Bug 1550881. Prevent document.open() calls from descendant subframes' unload handlers triggered by document.open() from doing anything useful. r=hsivonen

Differential Revision: https://phabricator.services.mozilla.com/D30728

--HG--
extra : moz-landing-system : lando

dom/html/crashtests/1550881-1.html

@@ -0,0 +1,13 @@
+<!DOCTYPE html>
+<iframe srcdoc="<iframe></iframe>"></iframe>
+<script>
+  onload = function() {
+      parent = frames[0];
+      child = parent[0];
+      child.onunload = function() {
+          parent.document.open();
+      }
+      parent.document.open();
+      parent.document.write("Hello");
+  }
+</script>

dom/html/crashtests/1550881-2.html

@@ -0,0 +1,14 @@
+<!DOCTYPE html>
+<iframe srcdoc="<iframe></iframe>"></iframe>
+<script>
+  onload = function() {
+      parent = frames[0];
+      child = parent[0];
+      child.onunload = function() {
+          parent.document.open();
+          parent.document.write("Nested");
+      }
+      parent.document.open();
+      parent.document.write("Hello");
+  }
+</script>

dom/html/crashtests/crashtests.list

@@ -89,3 +89,5 @@ asserts(0-4) load 1401726.html
 load 1412173.html
 load 1440523.html
 load 1547057.html
+load 1550881-1.html
+load 1550881-2.html

dom/html/nsHTMLDocument.cpp

@@ -1098,7 +1098,15 @@ Document* nsHTMLDocument::Open(const Optional<nsAString>& /* unused */,
   }
 
   // Step 10 -- remove all our DOM kids without firing any mutation events.
-  DisconnectNodeTree();
+  {
+    // We want to ignore any recursive calls to Open() that happen while
+    // disconnecting the node tree.  The spec doesn't say to do this, but the
+    // spec also doesn't envision unload events on subframes firing while we do
+    // this, while all browsers fire them in practice.  See
+    // <https://github.com/whatwg/html/issues/4611>.
+    IgnoreOpensDuringUnload ignoreOpenGuard(this);
+    DisconnectNodeTree();
+  }
 
   // Step 11 -- if we're the current document in our docshell, do the
   // equivalent of pushState() with the new URL we should have.