Bug 745495 - Fix crash when using screen object from removed iframe. r=smaug
authorMounir Lamouri <mounir.lamouri@gmail.com>
Mon, 16 Apr 2012 11:33:35 +0200
changeset 91749 61088f8aa842fb7042453ce2b2565492b32322d8
parent 91748 5972e57175a560315683a098c0e57563027db456
child 91750 904830fc136772c0060912c17a0833a55d4ffca5
push id22472
push usereakhgari@mozilla.com
push dateMon, 16 Apr 2012 15:03:21 +0000
reviewerssmaug
bugs745495
milestone14.0a1
Bug 745495 - Fix crash when using screen object from removed iframe. r=smaug
dom/base/crashtests/745495.html
dom/base/crashtests/crashtests.list
layout/base/nsLayoutUtils.cpp
new file mode 100644
--- /dev/null
+++ b/dom/base/crashtests/745495.html
@@ -0,0 +1,19 @@
+<!DOCTYPE html>
+<html>
+<head>
+<script>
+
+function boom()
+{
+  var frame = document.createElementNS("http://www.w3.org/1999/xhtml", "iframe");
+  document.body.appendChild(frame);
+  var frameScreen = frame.contentWindow.screen;
+  document.body.removeChild(frame);
+  frameScreen.top;
+}
+
+</script>
+</head>
+
+<body onload="boom();"></body>
+</html>
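Review bot: The crashtest reads only `frameScreen.top` after the iframe is removed, so it pins just the one getter named in the bug. If other screen getters reach the same window lookup (not visible in this commit), a few extra reads in `boom()`, e.g. `frameScreen.width; frameScreen.availHeight;`, would keep them covered by the same regression test. A one-line comment in the script stating that the test passes if the load completes without crashing would also help the next reader.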
--- a/dom/base/crashtests/crashtests.list
+++ b/dom/base/crashtests/crashtests.list
@@ -32,8 +32,9 @@ load 675621-1.html
 load 693894.html
 load 693811-1.html
 load 693811-2.html
 load 693811-3.html
 load 695867.html
 load 697643.html
 load 706283-1.html
 load 708405-1.html
+load 745495.html
--- a/layout/base/nsLayoutUtils.cpp
+++ b/layout/base/nsLayoutUtils.cpp
@@ -3986,16 +3986,20 @@ nsLayoutUtils::GetRectDifferenceStrips(c
   *aHStrip = unionRect;
   aHStrip->y += HStripStart;
   aHStrip->height -= HStripStart;
 }
 
 nsDeviceContext*
 nsLayoutUtils::GetDeviceContextForScreenInfo(nsPIDOMWindow* aWindow)
 {
+  if (!aWindow) {
+    return nsnull;
+  }
+
   nsCOMPtr<nsIDocShell> docShell = aWindow->GetDocShell();
   while (docShell) {
     // Now make sure our size is up to date.  That will mean that the device
     // context does the right thing on multi-monitor systems when we return it to
     // the caller.  It will also make sure that our prescontext has been created,
     // if we're supposed to have one.
     nsCOMPtr<nsPIDOMWindow> win = do_GetInterface(docShell);
     if (!win) {
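Review bot: The new `!aWindow` guard at the top of `GetDeviceContextForScreenInfo` makes a null window a supported input, but nothing in the hunk records that contract or that the function may now return `nsnull` before touching the docshell. A short comment above the guard would tell callers they must null-check the result instead of dereferencing it, e.g. `// aWindow can be null, e.g. when a screen object outlives its window (bug 745495); callers must handle a null return.` Whether every existing caller already checks the returned pointer is not visible here, so that is worth confirming as part of this fix. The function body continues past the end of the hunk.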