-
commit-queue@webkit.org authored
https://bugs.webkit.org/show_bug.cgi?id=64741 Patch by Scott Graham <scottmg@chromium.org> on 2011-08-04 Reviewed by Adam Barth. Source/WebCore: Three different errors triggered by this test case. The case to consider is a subdocument with an onunload on an element, that destroys the parent document during the onunload. One fix was a lifetime issue fixed by a protecting RefPtr, and another was an additional cancel of event triggers. The main fix was that during the transition to commited state, the documentLoader is being replaced by the provisionalDocumentLoader. But, because during firing events in the subdocument the parent is destroyed, that subevent caused the provisionalDocumentLoader to be detached from its frame. By marking the page as being in committed state before the parent documentLoader is set, this is avoided. Test: loader/document-destruction-within-unload.html * dom/Document.cpp: (WebCore::Document::implicitOpen): * loader/FrameLoader.cpp: (WebCore::FrameLoader::transitionToCommitted): (WebCore::FrameLoader::detachChildren): LayoutTests: * loader/document-destruction-within-unload-expected.txt: Added. * loader/document-destruction-within-unload.html: Added. * loader/resources/document-destruction-within-unload-iframe.html: Added. * loader/resources/document-destruction-within-unload.svg: Added. git-svn-id: http://svn.webkit.org/repository/webkit/trunk@92439 268f45cc-cd09-0410-ab3c-d52691b4dbfc
0fb5e568