Ensure template elements in inactive documents don't crash.

Bug: 1090561 Test: html/semantics/scripting-1/the-template-element/template-element/template-content-in-inactive-document-crash.html Test: html/semantics/scripting-1/the-template-element/template-element/template-content-move-to-inactive-document-crash.html Change-Id: Idfdc343b177fcd81b208d98b0f66799abee5e4d8 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2229368 Commit-Queue: Nate Chapin <japhet@chromium.org> Commit-Queue: Kentaro Hara <haraken@chromium.org> Auto-Submit: Nate Chapin <japhet@chromium.org> Reviewed-by: Kentaro Hara <haraken@chromium.org> Cr-Commit-Position: refs/heads/master@{#774926}

Ensure template elements in inactive documents don't crash.
Bug: 1090561 Test: html/semantics/scripting-1/the-template-element/template-element/template-content-in-inactive-document-crash.html Test: html/semantics/scripting-1/the-template-element/template-element/template-content-move-to-inactive-document-crash.html Change-Id: Idfdc343b177fcd81b208d98b0f66799abee5e4d8 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2229368 Commit-Queue: Nate Chapin <japhet@chromium.org> Commit-Queue: Kentaro Hara <haraken@chromium.org> Auto-Submit: Nate Chapin <japhet@chromium.org> Reviewed-by: Kentaro Hara <haraken@chromium.org> Cr-Commit-Position: refs/heads/master@{#774926}
03e10196 · Nate Chapin · Commit Bot · 73081e5e · 03e10196 · 03e10196
Commit 03e10196 authored Jun 04, 2020 by Nate Chapin Committed by Commit Bot Jun 04, 2020
3 changed files
--- a/third_party/blink/renderer/core/html/html_template_element.cc
+++ b/third_party/blink/renderer/core/html/html_template_element.cc
@@ -46,7 +46,7 @@ HTMLTemplateElement::HTMLTemplateElement(Document& document)
 HTMLTemplateElement::~HTMLTemplateElement() = default;

 DocumentFragment* HTMLTemplateElement::ContentInternal() const {
-  if (!content_)
+  if (!content_ && GetExecutionContext())
    content_ = MakeGarbageCollected<TemplateContentDocumentFragment>(
        GetDocument().EnsureTemplateDocument(),
        const_cast<HTMLTemplateElement*>(this));
@@ -76,7 +76,7 @@ void HTMLTemplateElement::CloneNonAttributePropertiesFrom(

 void HTMLTemplateElement::DidMoveToNewDocument(Document& old_document) {
  HTMLElement::DidMoveToNewDocument(old_document);
-  if (!content_)
+  if (!content_ || !GetExecutionContext())
    return;
  GetDocument().EnsureTemplateDocument().AdoptIfNeeded(*content_);
 }

--- a/third_party/blink/web_tests/external/wpt/html/semantics/scripting-1/the-template-element/template-element/template-content-in-inactive-document-crash.html
+++ b/third_party/blink/web_tests/external/wpt/html/semantics/scripting-1/the-template-element/template-element/template-content-in-inactive-document-crash.html
+<iframe id="i"></iframe>
+<script>
+var t = i.contentDocument.createElement("template");
+i.contentDocument.documentElement.appendChild(t);
+i.remove();
+t.content;
+</script>
--- a/third_party/blink/web_tests/external/wpt/html/semantics/scripting-1/the-template-element/template-element/template-content-move-to-inactive-document-crash.html
+++ b/third_party/blink/web_tests/external/wpt/html/semantics/scripting-1/the-template-element/template-element/template-content-move-to-inactive-document-crash.html
+<div id="d">
+<iframe id="i"></iframe>
+<template id="t"> </template>
+</div>
+<script>
+i.contentDocument.documentElement.appendChild(d);
+</script>