Diff
Modified: trunk/LayoutTests/ChangeLog (202768 => 202769)
--- trunk/LayoutTests/ChangeLog 2016-07-02 00:59:38 UTC (rev 202768)
+++ trunk/LayoutTests/ChangeLog 2016-07-02 01:15:44 UTC (rev 202769)
@@ -1,3 +1,18 @@
+2016-07-01 Zalan Bujtas <[email protected]>
+
+ prepareForDestruction() always needs to be called before destroying the Document object.
+ https://bugs.webkit.org/show_bug.cgi?id=159372
+ rdar://problem/26788150
+
+ Reviewed by Antti Koivisto.
+
+ We should never start destroying the Document object without calling prepareForDestruction() first.
+ It ensures that render tree gets nuked before we start tearing down the node tree.
+
+ * fast/history/page-cache-destroy-document-expected.txt: Added.
+ * fast/history/page-cache-destroy-document.html: Added.
+ * fast/history/resources/page-cache-destroy-helper.html: Added.
+
2016-07-01 Saam Barati <[email protected]>
fix "ASSERTION FAILED: currentOffset() >= currentLineStartOffset()"
Modified: trunk/LayoutTests/TestExpectations (202768 => 202769)
--- trunk/LayoutTests/TestExpectations 2016-07-02 00:59:38 UTC (rev 202768)
+++ trunk/LayoutTests/TestExpectations 2016-07-02 01:15:44 UTC (rev 202769)
@@ -986,3 +986,5 @@
media/navigate-with-pip-should-not-crash.html [ WontFix ]
media/pip-video-going-into-fullscreen.html [ WontFix ]
media/video-contained-in-fullscreen-element-going-into-pip.html [ WontFix ]
+
+webkit.org/b/159370 [ Debug ] fast/history/page-cache-destroy-document.html [ Skip ]
Added: trunk/LayoutTests/fast/history/page-cache-destroy-document-expected.txt (0 => 202769)
--- trunk/LayoutTests/fast/history/page-cache-destroy-document-expected.txt (rev 0)
+++ trunk/LayoutTests/fast/history/page-cache-destroy-document-expected.txt 2016-07-02 01:15:44 UTC (rev 202769)
@@ -0,0 +1 @@
+PASS if no crash in release.
Added: trunk/LayoutTests/fast/history/page-cache-destroy-document.html (0 => 202769)
--- trunk/LayoutTests/fast/history/page-cache-destroy-document.html (rev 0)
+++ trunk/LayoutTests/fast/history/page-cache-destroy-document.html 2016-07-02 01:15:44 UTC (rev 202769)
@@ -0,0 +1,37 @@
+<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML//EN">
+<html>
+<head>
+<script src=""
+</head>
+<body>
+<p id="description"></p>
+<div id="console"></div>
+<script>
+description('Tests that page can safely remove an iframe durin pagehide event.');
+if (window.testRunner) {
+ window.testRunner.overridePreference("WebKitUsesPageCachePreferenceKey", 1);
+ window.testRunner.waitUntilDone();
+}
+
+window.addEventListener("pagehide", function(event) {
+ debug("pagehide - entering cache");
+ debug("remove iframe");
+ var iframe = document.getElementById("removeThis");
+ iframe.parentNode.removeChild(iframe);
+ finishJSTest();
+ window.testRunner.notifyDone();
+}, false);
+
+function runTest() {
+ // Force a back navigation back to this page.
+ setTimeout(function() {
+ window.location.href = ""
+ }, 10);
+}
+
+var successfullyParsed = true;
+var jsTestIsAsync = true;
+</script>
+<iframe _onload_="runTest()" id=removeThis src=""
+</body>
+</html>
Added: trunk/LayoutTests/fast/history/resources/page-cache-destroy-helper.html (0 => 202769)
--- trunk/LayoutTests/fast/history/resources/page-cache-destroy-helper.html (rev 0)
+++ trunk/LayoutTests/fast/history/resources/page-cache-destroy-helper.html 2016-07-02 01:15:44 UTC (rev 202769)
@@ -0,0 +1,8 @@
+PASS if no crash in release.
+<script>
+ window.addEventListener("load", function() {
+ setTimeout(function() {
+ history.back();
+ }, 0);
+ }, false);
+</script>
Modified: trunk/Source/WebCore/ChangeLog (202768 => 202769)
--- trunk/Source/WebCore/ChangeLog 2016-07-02 00:59:38 UTC (rev 202768)
+++ trunk/Source/WebCore/ChangeLog 2016-07-02 01:15:44 UTC (rev 202769)
@@ -1,3 +1,19 @@
+2016-07-01 Zalan Bujtas <[email protected]>
+
+ prepareForDestruction() always needs to be called before destroying the Document object.
+ https://bugs.webkit.org/show_bug.cgi?id=159372
+ rdar://problem/26788150
+
+ Reviewed by Antti Koivisto.
+
+ We should never start destroying the Document object without calling prepareForDestruction() first.
+ It ensures that render tree gets nuked before we start tearing down the node tree.
+
+ Test: fast/history/page-cache-destroy-document.html
+
+ * dom/Document.cpp:
+ (WebCore::Document::removedLastRef):
+
2016-07-01 Johan K. Jensen <[email protected]>
Web Inspector: Sending XHR with UTF8 encoded data shows garbled data in Resource sidebar
Modified: trunk/Source/WebCore/dom/Document.cpp (202768 => 202769)
--- trunk/Source/WebCore/dom/Document.cpp 2016-07-02 00:59:38 UTC (rev 202768)
+++ trunk/Source/WebCore/dom/Document.cpp 2016-07-02 01:15:44 UTC (rev 202769)
@@ -539,8 +539,6 @@
, m_cookieCacheExpiryTimer(*this, &Document::invalidateDOMCookieCache)
, m_disabledFieldsetElementsCount(0)
, m_hasInjectedPlugInsScript(false)
- , m_renderTreeBeingDestroyed(false)
- , m_hasPreparedForDestruction(false)
, m_hasStyleWithViewportUnits(false)
{
allDocuments().add(this);
@@ -675,6 +673,7 @@
// until after removeDetachedChildren returns, so we protect ourselves.
incrementReferencingNodeCount();
+ prepareForDestruction();
// We must make sure not to be retaining any of our children through
// these extra pointers or we will create a reference cycle.
m_focusedElement = nullptr;
Modified: trunk/Source/WebCore/dom/Document.h (202768 => 202769)
--- trunk/Source/WebCore/dom/Document.h 2016-07-02 00:59:38 UTC (rev 202768)
+++ trunk/Source/WebCore/dom/Document.h 2016-07-02 01:15:44 UTC (rev 202769)
@@ -1765,8 +1765,8 @@
unsigned m_disabledFieldsetElementsCount;
bool m_hasInjectedPlugInsScript;
- bool m_renderTreeBeingDestroyed;
- bool m_hasPreparedForDestruction;
+ bool m_renderTreeBeingDestroyed { false };
+ bool m_hasPreparedForDestruction { false };
bool m_hasStyleWithViewportUnits;
bool m_isTimerThrottlingEnabled { false };
