From 921890154c82d1560329764df3f45fc03a01e62a Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Emilio=20Cobos=20=C3=81lvarez?= <emilio@crisal.io>
Date: Wed, 4 Mar 2020 21:11:43 +0000
Subject: [PATCH] Bug 1619858 - Use an intersection observer per document for
 lazyload. r=hiro

We can't observe when the sub-document gets detached from the root document to
drop the observation, so this is the sound thing to do.

Differential Revision: https://phabricator.services.mozilla.com/D65362

--HG--
extra : moz-landing-system : lando
---
 dom/base/Document.cpp                         | 17 +++++-------
 ...-loading-lazy-subframe-detached-crash.html | 26 +++++++++++++++++++
 2 files changed, 32 insertions(+), 11 deletions(-)
 create mode 100644 testing/web-platform/tests/html/semantics/embedded-content/the-img-element/image-loading-lazy-subframe-detached-crash.html

diff --git a/dom/base/Document.cpp b/dom/base/Document.cpp
index 2a71d9662eb2..021ddcc9cc5c 100644
--- a/dom/base/Document.cpp
+++ b/dom/base/Document.cpp
@@ -14688,19 +14688,14 @@ void Document::NotifyIntersectionObservers() {
 }
 
 DOMIntersectionObserver* Document::GetLazyLoadImageObserver() {
-  Document* rootDoc = nsContentUtils::GetRootDocument(this);
-  MOZ_ASSERT(rootDoc);
-
-  if (rootDoc->mLazyLoadImageObserver) {
-    return rootDoc->mLazyLoadImageObserver;
+  if (!mLazyLoadImageObserver) {
+    if (nsPIDOMWindowInner* inner = GetInnerWindow()) {
+      mLazyLoadImageObserver =
+          DOMIntersectionObserver::CreateLazyLoadObserver(inner);
+    }
   }
 
-  if (nsPIDOMWindowInner* inner = rootDoc->GetInnerWindow()) {
-    rootDoc->mLazyLoadImageObserver =
-        DOMIntersectionObserver::CreateLazyLoadObserver(inner);
-  }
-
-  return rootDoc->mLazyLoadImageObserver;
+  return mLazyLoadImageObserver;
 }
 
 static CallState NotifyLayerManagerRecreatedCallback(Document& aDocument,
diff --git a/testing/web-platform/tests/html/semantics/embedded-content/the-img-element/image-loading-lazy-subframe-detached-crash.html b/testing/web-platform/tests/html/semantics/embedded-content/the-img-element/image-loading-lazy-subframe-detached-crash.html
new file mode 100644
index 000000000000..86a290d50db1
--- /dev/null
+++ b/testing/web-platform/tests/html/semantics/embedded-content/the-img-element/image-loading-lazy-subframe-detached-crash.html
@@ -0,0 +1,26 @@
+<!doctype html>
+<html class="test-wait">
+<title>Crash when detaching a frame during a lazy-load operation</title>
+<link rel="author" href="mailto:emilio@crisal.io" title="Emilio Cobos Álvarez">
+<link rel="author" href="https://mozilla.org" title="Mozilla">
+<link rel="help" href="https://bugzilla.mozilla.org/show_bug.cgi?id=1619858">
+<iframe srcdoc=""></iframe>
+<script>
+onload = function() {
+  let frame = document.querySelector("iframe");
+  frame.contentDocument.body.innerHTML = `
+    <div style="height: 300vh"></div>
+    <img loading="lazy" src="/images/blue96x96.png" width=96 height=96>
+  `;
+  let img = frame.contentDocument.querySelector("img");
+  new IntersectionObserver(() => {
+    frame.remove();
+    requestAnimationFrame(function() {
+      requestAnimationFrame(function() {
+        document.documentElement.className = "";
+      });
+    });
+  }).observe(img);
+  frame.contentWindow.scrollTo(0, img.getBoundingClientRect().top);
+};
+</script>