Fix nullptr deref in maybeRenderFallbackContent()

third_party/WebKit/Source/web/tests/WebFrameTest.cpp

 /*
  * Copyright (C) 2010 Google Inc. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions are
  * met:
  *
  *     * Redistributions of source code must retain the above copyright
  * notice, this list of conditions and the following disclaimer.
  *     * Redistributions in binary form must reproduce the above
@@ skipping 11547 matching lines @@
 TEST_F(WebFrameTest, ContextMenuData) {
   EXPECT_FALSE(testSelectAll("<textarea></textarea>"));
   EXPECT_TRUE(testSelectAll("<textarea>nonempty</textarea>"));
   EXPECT_FALSE(testSelectAll("<input>"));
   EXPECT_TRUE(testSelectAll("<input value='nonempty'>"));
   // TODO(amaralp): Empty contenteditable should not have select all enabled.
   EXPECT_TRUE(testSelectAll("<div contenteditable></div>"));
   EXPECT_TRUE(testSelectAll("<div contenteditable>nonempty</div>"));
 }
 
+class TestFallbackWebFrameClient : public FrameTestHelpers::TestWebFrameClient {
+ public:
+  explicit TestFallbackWebFrameClient() : m_childClient(nullptr) {}
+
+  void setChildWebFrameClient(TestFallbackWebFrameClient* client) {
+    m_childClient = client;
+  }
+
+  WebLocalFrame* createChildFrame(
+      WebLocalFrame* parent,
+      WebTreeScopeType scope,
+      const WebString&,
+      const WebString&,
+      WebSandboxFlags,
+      const WebFrameOwnerProperties& frameOwnerProperties) override {
+    DCHECK(m_childClient);
+    WebLocalFrame* frame =
+        WebLocalFrame::create(scope, m_childClient, nullptr, nullptr);
+    parent->appendChild(frame);
+    return frame;
+  }
+
+  WebNavigationPolicy decidePolicyForNavigation(
+      const NavigationPolicyInfo& info) override {
+    if (m_childClient || KURL(info.urlRequest.url()) == blankURL())
+      return WebNavigationPolicyCurrentTab;
+    return WebNavigationPolicyHandledByClient;
+  }
+
+ private:
+  TestFallbackWebFrameClient* m_childClient;
+};
+
+TEST_F(WebFrameTest, FallbackForNonexistentProvisionalNavigation) {
+  registerMockedHttpURLLoad("fallback.html");
+  TestFallbackWebFrameClient mainClient;
+  TestFallbackWebFrameClient childClient;
+  mainClient.setChildWebFrameClient(&childClient);
+
+  FrameTestHelpers::WebViewHelper webViewHelper;
+  webViewHelper.initialize(true, &mainClient);
+
+  WebLocalFrameImpl* mainFrame = webViewHelper.webView()->mainFrameImpl();
+  WebURLRequest request(toKURL(m_baseURL + "fallback.html"));
+  mainFrame->loadRequest(request);
+
+  // Because the child frame will be HandledByClient, the main frame will not
+  // finish loading, so we cant use
+  // FrameTestHelpers::pumpPendingRequestsForFrameToLoad.
+  Platform::current()->getURLLoaderMockFactory()->serveAsynchronousRequests();
+
+  // Overwrite the client-handled child frame navigation with about:blank

[arthursonzogni, 2017/03/31 09:16:33]

Nit: maybe a dot at the end of the line.

[Nate Chapin, 2017/03/31 23:59:59]

Done.

+  WebLocalFrame* child = mainFrame->firstChild()->toWebLocalFrame();
+  child->loadRequest(WebURLRequest(blankURL()));
+
+  // Failing the original child frame navigation and trying to render fallback
+  // content shouldn't crash. It should return true as though it showed
+  // fallback. This is so the caller won't attempt to replace the correctly
+  // empty frame with an error page.
+  EXPECT_TRUE(child->maybeRenderFallbackContent(WebURLError()));
+}
+
 }  // namespace blink