Bug 1341657 - Properly deal with not having a frame element in nsDocShell::InternalLoad(); r=smaug

2025-02-27 21:00:50 +00:00 · 2017-02-24 19:30:04 -05:00 · 2017-02-24 19:30:04 -05:00 · 8f5e5aeae0
commit 8f5e5aeae0
parent 4f4a529bd2
3 changed files with 31 additions and 9 deletions
--- a/docshell/base/crashtests/1341657.html
+++ b/docshell/base/crashtests/1341657.html
@ -0,0 +1,14 @@
+<html>
+    <head>
+        <script>
+            o1 = document.createElement("script");
+            o2 = document.implementation.createDocument('', '', null);
+            o3 = document.createElement("iframe");
+            document.documentElement.appendChild(o3);
+            o4 = o3.contentWindow;
+            o5 = document.createTextNode('o2.adoptNode(o3); try { o4.location = "" } catch(e) {}');
+            o1.appendChild(o5);
+            document.documentElement.appendChild(o1);
+        </script>
+    </head>
+</html>
--- a/docshell/base/crashtests/crashtests.list
+++ b/docshell/base/crashtests/crashtests.list
@ -14,3 +14,4 @@ load 678872-1.html
 skip-if(Android) pref(dom.disable_open_during_load,false) load 914521.html
 pref(browser.send_pings,true) load 1257730-1.html
 load 1331295.html
+load 1341657.html
--- a/docshell/base/nsDocShell.cpp
+++ b/docshell/base/nsDocShell.cpp
@ -9892,9 +9892,14 @@ nsDocShell::InternalLoad(nsIURI* aURI,
  if (IsFrame() && !isTargetTopLevelDocShell) {
    nsCOMPtr<Element> requestingElement =
      mScriptGlobal->AsOuter()->GetFrameElementInternal();
-    NS_ASSERTION(requestingElement, "A frame but no DOM element!?");
+    if (requestingElement) {
      contentType = requestingElement->IsHTMLElement(nsGkAtoms::iframe) ?
        nsIContentPolicy::TYPE_INTERNAL_IFRAME : nsIContentPolicy::TYPE_INTERNAL_FRAME;
+    } else {
+      // If we have lost our frame element by now, just assume we're
+      // an iframe since that's more common.
+      contentType = nsIContentPolicy::TYPE_INTERNAL_IFRAME;
+    }
  } else {
    contentType = nsIContentPolicy::TYPE_DOCUMENT;
    isTargetTopLevelDocShell = true;
@ -9924,6 +9929,7 @@ nsDocShell::InternalLoad(nsIURI* aURI,
      requestingContext = requestingElement;

 #ifdef DEBUG
+      if (requestingElement) {
        // Get the docshell type for requestingElement.
        nsCOMPtr<nsIDocument> requestingDoc = requestingElement->OwnerDoc();
        nsCOMPtr<nsIDocShell> elementDocShell = requestingDoc->GetDocShell();
@ -9931,6 +9937,7 @@ nsDocShell::InternalLoad(nsIURI* aURI,
        // requestingElement docshell type = current docshell type.
        MOZ_ASSERT(mItemType == elementDocShell->ItemType(),
                  "subframes should have the same docshell type as their parent");
+      }
 #endif
    }