Bug 1314032 - Add null checks to fix crash in mozilla::dom::DOMIntersectionObserver::Update. r=mstange
authorTobias Schneider <schneider@jancona.com>
Mon, 31 Oct 2016 12:24:00 -0400
changeset 320308 1e58a5a4ba4a267fc43959b305dd1eb7640ee30e
parent 320307 5abd7301134e7d7cac66438986a436558506c030
child 320309 f0cee6a12df706e9f1eb6e6381d3c33967781b57
push id83359
push userryanvm@gmail.com
push dateMon, 31 Oct 2016 20:24:30 +0000
reviewersmstange
bugs1314032
milestone52.0a1
Bug 1314032 - Add null checks to fix crash in mozilla::dom::DOMIntersectionObserver::Update. r=mstange
dom/base/DOMIntersectionObserver.cpp
dom/base/test/mochitest.ini
dom/base/test/test_bug1314032.html
--- a/dom/base/DOMIntersectionObserver.cpp
+++ b/dom/base/DOMIntersectionObserver.cpp
@@ -260,24 +260,26 @@ DOMIntersectionObserver::Update(nsIDocum
           nsLayoutUtils::GetContainingBlockForClientRect(rootFrame),
           nsLayoutUtils::RECTS_ACCOUNT_FOR_TRANSFORMS);
       }
     }
   } else {
     nsCOMPtr<nsIPresShell> presShell = aDocument->GetShell();
     if (presShell) {
       rootFrame = presShell->GetRootScrollFrame();
-      nsPresContext* presContext = rootFrame->PresContext();
-      while (!presContext->IsRootContentDocument()) {
-        presContext = rootFrame->PresContext()->GetParentPresContext();
-        rootFrame = presContext->PresShell()->GetRootScrollFrame();
+      if (rootFrame) {
+        nsPresContext* presContext = rootFrame->PresContext();
+        while (!presContext->IsRootContentDocument()) {
+          presContext = rootFrame->PresContext()->GetParentPresContext();
+          rootFrame = presContext->PresShell()->GetRootScrollFrame();
+        }
+        root = rootFrame->GetContent()->AsElement();
+        nsIScrollableFrame* scrollFrame = do_QueryFrame(rootFrame);
+        rootRect = scrollFrame->GetScrollPortRect();
       }
-      root = rootFrame->GetContent()->AsElement();
-      nsIScrollableFrame* scrollFrame = do_QueryFrame(rootFrame);
-      rootRect = scrollFrame->GetScrollPortRect();
     }
   }
 
   nsMargin rootMargin;
   NS_FOR_CSS_SIDES(side) {
     nscoord basis = side == NS_SIDE_TOP || side == NS_SIDE_BOTTOM ?
       rootRect.height : rootRect.width;
     nsCSSValue value = mRootMargin.*nsCSSRect::sides[side];
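Review bot: The new `if (rootFrame)` guard covers only the first `GetRootScrollFrame()` result. Inside the `while` loop `rootFrame` is reassigned from the same call on the parent pres shell, then dereferenced on the next iteration and again after the loop with no check. `GetParentPresContext()` and the `scrollFrame` obtained through `do_QueryFrame` are also dereferenced unchecked; whether they can be null on this path is not visible here, but this commit shows the first call can be. Consider stopping the walk on null and re-testing `rootFrame` before `root` and `rootRect` are read, as sketched below. `Update` begins and ends outside this hunk.

```cpp
      if (rootFrame) {
        nsPresContext* presContext = rootFrame->PresContext();
        while (rootFrame && !presContext->IsRootContentDocument()) {
          presContext = presContext->GetParentPresContext();
          if (!presContext) {
            // No parent to walk to: treat as "no root frame".
            rootFrame = nullptr;
            break;
          }
          rootFrame = presContext->PresShell()->GetRootScrollFrame();
        }
      }
      if (rootFrame) {
        // … unchanged: root / scrollFrame / rootRect assignments …
      }
```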
@@ -343,17 +345,18 @@ DOMIntersectionObserver::Update(nsIDocum
 
         // TODO: Apply clip-path.
 
         containerFrame = nsLayoutUtils::GetCrossDocParentFrame(containerFrame);
       }
     }
 
     nsRect rootIntersectionRect = rootRect;
-    bool isInSimilarOriginBrowsingContext = CheckSimilarOrigin(root, target);
+    bool isInSimilarOriginBrowsingContext = rootFrame && targetFrame &&
+                                            CheckSimilarOrigin(root, target);
 
     if (isInSimilarOriginBrowsingContext) {
       rootIntersectionRect.Inflate(rootMargin);
     }
 
     if (intersectionRect.isSome()) {
       nsRect intersectionRectRelativeToRoot =
         nsLayoutUtils::TransformFrameRectToAncestor(
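Review bot: The new condition tests `rootFrame` and `targetFrame`, but the call it protects takes `root` and `target`, so the guard only works if a null frame always implies a null element; that invariant is set up elsewhere in `Update` and is not stated here. Either test the pointers actually passed (`root && target && CheckSimilarOrigin(root, target)`, if that matches the crash) or add a comment above the line such as `// root/target are only usable when their frames exist; without frames treat the pair as not similar-origin so rootMargin is not applied.` The `TransformFrameRectToAncestor` call that follows is cut off by the hunk, so it is worth confirming it is not reached with a null `rootFrame` either.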
--- a/dom/base/test/mochitest.ini
+++ b/dom/base/test/mochitest.ini
@@ -628,16 +628,17 @@ skip-if = buildapp == 'b2g'
 [test_bug1259588.html]
 [test_bug1263696.html]
 [test_bug1268962.html]
 [test_bug1274806.html]
 [test_bug1281963.html]
 [test_bug1295852.html]
 [test_bug1307730.html]
 [test_bug1308069.html]
+[test_bug1314032.html]
 [test_caretPositionFromPoint.html]
 [test_change_policy.html]
 skip-if = buildapp == 'b2g' #no ssl support
 [test_classList.html]
 [test_clearTimeoutIntervalNoArg.html]
 [test_constructor-assignment.html]
 [test_constructor.html]
 [test_copyimage.html]
new file mode 100644
--- /dev/null
+++ b/dom/base/test/test_bug1314032.html
@@ -0,0 +1,38 @@
+<!DOCTYPE HTML>
+<html>
+<head>
+  <meta charset="utf-8">
+  <title>Test for Bug 1314032</title>
+  <script type="application/javascript" src="/tests/SimpleTest/SimpleTest.js"></script>
+  <link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css"/>
+</head>
+<body>
+<a target="_blank" href="https://bugzilla.mozilla.org/show_bug.cgi?id=1314032">Mozilla Bug 1243846</a>
+<p id="display"></p>
+<pre id="test">
+<script type="application/javascript">
+
+	let win = window.open(URL.createObjectURL(new Blob([
+		'<meta charset="utf-8">' +
+		'<script>' +
+		  'let observer = new IntersectionObserver(([entry]) => {' +
+		    'document.body.textContent += entry.time' +
+		  '});' +
+			'observer.observe(document.documentElement);' +
+		'<\/script>'
+	], {'type': 'text/html'})));
+	
+	win.onload = function () {
+		win.close();
+		ok(true);
+		SimpleTest.finish();
+	}
+	
+	SimpleTest.waitForExplicitFinish();
+
+</script>
+</pre>
+<div id="log">
+</div>
+</body>
+</html>
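Review bot: The link label in the body reads `Mozilla Bug 1243846` while its href and the page title refer to bug 1314032; the label should be `Mozilla Bug 1314032` so a failure log points at the right report. The only assertion is `ok(true)` with no message, so the test passes purely by not crashing; a message such as `ok(true, "IntersectionObserver update on a closing window did not crash");` and a one-line comment above `win.onload` saying the window is closed right after load on purpose would make that intent clear. The script body mixes tabs and spaces for indentation, which the rest of the file does not.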