Bug 1314032 - Add null checks to fix crash in mozilla::dom::DOMIntersectionObserver::Update. r=mstange
authorTobias Schneider <schneider@jancona.com>
Mon, 31 Oct 2016 12:24:00 -0400
changeset 347039 1e58a5a4ba4a267fc43959b305dd1eb7640ee30e
parent 347038 5abd7301134e7d7cac66438986a436558506c030
child 347040 f0cee6a12df706e9f1eb6e6381d3c33967781b57
push id10298
push userraliiev@mozilla.com
push dateMon, 14 Nov 2016 12:33:03 +0000
treeherdermozilla-aurora@7e29173b1641 [default view] [failures only]
reviewersmstange
bugs1314032
milestone52.0a1
Bug 1314032 - Add null checks to fix crash in mozilla::dom::DOMIntersectionObserver::Update. r=mstange
dom/base/DOMIntersectionObserver.cpp
dom/base/test/mochitest.ini
dom/base/test/test_bug1314032.html
--- a/dom/base/DOMIntersectionObserver.cpp
+++ b/dom/base/DOMIntersectionObserver.cpp
@@ -260,24 +260,26 @@ DOMIntersectionObserver::Update(nsIDocum
           nsLayoutUtils::GetContainingBlockForClientRect(rootFrame),
           nsLayoutUtils::RECTS_ACCOUNT_FOR_TRANSFORMS);
       }
     }
   } else {
     nsCOMPtr<nsIPresShell> presShell = aDocument->GetShell();
     if (presShell) {
       rootFrame = presShell->GetRootScrollFrame();
-      nsPresContext* presContext = rootFrame->PresContext();
-      while (!presContext->IsRootContentDocument()) {
-        presContext = rootFrame->PresContext()->GetParentPresContext();
-        rootFrame = presContext->PresShell()->GetRootScrollFrame();
+      if (rootFrame) {
+        nsPresContext* presContext = rootFrame->PresContext();
+        while (!presContext->IsRootContentDocument()) {
+          presContext = rootFrame->PresContext()->GetParentPresContext();
+          rootFrame = presContext->PresShell()->GetRootScrollFrame();
+        }
+        root = rootFrame->GetContent()->AsElement();
+        nsIScrollableFrame* scrollFrame = do_QueryFrame(rootFrame);
+        rootRect = scrollFrame->GetScrollPortRect();
       }
-      root = rootFrame->GetContent()->AsElement();
-      nsIScrollableFrame* scrollFrame = do_QueryFrame(rootFrame);
-      rootRect = scrollFrame->GetScrollPortRect();
     }
   }
 
   nsMargin rootMargin;
   NS_FOR_CSS_SIDES(side) {
     nscoord basis = side == NS_SIDE_TOP || side == NS_SIDE_BOTTOM ?
       rootRect.height : rootRect.width;
     nsCSSValue value = mRootMargin.*nsCSSRect::sides[side];
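Review bot: The while loop inside the new `if (rootFrame)` block still dereferences two results without a check: `GetParentPresContext()` and the parent shell's `GetRootScrollFrame()`, the same call whose null result this commit guards one level up. If either returns null while walking toward the root content document, the next `rootFrame->PresContext()` or the `rootFrame->GetContent()` after the loop faults, and the shape of that document chain is page-controlled. I would clear `rootFrame` in that case so the function takes the same no-root path as the new guard, and test the `do_QueryFrame` result before calling `scrollFrame->GetScrollPortRect()`. That later code tolerates a null `rootFrame` is inferred from this commit's own guard; Update() starts and ends outside the hunk.

```cpp
      if (rootFrame) {
        nsPresContext* presContext = rootFrame->PresContext();
        while (rootFrame && !presContext->IsRootContentDocument()) {
          presContext = rootFrame->PresContext()->GetParentPresContext();
          // No parent context or no root scroll frame in the parent shell:
          // give up on the implicit root instead of dereferencing null.
          rootFrame = presContext
            ? presContext->PresShell()->GetRootScrollFrame()
            : nullptr;
        }
        if (rootFrame && rootFrame->GetContent()) {
          nsIScrollableFrame* scrollFrame = do_QueryFrame(rootFrame);
          if (scrollFrame) {
            root = rootFrame->GetContent()->AsElement();
            rootRect = scrollFrame->GetScrollPortRect();
          }
        }
      }
```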
@@ -343,17 +345,18 @@ DOMIntersectionObserver::Update(nsIDocum
 
         // TODO: Apply clip-path.
 
         containerFrame = nsLayoutUtils::GetCrossDocParentFrame(containerFrame);
       }
     }
 
     nsRect rootIntersectionRect = rootRect;
-    bool isInSimilarOriginBrowsingContext = CheckSimilarOrigin(root, target);
+    bool isInSimilarOriginBrowsingContext = rootFrame && targetFrame &&
+                                            CheckSimilarOrigin(root, target);
 
     if (isInSimilarOriginBrowsingContext) {
       rootIntersectionRect.Inflate(rootMargin);
     }
 
     if (intersectionRect.isSome()) {
       nsRect intersectionRectRelativeToRoot =
         nsLayoutUtils::TransformFrameRectToAncestor(
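Review bot: The new guard on `isInSimilarOriginBrowsingContext` tests `rootFrame` and `targetFrame`, but the values handed to `CheckSimilarOrigin` are `root` and `target`, and nothing in this hunk ties a non-null frame to a non-null element. If the elements are what it dereferences, `root && target && CheckSimilarOrigin(root, target)` would state the precondition directly. Since this flag decides whether `rootMargin` is applied to the root rect, a comment such as `// No frame on either side: treat as not similar-origin, so rootMargin is not applied.` would record that falling back to false is the restrictive default. The enclosing block starts and ends outside the hunk.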
--- a/dom/base/test/mochitest.ini
+++ b/dom/base/test/mochitest.ini
@@ -628,16 +628,17 @@ skip-if = buildapp == 'b2g'
 [test_bug1259588.html]
 [test_bug1263696.html]
 [test_bug1268962.html]
 [test_bug1274806.html]
 [test_bug1281963.html]
 [test_bug1295852.html]
 [test_bug1307730.html]
 [test_bug1308069.html]
+[test_bug1314032.html]
 [test_caretPositionFromPoint.html]
 [test_change_policy.html]
 skip-if = buildapp == 'b2g' #no ssl support
 [test_classList.html]
 [test_clearTimeoutIntervalNoArg.html]
 [test_constructor-assignment.html]
 [test_constructor.html]
 [test_copyimage.html]
new file mode 100644
--- /dev/null
+++ b/dom/base/test/test_bug1314032.html
@@ -0,0 +1,38 @@
+<!DOCTYPE HTML>
+<html>
+<head>
+  <meta charset="utf-8">
+  <title>Test for Bug 1314032</title>
+  <script type="application/javascript" src="/tests/SimpleTest/SimpleTest.js"></script>
+  <link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css"/>
+</head>
+<body>
+<a target="_blank" href="https://bugzilla.mozilla.org/show_bug.cgi?id=1314032">Mozilla Bug 1243846</a>
+<p id="display"></p>
+<pre id="test">
+<script type="application/javascript">
+
+	let win = window.open(URL.createObjectURL(new Blob([
+		'<meta charset="utf-8">' +
+		'<script>' +
+		  'let observer = new IntersectionObserver(([entry]) => {' +
+		    'document.body.textContent += entry.time' +
+		  '});' +
+			'observer.observe(document.documentElement);' +
+		'<\/script>'
+	], {'type': 'text/html'})));
+	
+	win.onload = function () {
+		win.close();
+		ok(true);
+		SimpleTest.finish();
+	}
+	
+	SimpleTest.waitForExplicitFinish();
+
+</script>
+</pre>
+<div id="log">
+</div>
+</body>
+</html>
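Review bot: The link text on the bug anchor reads `Mozilla Bug 1243846` while its href and the page title refer to bug 1314032; the label should be `Mozilla Bug 1314032`. The only assertion is `ok(true)` with no message, fired from `win.onload` right after `win.close()`, so the test passes as soon as the popup loads. It presumably relies on the observer update having run by then, which nothing here waits for. Consider `ok(true, "IntersectionObserver in a blob: document did not crash");` and a short comment above `win.onload` saying this is a crash regression test with no functional assertions.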