<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN"
"http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head><meta http-equiv="content-type" content="text/html; charset=utf-8" />
<title>[195625] trunk</title>
</head>
<body>
<style type="text/css"><!--
#msg dl.meta { border: 1px #006 solid; background: #369; padding: 6px; color: #fff; }
#msg dl.meta dt { float: left; width: 6em; font-weight: bold; }
#msg dt:after { content:':';}
#msg dl, #msg dt, #msg ul, #msg li, #header, #footer, #logmsg { font-family: verdana,arial,helvetica,sans-serif; font-size: 10pt; }
#msg dl a { font-weight: bold}
#msg dl a:link { color:#fc3; }
#msg dl a:active { color:#ff0; }
#msg dl a:visited { color:#cc6; }
h3 { font-family: verdana,arial,helvetica,sans-serif; font-size: 10pt; font-weight: bold; }
#msg pre { overflow: auto; background: #ffc; border: 1px #fa0 solid; padding: 6px; }
#logmsg { background: #ffc; border: 1px #fa0 solid; padding: 1em 1em 0 1em; }
#logmsg p, #logmsg pre, #logmsg blockquote { margin: 0 0 1em 0; }
#logmsg p, #logmsg li, #logmsg dt, #logmsg dd { line-height: 14pt; }
#logmsg h1, #logmsg h2, #logmsg h3, #logmsg h4, #logmsg h5, #logmsg h6 { margin: .5em 0; }
#logmsg h1:first-child, #logmsg h2:first-child, #logmsg h3:first-child, #logmsg h4:first-child, #logmsg h5:first-child, #logmsg h6:first-child { margin-top: 0; }
#logmsg ul, #logmsg ol { padding: 0; list-style-position: inside; margin: 0 0 0 1em; }
#logmsg ul { text-indent: -1em; padding-left: 1em; }#logmsg ol { text-indent: -1.5em; padding-left: 1.5em; }
#logmsg > ul, #logmsg > ol { margin: 0 0 1em 0; }
#logmsg pre { background: #eee; padding: 1em; }
#logmsg blockquote { border: 1px solid #fa0; border-left-width: 10px; padding: 1em 1em 0 1em; background: white;}
#logmsg dl { margin: 0; }
#logmsg dt { font-weight: bold; }
#logmsg dd { margin: 0; padding: 0 0 0.5em 0; }
#logmsg dd:before { content:'\00bb';}
#logmsg table { border-spacing: 0px; border-collapse: collapse; border-top: 4px solid #fa0; border-bottom: 1px solid #fa0; background: #fff; }
#logmsg table th { text-align: left; font-weight: normal; padding: 0.2em 0.5em; border-top: 1px dotted #fa0; }
#logmsg table td { text-align: right; border-top: 1px dotted #fa0; padding: 0.2em 0.5em; }
#logmsg table thead th { text-align: center; border-bottom: 1px solid #fa0; }
#logmsg table th.Corner { text-align: left; }
#logmsg hr { border: none 0; border-top: 2px dashed #fa0; height: 1px; }
#header, #footer { color: #fff; background: #636; border: 1px #300 solid; padding: 6px; }
#patch { width: 100%; }
#patch h4 {font-family: verdana,arial,helvetica,sans-serif;font-size:10pt;padding:8px;background:#369;color:#fff;margin:0;}
#patch .propset h4, #patch .binary h4 {margin:0;}
#patch pre {padding:0;line-height:1.2em;margin:0;}
#patch .diff {width:100%;background:#eee;padding: 0 0 10px 0;overflow:auto;}
#patch .propset .diff, #patch .binary .diff {padding:10px 0;}
#patch span {display:block;padding:0 10px;}
#patch .modfile, #patch .addfile, #patch .delfile, #patch .propset, #patch .binary, #patch .copfile {border:1px solid #ccc;margin:10px 0;}
#patch ins {background:#dfd;text-decoration:none;display:block;padding:0 10px;}
#patch del {background:#fdd;text-decoration:none;display:block;padding:0 10px;}
#patch .lines, .info {color:#888;background:#fff;}
--></style>
<div id="msg">
<dl class="meta">
<dt>Revision</dt> <dd><a href="http://trac.webkit.org/projects/webkit/changeset/195625">195625</a></dd>
<dt>Author</dt> <dd>beidson@apple.com</dd>
<dt>Date</dt> <dd>2016-01-26 14:48:15 -0800 (Tue, 26 Jan 2016)</dd>
</dl>
<h3>Log Message</h3>
<pre>History.pushState causes intense memory pressure.
https://bugs.webkit.org/show_bug.cgi?id=153435
Reviewed by Sam Weinig, Oliver Hunt, and Geoff Garen.
