    Bad interaction between document destruction and unload events · 0fb5e568
    commit-queue@webkit.org authored
    https://bugs.webkit.org/show_bug.cgi?id=64741
    
    Patch by Scott Graham <scottmg@chromium.org> on 2011-08-04
    Reviewed by Adam Barth.
    
    Source/WebCore:
    
    Three different errors triggered by this test case. The case to
    consider is a subdocument with an onunload on an element, that
    destroys the parent document during the onunload. One fix was a
    lifetime issue fixed by a protecting RefPtr, and another was an
    additional cancel of event triggers. The main fix was that during the
    transition to committed state, the documentLoader is being replaced by
    the provisionalDocumentLoader. But, because during firing events in
    the subdocument the parent is destroyed, that subevent caused the
    provisionalDocumentLoader to be detached from its frame. By marking
    the page as being in committed state before the parent documentLoader
    is set, this is avoided.
    
    Test: loader/document-destruction-within-unload.html
    
    * dom/Document.cpp:
    (WebCore::Document::implicitOpen):
    * loader/FrameLoader.cpp:
    (WebCore::FrameLoader::transitionToCommitted):
    (WebCore::FrameLoader::detachChildren):
    
    LayoutTests:
    
    * loader/document-destruction-within-unload-expected.txt: Added.
    * loader/document-destruction-within-unload.html: Added.
    * loader/resources/document-destruction-within-unload-iframe.html: Added.
    * loader/resources/document-destruction-within-unload.svg: Added.
    
    git-svn-id: http://svn.webkit.org/repository/webkit/trunk@92439 268f45cc-cd09-0410-ab3c-d52691b4dbfc