Bug 1667491: Fix null pointer deref. r=nika

Differential Revision: https://phabricator.services.mozilla.com/D91834
iaxat · Sep 29, 2020 · c95f8d2 · c95f8d2
1 parent e3e31da
commit c95f8d2
Show file tree

Hide file tree

Showing 3 changed files with 41 additions and 8 deletions.
diff --git a/docshell/base/crashtests/1667491.html b/docshell/base/crashtests/1667491.html
@@ -0,0 +1,32 @@
+<!DOCTYPE html>
+<html class="reftest-wait">
+<head>
+  <meta charset="UTF-8">
+<script>
+  function go() {
+    const HTML = `
+<script>
+function go() {
+  document.body.appendChild(a)
+  window.frames[0].onbeforeunload = document.createElement("body").onload;
+  window.requestIdleCallback(() => {
+    window.close();
+    finish();
+  });
+}
+<\/script>
+<body onload="go()">
+<iframe id="a"></iframe>
+<iframe></iframe>
+    `;
+
+    let win = window.open(`data:text/html,${encodeURIComponent(HTML)}`);
+    win.finish = function() {
+      document.documentElement.removeAttribute("class");
+    };
+  }
+</script>
+</head>
+<body onload="go()">
+</body>
+</html>
diff --git a/docshell/base/crashtests/crashtests.list b/docshell/base/crashtests/crashtests.list
@@ -18,3 +18,4 @@ load 1341657.html
 load 1584467.html
 load 1614211-1.html
 load 1617315-1.html
+pref(dom.disable_open_during_load,false) pref(security.data_uri.unique_opaque_origin,false) pref(security.data_uri.block_toplevel_data_uri_navigations,false) load 1667491.html
diff --git a/layout/base/nsDocumentViewer.cpp b/layout/base/nsDocumentViewer.cpp
@@ -1223,18 +1223,18 @@ nsDocumentViewer::PermitUnload(PermitUnloadAction aAction,
   bool foundBlocker = false;
   bool foundOOPListener = false;
   bc->PreOrderWalk([&](BrowsingContext* aBC) {
-    if (aBC->IsInProcess()) {
-      nsCOMPtr<nsIContentViewer> contentViewer;
-      aBC->GetDocShell()->GetContentViewer(getter_AddRefs(contentViewer));
-      if (contentViewer &&
-          contentViewer->DispatchBeforeUnload() == eRequestBlockNavigation) {
-        foundBlocker = true;
-      }
-    } else {
+    if (!aBC->IsInProcess()) {
       WindowContext* wc = aBC->GetCurrentWindowContext();
       if (wc && wc->HasBeforeUnload()) {
         foundOOPListener = true;
       }
+    } else if (aBC->GetDocShell()) {
+      nsCOMPtr<nsIContentViewer> contentViewer(
+          aBC->GetDocShell()->GetContentViewer());
+      if (contentViewer &&
+          contentViewer->DispatchBeforeUnload() == eRequestBlockNavigation) {
+        foundBlocker = true;
+      }
     }
   });