From 8f5e5aeae070eb8564d059fcd579184dd9276be9 Mon Sep 17 00:00:00 2001
From: Ehsan Akhgari <ehsan@mozilla.com>
Date: Fri, 24 Feb 2017 19:30:04 -0500
Subject: [PATCH] Bug 1341657 - Properly deal with not having a frame element
 in nsDocShell::InternalLoad(); r=smaug

---
 docshell/base/crashtests/1341657.html    | 14 +++++++++++++
 docshell/base/crashtests/crashtests.list |  1 +
 docshell/base/nsDocShell.cpp             | 25 +++++++++++++++---------
 3 files changed, 31 insertions(+), 9 deletions(-)
 create mode 100644 docshell/base/crashtests/1341657.html

diff --git a/docshell/base/crashtests/1341657.html b/docshell/base/crashtests/1341657.html
new file mode 100644
index 000000000000..852b8cc80dbc
--- /dev/null
+++ b/docshell/base/crashtests/1341657.html
@@ -0,0 +1,14 @@
+<html>
+    <head>
+        <script>
+            o1 = document.createElement("script");
+            o2 = document.implementation.createDocument('', '', null);
+            o3 = document.createElement("iframe");
+            document.documentElement.appendChild(o3);
+            o4 = o3.contentWindow;
+            o5 = document.createTextNode('o2.adoptNode(o3); try { o4.location = "" } catch(e) {}');
+            o1.appendChild(o5);
+            document.documentElement.appendChild(o1);
+        </script>
+    </head>
+</html>
\ No newline at end of file
diff --git a/docshell/base/crashtests/crashtests.list b/docshell/base/crashtests/crashtests.list
index 8169fc676c83..b5926649c5d8 100644
--- a/docshell/base/crashtests/crashtests.list
+++ b/docshell/base/crashtests/crashtests.list
@@ -14,3 +14,4 @@ load 678872-1.html
 skip-if(Android) pref(dom.disable_open_during_load,false) load 914521.html
 pref(browser.send_pings,true) load 1257730-1.html
 load 1331295.html
+load 1341657.html
diff --git a/docshell/base/nsDocShell.cpp b/docshell/base/nsDocShell.cpp
index 135d314015b1..89383deeecd3 100644
--- a/docshell/base/nsDocShell.cpp
+++ b/docshell/base/nsDocShell.cpp
@@ -9892,9 +9892,14 @@ nsDocShell::InternalLoad(nsIURI* aURI,
   if (IsFrame() && !isTargetTopLevelDocShell) {
     nsCOMPtr<Element> requestingElement =
       mScriptGlobal->AsOuter()->GetFrameElementInternal();
-    NS_ASSERTION(requestingElement, "A frame but no DOM element!?");
-    contentType = requestingElement->IsHTMLElement(nsGkAtoms::iframe) ?
-      nsIContentPolicy::TYPE_INTERNAL_IFRAME : nsIContentPolicy::TYPE_INTERNAL_FRAME;
+    if (requestingElement) {
+      contentType = requestingElement->IsHTMLElement(nsGkAtoms::iframe) ?
+        nsIContentPolicy::TYPE_INTERNAL_IFRAME : nsIContentPolicy::TYPE_INTERNAL_FRAME;
+    } else {
+      // If we have lost our frame element by now, just assume we're
+      // an iframe since that's more common.
+      contentType = nsIContentPolicy::TYPE_INTERNAL_IFRAME;
+    }
   } else {
     contentType = nsIContentPolicy::TYPE_DOCUMENT;
     isTargetTopLevelDocShell = true;
@@ -9924,13 +9929,15 @@ nsDocShell::InternalLoad(nsIURI* aURI,
       requestingContext = requestingElement;
 
 #ifdef DEBUG
-      // Get the docshell type for requestingElement.
-      nsCOMPtr<nsIDocument> requestingDoc = requestingElement->OwnerDoc();
-      nsCOMPtr<nsIDocShell> elementDocShell = requestingDoc->GetDocShell();
+      if (requestingElement) {
+        // Get the docshell type for requestingElement.
+        nsCOMPtr<nsIDocument> requestingDoc = requestingElement->OwnerDoc();
+        nsCOMPtr<nsIDocShell> elementDocShell = requestingDoc->GetDocShell();
 
-      // requestingElement docshell type = current docshell type.
-      MOZ_ASSERT(mItemType == elementDocShell->ItemType(),
-                "subframes should have the same docshell type as their parent");
+        // requestingElement docshell type = current docshell type.
+        MOZ_ASSERT(mItemType == elementDocShell->ItemType(),
+                  "subframes should have the same docshell type as their parent");
+      }
 #endif
     }