Fix nullptr crash in fragment navigation

The focus call in fragment navigation can run arbitrary script which can cause the document to become detached. Thus, we need to check whether we're still attached before continuing. Bug: 837255 Change-Id: I4b35f66e39ace801a59230234264757ba4d6be04 Reviewed-on: https://chromium-review.googlesource.com/1033958Reviewed-by: Steve Kobes <skobes@chromium.org> Commit-Queue: David Bokan <bokan@chromium.org> Cr-Commit-Position: refs/heads/master@{#554775}

Fix nullptr crash in fragment navigation
The focus call in fragment navigation can run arbitrary script which can cause the document to become detached. Thus, we need to check whether we're still attached before continuing. Bug: 837255 Change-Id: I4b35f66e39ace801a59230234264757ba4d6be04 Reviewed-on: https://chromium-review.googlesource.com/1033958Reviewed-by: Steve Kobes <skobes@chromium.org> Commit-Queue: David Bokan <bokan@chromium.org> Cr-Commit-Position: refs/heads/master@{#554775}
61966fae · David Bokan · Commit Bot · 01dc60ba · 61966fae · 61966fae
Commit 61966fae authored Apr 30, 2018 by David Bokan Committed by Commit Bot Apr 30, 2018
2 changed files
--- a/third_party/WebKit/LayoutTests/fast/scrolling/detach-during-scroll-to-fragment-doesnt-crash.html
+++ b/third_party/WebKit/LayoutTests/fast/scrolling/detach-during-scroll-to-fragment-doesnt-crash.html
+<!DOCTYPE>
+<script src="../../resources/testharness.js"></script>
+<script src="../../resources/testharnessreport.js"></script>
+<body>
+  <script>
+    test( () => {
+      const iframe = document.createElement('iframe')
+      document.body.appendChild(iframe);
+      const button = document.createElement('button');
+      iframe.contentDocument.body.appendChild(button);
+      button.id = 'button';
+      button.onfocus = () => {
+        // This will detach the iframe's document from its frame before
+        // reattaching to the DOM and creating a new document. Ensure nothing
+        // touches the cleared frame.
+        document.body.appendChild(iframe);
+      };
+      // Cause the button to be focused and scrolled into view.
+      iframe.contentWindow.location.hash = 'button';
+    }, "Detaching document during scroll to fragment doesn't crash");
+  </script>
+</body>
--- a/third_party/blink/renderer/core/dom/document.cc
+++ b/third_party/blink/renderer/core/dom/document.cc
@@ -2366,10 +2366,15 @@ void Document::UpdateStyleAndLayout() {
 }
 void Document::LayoutUpdated() {
+  DCHECK(GetFrame());
+  DCHECK(View());
+  // If we're restoring a scroll position from history, that takes precedence
+  // over scrolling to the anchor in the URL.
+  View()->ScrollAndFocusFragmentAnchor();
+  // Script run in the call above may detach the document.
  if (GetFrame() && View()) {
-    // If we're restoring a scroll position from history, that takes precedence
-    // over scrolling to the anchor in the URL.
-    View()->ScrollAndFocusFragmentAnchor();
    GetFrame()->Loader().RestoreScrollPositionAndViewState();
    // The focus call above can execute JS which can dirty layout. Ensure