From 1b37e8e3d227ee4267f4863e6a99c1a83efa7769 Mon Sep 17 00:00:00 2001
From: Nate Chapin <japhet@chromium.org>
Date: Thu, 7 Nov 2024 15:17:18 -0800
Subject: [PATCH] Ensure XMLDocumentParser doesn't hit a nullptr isolate while
 parsing a fragment

Bug: 376320342
Change-Id: I2be68f5bab0158121abf82aea1f5b6b71fab585c
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/6003358
Auto-Submit: Nate Chapin <japhet@chromium.org>
Reviewed-by: Joey Arhar <jarhar@chromium.org>
Commit-Queue: Joey Arhar <jarhar@chromium.org>
Commit-Queue: Nate Chapin <japhet@chromium.org>
Cr-Commit-Position: refs/heads/main@{#1379994}
---
 ...ualFragment-in-detached-xml-document-crash.html | 14 ++++++++++++++
 domparsing/resources/dummy-xml.xml                 |  1 +
 2 files changed, 15 insertions(+)
 create mode 100644 domparsing/createContextualFragment-in-detached-xml-document-crash.html
 create mode 100644 domparsing/resources/dummy-xml.xml

diff --git a/domparsing/createContextualFragment-in-detached-xml-document-crash.html b/domparsing/createContextualFragment-in-detached-xml-document-crash.html
new file mode 100644
index 00000000000000..d7c7e0033ebd20
--- /dev/null
+++ b/domparsing/createContextualFragment-in-detached-xml-document-crash.html
@@ -0,0 +1,14 @@
+<!DOCTYPE html>
+<body>
+<iframe id="i" src="resources/dummy-xml.xml"></iframe>
+<script>
+window.onload = () => {
+  let i = document.getElementById("i");
+  var range = i.contentDocument.createRange();
+  range.setStart(i.contentDocument.firstElementChild, 0);
+  i.remove();
+
+  range.createContextualFragment('<p>Should not crash</p>');
+}
+</script>
+</body>
diff --git a/domparsing/resources/dummy-xml.xml b/domparsing/resources/dummy-xml.xml
new file mode 100644
index 00000000000000..46f36c60b66400
--- /dev/null
+++ b/domparsing/resources/dummy-xml.xml
@@ -0,0 +1 @@
+<?xml version='1.0' encoding='UTF-8'?><body/>