Title: [204777] releases/WebKitGTK/webkit-2.12
Revision: 204777
Author: [email protected]
Date: 2016-08-23 01:22:25 -0700 (Tue, 23 Aug 2016)

Log Message

Merge r202769 - prepareForDestruction() always needs to be called before destroying the Document object.
https://bugs.webkit.org/show_bug.cgi?id=159372
rdar://problem/26788150

Reviewed by Antti Koivisto.

We should never start destroying the Document object without calling prepareForDestruction() first.
It ensures that render tree gets nuked before we start tearing down the node tree.

Source/WebCore:

Test: fast/history/page-cache-destroy-document.html

* dom/Document.cpp:
(WebCore::Document::removedLastRef):

LayoutTests:

* fast/history/page-cache-destroy-document-expected.txt: Added.
* fast/history/page-cache-destroy-document.html: Added.
* fast/history/resources/page-cache-destroy-helper.html: Added.

Diff

Modified: releases/WebKitGTK/webkit-2.12/LayoutTests/ChangeLog (204776 => 204777)


--- releases/WebKitGTK/webkit-2.12/LayoutTests/ChangeLog	2016-08-23 07:35:25 UTC (rev 204776)
+++ releases/WebKitGTK/webkit-2.12/LayoutTests/ChangeLog	2016-08-23 08:22:25 UTC (rev 204777)
@@ -1,3 +1,18 @@
+2016-07-01  Zalan Bujtas  <[email protected]>
+
+        prepareForDestruction() always needs to be called before destroying the Document object.
+        https://bugs.webkit.org/show_bug.cgi?id=159372
+        rdar://problem/26788150
+
+        Reviewed by Antti Koivisto.
+
+        We should never start destroying the Document object without calling prepareForDestruction() first.
+        It ensures that render tree gets nuked before we start tearing down the node tree.
+
+        * fast/history/page-cache-destroy-document-expected.txt: Added.
+        * fast/history/page-cache-destroy-document.html: Added.
+        * fast/history/resources/page-cache-destroy-helper.html: Added.
+
 2016-06-20  Zalan Bujtas  <[email protected]>
 
         Set the end position on the placeholder BidiRun properly.

Added: releases/WebKitGTK/webkit-2.12/LayoutTests/fast/history/page-cache-destroy-document-expected.txt (0 => 204777)


--- releases/WebKitGTK/webkit-2.12/LayoutTests/fast/history/page-cache-destroy-document-expected.txt	                        (rev 0)
+++ releases/WebKitGTK/webkit-2.12/LayoutTests/fast/history/page-cache-destroy-document-expected.txt	2016-08-23 08:22:25 UTC (rev 204777)
@@ -0,0 +1 @@
+PASS if no crash in release.

Added: releases/WebKitGTK/webkit-2.12/LayoutTests/fast/history/page-cache-destroy-document.html (0 => 204777)


--- releases/WebKitGTK/webkit-2.12/LayoutTests/fast/history/page-cache-destroy-document.html	                        (rev 0)
+++ releases/WebKitGTK/webkit-2.12/LayoutTests/fast/history/page-cache-destroy-document.html	2016-08-23 08:22:25 UTC (rev 204777)
@@ -0,0 +1,37 @@
+<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML//EN">
+<html>
+<head>
+<script src=""
+</head>
+<body>
+<p id="description"></p>
+<div id="console"></div>
+<script>
+description('Tests that page can safely remove an iframe durin pagehide event.');
+if (window.testRunner) {
+    window.testRunner.overridePreference("WebKitUsesPageCachePreferenceKey", 1);
+    window.testRunner.waitUntilDone();
+}
+
+window.addEventListener("pagehide", function(event) {
+    debug("pagehide - entering cache");
+    debug("remove iframe");
+    var iframe = document.getElementById("removeThis");
+    iframe.parentNode.removeChild(iframe);
+    finishJSTest();
+    window.testRunner.notifyDone();
+}, false);
+
+function runTest() {
+    // Force a back navigation back to this page.
+    setTimeout(function() {
+        window.location.href = ""
+    }, 10);
+}
+
+var successfullyParsed = true;
+var jsTestIsAsync = true;
+</script>
+<iframe _onload_="runTest()" id=removeThis src=""
+</body>
+</html>
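
Review bot: In the pagehide listener, window.testRunner.notifyDone() is called without the if (window.testRunner) guard used at the top of the script, so opening this test by hand in a browser throws inside the handler; wrap the call in the same guard. The description string has a typo, "durin" for "during". The expected file added above contains only "PASS if no crash in release.", so the two debug() lines logged here are not in the compared output, and the test detects a crash but not a pagehide handler that never ran.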

Added: releases/WebKitGTK/webkit-2.12/LayoutTests/fast/history/resources/page-cache-destroy-helper.html (0 => 204777)


--- releases/WebKitGTK/webkit-2.12/LayoutTests/fast/history/resources/page-cache-destroy-helper.html	                        (rev 0)
+++ releases/WebKitGTK/webkit-2.12/LayoutTests/fast/history/resources/page-cache-destroy-helper.html	2016-08-23 08:22:25 UTC (rev 204777)
@@ -0,0 +1,8 @@
+PASS if no crash in release.
+<script>
+  window.addEventListener("load", function() {
+    setTimeout(function() {
+      history.back();
+    }, 0);
+  }, false);
+</script>

Modified: releases/WebKitGTK/webkit-2.12/Source/WebCore/ChangeLog (204776 => 204777)


--- releases/WebKitGTK/webkit-2.12/Source/WebCore/ChangeLog	2016-08-23 07:35:25 UTC (rev 204776)
+++ releases/WebKitGTK/webkit-2.12/Source/WebCore/ChangeLog	2016-08-23 08:22:25 UTC (rev 204777)
@@ -1,3 +1,19 @@
+2016-07-01  Zalan Bujtas  <[email protected]>
+
+        prepareForDestruction() always needs to be called before destroying the Document object.
+        https://bugs.webkit.org/show_bug.cgi?id=159372
+        rdar://problem/26788150
+
+        Reviewed by Antti Koivisto.
+
+        We should never start destroying the Document object without calling prepareForDestruction() first.
+        It ensures that render tree gets nuked before we start tearing down the node tree.
+
+        Test: fast/history/page-cache-destroy-document.html
+
+        * dom/Document.cpp:
+        (WebCore::Document::removedLastRef):
+
 2016-06-20  Zalan Bujtas  <[email protected]>
 
         Set the end position on the placeholder BidiRun properly.

Modified: releases/WebKitGTK/webkit-2.12/Source/WebCore/dom/Document.cpp (204776 => 204777)


--- releases/WebKitGTK/webkit-2.12/Source/WebCore/dom/Document.cpp	2016-08-23 07:35:25 UTC (rev 204776)
+++ releases/WebKitGTK/webkit-2.12/Source/WebCore/dom/Document.cpp	2016-08-23 08:22:25 UTC (rev 204777)
@@ -546,8 +546,6 @@
     , m_cookieCacheExpiryTimer(*this, &Document::invalidateDOMCookieCache)
     , m_disabledFieldsetElementsCount(0)
     , m_hasInjectedPlugInsScript(false)
-    , m_renderTreeBeingDestroyed(false)
-    , m_hasPreparedForDestruction(false)
     , m_hasStyleWithViewportUnits(false)
 {
     allDocuments().add(this);
@@ -680,6 +678,7 @@
         // until after removeDetachedChildren returns, so we protect ourselves.
         incrementReferencingNodeCount();
 
+        prepareForDestruction();
         // We must make sure not to be retaining any of our children through
         // these extra pointers or we will create a reference cycle.
         m_focusedElement = nullptr;
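
Review bot: The added prepareForDestruction() call in removedLastRef() has no comment of its own and sits directly above the existing "We must make sure not to be retaining any of our children" comment, which now reads as if it described the call. Add a blank line after the call and a one-line comment stating the invariant from the log message, that the render tree has to be gone before the node tree is torn down. The hunk also does not show whether a second call is a no-op when the document was already prepared; if m_hasPreparedForDestruction is what guards that, saying so at the call site would help the next reader.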

Modified: releases/WebKitGTK/webkit-2.12/Source/WebCore/dom/Document.h (204776 => 204777)


--- releases/WebKitGTK/webkit-2.12/Source/WebCore/dom/Document.h	2016-08-23 07:35:25 UTC (rev 204776)
+++ releases/WebKitGTK/webkit-2.12/Source/WebCore/dom/Document.h	2016-08-23 08:22:25 UTC (rev 204777)
@@ -1759,8 +1759,8 @@
     unsigned m_disabledFieldsetElementsCount;
 
     bool m_hasInjectedPlugInsScript;
-    bool m_renderTreeBeingDestroyed;
-    bool m_hasPreparedForDestruction;
+    bool m_renderTreeBeingDestroyed { false };
+    bool m_hasPreparedForDestruction { false };
 
     bool m_hasStyleWithViewportUnits;
     bool m_isTimerThrottlingEnabled { false };
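
Review bot: Only m_renderTreeBeingDestroyed and m_hasPreparedForDestruction get default member initializers here, while m_hasInjectedPlugInsScript and m_hasStyleWithViewportUnits on the neighbouring lines stay without one and, per the Document.cpp hunk, still rely on the constructor's initializer list. Either convert the neighbours as well or mention in the ChangeLog why these two flags were moved, since the log message does not cover this part of the change.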