Bug 1314032 - Add null checks to fix crash in mozilla::dom::DOMIntersectionObserver::Update. r=mstange

2016-10-31 12:24:00 -04:00 · 2016-10-31 12:24:00 -04:00 · af7da87e7d
--- a/dom/base/DOMIntersectionObserver.cpp
+++ b/dom/base/DOMIntersectionObserver.cpp
@ -265,14 +265,16 @@ DOMIntersectionObserver::Update(nsIDocument* aDocument, DOMHighResTimeStamp time
    nsCOMPtr<nsIPresShell> presShell = aDocument->GetShell();
    if (presShell) {
      rootFrame = presShell->GetRootScrollFrame();
-      nsPresContext* presContext = rootFrame->PresContext();
-      while (!presContext->IsRootContentDocument()) {
-        presContext = rootFrame->PresContext()->GetParentPresContext();
-        rootFrame = presContext->PresShell()->GetRootScrollFrame();
+      if (rootFrame) {
+        nsPresContext* presContext = rootFrame->PresContext();
+        while (!presContext->IsRootContentDocument()) {
+          presContext = rootFrame->PresContext()->GetParentPresContext();
+          rootFrame = presContext->PresShell()->GetRootScrollFrame();
+        }
+        root = rootFrame->GetContent()->AsElement();
+        nsIScrollableFrame* scrollFrame = do_QueryFrame(rootFrame);
+        rootRect = scrollFrame->GetScrollPortRect();
      }
-      root = rootFrame->GetContent()->AsElement();
-      nsIScrollableFrame* scrollFrame = do_QueryFrame(rootFrame);
-      rootRect = scrollFrame->GetScrollPortRect();
    }
  }

@ -348,7 +350,8 @@ DOMIntersectionObserver::Update(nsIDocument* aDocument, DOMHighResTimeStamp time
    }

    nsRect rootIntersectionRect = rootRect;
-    bool isInSimilarOriginBrowsingContext = CheckSimilarOrigin(root, target);
+    bool isInSimilarOriginBrowsingContext = rootFrame && targetFrame &&
+                                            CheckSimilarOrigin(root, target);

    if (isInSimilarOriginBrowsingContext) {
      rootIntersectionRect.Inflate(rootMargin);
--- a/dom/base/test/mochitest.ini
+++ b/dom/base/test/mochitest.ini
@ -633,6 +633,7 @@ skip-if = buildapp == 'b2g'
 [test_bug1295852.html]
 [test_bug1307730.html]
 [test_bug1308069.html]
+[test_bug1314032.html]
 [test_caretPositionFromPoint.html]
 [test_change_policy.html]
 skip-if = buildapp == 'b2g' #no ssl support
--- a/dom/base/test/test_bug1314032.html
+++ b/dom/base/test/test_bug1314032.html
@ -0,0 +1,38 @@
+<!DOCTYPE HTML>
+<html>
+<head>
+  <meta charset="utf-8">
+  <title>Test for Bug 1314032</title>
+  <script type="application/javascript" src="/tests/SimpleTest/SimpleTest.js"></script>
+  <link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css"/>
+</head>
+<body>
+<a target="_blank" href="https://bugzilla.mozilla.org/show_bug.cgi?id=1314032">Mozilla Bug 1243846</a>
+<p id="display"></p>
+<pre id="test">
+<script type="application/javascript">
+
+	let win = window.open(URL.createObjectURL(new Blob([
+		'<meta charset="utf-8">' +
+		'<script>' +
+		  'let observer = new IntersectionObserver(([entry]) => {' +
+		    'document.body.textContent += entry.time' +
+		  '});' +
+			'observer.observe(document.documentElement);' +
+		'<\/script>'
+	], {'type': 'text/html'})));
+	
+	win.onload = function () {
+		win.close();
+		ok(true);
+		SimpleTest.finish();
+	}
+	
+	SimpleTest.waitForExplicitFinish();
+
+</script>
+</pre>
+<div id="log">
+</div>
+</body>
+</html>