Bug 1840191 - Fix a crash where nsContentSink::DidBuildModelImpl gets called with incorrect state r=hsivonen,dom-core

The autofocus algorithm made this noticeable because we now can run scripts at an earlier time. Differential Revision: https://phabricator.services.mozilla.com/D182734
2023-08-17 18:22:57 +00:00
parent ba299f226a
commit d34aa2d18b
6 changed files with 80 additions and 1 deletions
--- a/dom/base/crashtests/1840191.html
+++ b/dom/base/crashtests/1840191.html
@@ -0,0 +1,68 @@
+<head>
+<script>
+function go() {
+    document.onreadystatechange = () => { a.submit() }
+    window.stop()
+}
+</script>
+</head>
+<!-- a -->
+<body>
+<wbr>
+<map>
+<output>
+<fieldset>
+<keygen>
+</fieldset>
+<iframe></iframe>
+<h1>
+<form>
+</bgsound>
+</option>
+</form>
+<data>
+<form id="a" target="b">
+<output>
+<output>
+<picture>
+<pre></pre>
+</data>
+<output>
+<textarea onfocus="go()" autofocus="">
+</textarea>
+<dl>
+<dt>
+<input>
+</dt>
+<dt>
+<dd>
+<table>
+<marquee>
+<frameset>
+<frame>
+</frame>
+</frameset>
+<bdo>
+<canvas>
+<video>
+<input>
+<time>
+<keygen>
+<audio>
+<track>
+<source>
+<select>
+<optgroup>
+<option>
+<option>
+</select>
+<bdi>
+<h4>
+<img>
+<sub>
+<picture>
+<h4>
+<link>
+<link>
+<!-- a -->
+</html>
--- a/dom/base/crashtests/crashtests.list
+++ b/dom/base/crashtests/crashtests.list
@@ -270,3 +270,4 @@ load 1822717.html
 load 1835886.html
 load 1836824.html
 skip-if(Android) load 1838484.html
+load 1840191.html
--- a/dom/base/nsContentSink.cpp
+++ b/dom/base/nsContentSink.cpp
@@ -815,7 +815,7 @@ void nsContentSink::EndUpdate(Document* aDocument) {
 }

 void nsContentSink::DidBuildModelImpl(bool aTerminated) {
-  MOZ_ASSERT(aTerminated ||
+  MOZ_ASSERT(aTerminated || (mParser && mParser->IsParserClosed()) ||
                 mDocument->GetReadyStateEnum() == Document::READYSTATE_LOADING,
             "Bad readyState");
  mDocument->SetReadyStateInternal(Document::READYSTATE_INTERACTIVE);
--- a/parser/html/nsHtml5Parser.cpp
+++ b/parser/html/nsHtml5Parser.cpp
@@ -147,6 +147,9 @@ nsHtml5Parser::ContinueInterruptedParsingAsync() {
 NS_IMETHODIMP_(bool)
 nsHtml5Parser::IsParserEnabled() { return !mBlocked; }

+NS_IMETHODIMP_(bool)
+nsHtml5Parser::IsParserClosed() { return mDocumentClosed; }
+
 NS_IMETHODIMP_(bool)
 nsHtml5Parser::IsComplete() { return mExecutor->IsComplete(); }

--- a/parser/html/nsHtml5Parser.h
+++ b/parser/html/nsHtml5Parser.h
@@ -105,6 +105,12 @@ class nsHtml5Parser final : public nsIParser, public nsSupportsWeakReference {
   */
  NS_IMETHOD_(bool) IsParserEnabled() override;

+  /**
+   * Query whether the parser is closed (i.e. document.closed() is called) or
+   * not.
+   */
+  NS_IMETHOD_(bool) IsParserClosed() override;
+
  /**
   * Query whether the parser thinks it's done with parsing.
   */
--- a/parser/htmlparser/nsParserBase.h
+++ b/parser/htmlparser/nsParserBase.h
@@ -10,6 +10,7 @@
 class nsParserBase : public nsISupports {
 public:
  NS_IMETHOD_(bool) IsParserEnabled() { return true; }
+  NS_IMETHOD_(bool) IsParserClosed() { return false; }
 };

 #endif  // nsParserBase_h_