From 5b4533cab8854032947b358e270092dbaabe7f81 Mon Sep 17 00:00:00 2001
From: Tim Ledbetter <timledbetter@gmail.com>
Date: Thu, 29 Feb 2024 21:53:58 +0000
Subject: [PATCH] LibWeb: Don't crash in offset_parent() if no ancestor element
 found

The specification says the final step of this algorithm is to return
null. Previously, the browser would crash if the content of an iframe
was appended to the document before its offsetParent property was
queried.
---
 .../Element-offsetParent-of-iframe.txt        |  1 +
 .../input/Element-offsetParent-of-iframe.html | 22 +++++++++++++++++++
 .../Libraries/LibWeb/HTML/HTMLElement.cpp     |  3 ++-
 3 files changed, 25 insertions(+), 1 deletion(-)
 create mode 100644 Tests/LibWeb/Text/expected/Element-offsetParent-of-iframe.txt
 create mode 100644 Tests/LibWeb/Text/input/Element-offsetParent-of-iframe.html

diff --git a/Tests/LibWeb/Text/expected/Element-offsetParent-of-iframe.txt b/Tests/LibWeb/Text/expected/Element-offsetParent-of-iframe.txt
new file mode 100644
index 00000000000..4c43e847960
--- /dev/null
+++ b/Tests/LibWeb/Text/expected/Element-offsetParent-of-iframe.txt
@@ -0,0 +1 @@
+iframe offsetParent value: null
diff --git a/Tests/LibWeb/Text/input/Element-offsetParent-of-iframe.html b/Tests/LibWeb/Text/input/Element-offsetParent-of-iframe.html
new file mode 100644
index 00000000000..5bd23ec53a1
--- /dev/null
+++ b/Tests/LibWeb/Text/input/Element-offsetParent-of-iframe.html
@@ -0,0 +1,22 @@
+<!DOCTYPE html>
+<script src="include.js"></script>
+<script>
+    function offsetParentOfChildDocument() {
+        const frameDocument = document.querySelector("iframe").contentDocument;
+        const frameRoot = frameDocument.documentElement;
+        document.documentElement.append(frameRoot);
+        document.dispatchEvent(new CustomEvent("offsetParentCalled", { detail: { iframeOffsetParent: frameRoot.offsetParent }}));
+    }
+
+    asyncTest(done => {
+        document.addEventListener("offsetParentCalled", event => {
+            println(`iframe offsetParent value: ${event.detail.iframeOffsetParent}`);
+            done();
+        });
+    });
+</script>
+<iframe srcdoc="
+<script>
+    window.parent.offsetParentOfChildDocument();
+</script>
+">
diff --git a/Userland/Libraries/LibWeb/HTML/HTMLElement.cpp b/Userland/Libraries/LibWeb/HTML/HTMLElement.cpp
index 690ed956d51..839e4e838c9 100644
--- a/Userland/Libraries/LibWeb/HTML/HTMLElement.cpp
+++ b/Userland/Libraries/LibWeb/HTML/HTMLElement.cpp
@@ -205,7 +205,8 @@ JS::GCPtr<DOM::Element> HTMLElement::offset_parent() const
             return const_cast<Element*>(ancestor);
     }
 
-    VERIFY_NOT_REACHED();
+    // 3. Return null.
+    return nullptr;
 }
 
 // https://www.w3.org/TR/cssom-view-1/#dom-htmlelement-offsettop