  RefPtr<DeclarationBlock> decl = olddecl->EnsureMutable();
 
   bool changed;
   if (decl->IsGecko()) {