
commit f5e10c041cc3a8ec5577990a415870a35f8508af
parent bd4fd98495758979cc35b28d2c9af6b96b456d5a
Author: Vincent Hilla <vhilla@mozilla.com>
Date:   Fri, 12 Dec 2025 11:19:12 +0000

Bug 2005094 - Don't fail assertion if docshell is broken after initialization. r=hsivonen,dom-core,smaug

Differential Revision: https://phabricator.services.mozilla.com/D275960

Diffstat:
Adocshell/base/crashtests/2005094.html | 24++++++++++++++++++++++++
Mdocshell/base/crashtests/crashtests.list | 1+
Mdocshell/base/nsDocShell.cpp | 11++++++++---
Mdocshell/base/nsDocShell.h | 5+++--
4 files changed, 36 insertions(+), 5 deletions(-)

diff --git a/docshell/base/crashtests/2005094.html b/docshell/base/crashtests/2005094.html
@@ -0,0 +1,24 @@
+<div id=l1>
+ <div id=l2>
+ <iframe id="ifr"></iframe>
+ </div>
+</div>
+<script>
+document.addEventListener("DOMContentLoaded", () => {
+ // On load, synchronously re-bind the iframe to cause another synchronous load
+ ifr.onload = () => l1.appendChild(l2)
+ try {
+ // Start a synchronous load that nests itself indefinitely
+ ifr.parentNode.appendChild(ifr)
+ } catch (e) {
+ if (e.name == "RangeError") {
+ // Silence stack overflow errors
+ } else {
+ throw e;
+ }
+ }
+ // Once we're here, something interrupted the infinite recursion
+ // Don't crash when trying to access the possibly broken document
+ window.frames[0].document.body
+})
+</script>
diff --git a/docshell/base/crashtests/crashtests.list b/docshell/base/crashtests/crashtests.list
@@ -25,3 +25,4 @@ HTTP load 1804803.html
 load 1927517-1.html
 load 1927517-2.html
 load 1927517-3.html
+load 2005094.html
diff --git a/docshell/base/nsDocShell.cpp b/docshell/base/nsDocShell.cpp
@@ -6613,9 +6613,14 @@ bool nsDocShell::VerifyDocumentViewer() {
 if (mIsBeingDestroyed) {
 return false;
 }
- // The viewer should be created during docshell initialization. So unless
- // we're being destroyed, there always needs to be a viewer.
- MOZ_ASSERT_UNREACHABLE("The content viewer should've been created eagerly.");
+ if (!mInitialized) {
+ // The viewer should be created during docshell initialization. If something
+ // wants a viewer or document, it has to initialize the docshell first.
+ MOZ_ASSERT_UNREACHABLE(
+ "The docshell should be initialized to get a viewer.");
+ } else {
+ NS_WARNING("No document viewer, docshell failed to initialize.");
+ }
 return false;
 }
diff --git a/docshell/base/nsDocShell.h b/docshell/base/nsDocShell.h
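Review bot: In nsDocShell.cpp, the `NS_WARNING` text in the new `else` branch says the docshell "failed to initialize", but that branch is reached only when `mInitialized` is true, so the log message appears to describe the wrong state. Wording that matches the condition, such as `NS_WARNING("No document viewer although the docshell is initialized.");` with a comment like `// Initialized, but no viewer was created; callers must handle false.`, would be clearer. Because the assertion no longer covers this path, a false return after initialization is now a tolerated outcome in debug builds as well, so it is worth confirming that every caller checks the result before touching the viewer or document. The function begins above the hunk, so any earlier checks are not visible here.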
@@ -581,8 +581,9 @@ class nsDocShell final : public nsDocLoader,
 // Content Viewer Management
 //
- // Assert the document viewer exists or we are being destroyed
- // and return true if a viewer exists.
+ // Return whether a viewer exists and assert that we aren't
+ // trying to get a viewer before it's eager creation during docshell
+ // initialization.
 bool VerifyDocumentViewer();
 void DestroyDocumentViewer();
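Review bot: The rewritten comment above `VerifyDocumentViewer()` in nsDocShell.h has a typo (`it's eager creation` should be `its eager creation`) and does not mention that the function can now return false without asserting once the docshell is initialized. I would word it as `// Return whether a viewer exists. Asserts only when called before docshell` `// initialization, where the viewer is created eagerly; false is also returned` `// during destruction or if initialization left no viewer.` Marking the declaration `[[nodiscard]]` would help make sure callers check the result, provided the existing call sites already do. The class body extends beyond the hunk on both sides.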