Source/WebCore:
Tests: fast/loader/stateobjects/pushstate-frequency-iframe.html
fast/loader/stateobjects/pushstate-frequency-with-user-gesture.html
fast/loader/stateobjects/pushstate-frequency.html
fast/loader/stateobjects/replacestate-frequency-iframe.html
fast/loader/stateobjects/replacestate-frequency-with-user-gesture.html
fast/loader/stateobjects/replacestate-frequency.html
loader/stateobjects/pushstate-size-iframe.html
loader/stateobjects/pushstate-size.html
loader/stateobjects/replacestate-size-iframe.html
loader/stateobjects/replacestate-size.html
Add restrictions on how frequently push/replaceState can be called,
as well as how much of a cumulative payload they can deliver.
* bindings/js/JSHistoryCustom.cpp:
(WebCore::JSHistory::pushState):
(WebCore::JSHistory::replaceState):
* page/History.cpp:
(WebCore::History::stateObjectAdded):
* page/History.h:
LayoutTests:
* TestExpectations: Mark some of the new tests as slow.
* fast/loader/stateobjects/pushstate-frequency-expected.txt: Added.
* fast/loader/stateobjects/pushstate-frequency-iframe-expected.txt: Added.
* fast/loader/stateobjects/pushstate-frequency-iframe.html: Added.
* fast/loader/stateobjects/pushstate-frequency-with-user-gesture-expected.txt: Added.
* fast/loader/stateobjects/pushstate-frequency-with-user-gesture.html: Added.
* fast/loader/stateobjects/pushstate-frequency.html: Added.
* fast/loader/stateobjects/replacestate-frequency-expected.txt: Added.
* fast/loader/stateobjects/replacestate-frequency-iframe-expected.txt: Added.
* fast/loader/stateobjects/replacestate-frequency-iframe.html: Added.
* fast/loader/stateobjects/replacestate-frequency-with-user-gesture-expected.txt: Added.
* fast/loader/stateobjects/replacestate-frequency-with-user-gesture.html: Added.
* fast/loader/stateobjects/replacestate-frequency.html: Added.
* fast/loader/stateobjects/resources/pushstate-iframe.html: Added.
* fast/loader/stateobjects/resources/replacestate-iframe.html: Added.
* loader/stateobjects/pushstate-size-expected.txt: Added.
* loader/stateobjects/pushstate-size-iframe-expected.txt: Added.
* loader/stateobjects/pushstate-size-iframe.html: Added.
* loader/stateobjects/pushstate-size.html: Added.
* loader/stateobjects/replacestate-size-expected.txt: Added.
* loader/stateobjects/replacestate-size-iframe-expected.txt: Added.
* loader/stateobjects/replacestate-size-iframe.html: Added.
* loader/stateobjects/replacestate-size.html: Added.
* loader/stateobjects/resources/pushstate-iframe.html: Added.
* loader/stateobjects/resources/replacestate-iframe.html: Added.</pre>
<h3>Modified Paths</h3>
<ul>
<li><a href="#trunkLayoutTestsChangeLog">trunk/LayoutTests/ChangeLog</a></li>
<li><a href="#trunkLayoutTestsTestExpectations">trunk/LayoutTests/TestExpectations</a></li>
<li><a href="#trunkSourceWebCoreChangeLog">trunk/Source/WebCore/ChangeLog</a></li>
<li><a href="#trunkSourceWebCorebindingsjsJSHistoryCustomcpp">trunk/Source/WebCore/bindings/js/JSHistoryCustom.cpp</a></li>
<li><a href="#trunkSourceWebCorepageHistorycpp">trunk/Source/WebCore/page/History.cpp</a></li>
<li><a href="#trunkSourceWebCorepageHistoryh">trunk/Source/WebCore/page/History.h</a></li>
</ul>
<h3>Added Paths</h3>
<ul>
<li><a href="#trunkLayoutTestsfastloaderstateobjectspushstatefrequencyexpectedtxt">trunk/LayoutTests/fast/loader/stateobjects/pushstate-frequency-expected.txt</a></li>
<li><a href="#trunkLayoutTestsfastloaderstateobjectspushstatefrequencyiframeexpectedtxt">trunk/LayoutTests/fast/loader/stateobjects/pushstate-frequency-iframe-expected.txt</a></li>
<li><a href="#trunkLayoutTestsfastloaderstateobjectspushstatefrequencyiframehtml">trunk/LayoutTests/fast/loader/stateobjects/pushstate-frequency-iframe.html</a></li>
<li><a href="#trunkLayoutTestsfastloaderstateobjectspushstatefrequencywithusergestureexpectedtxt">trunk/LayoutTests/fast/loader/stateobjects/pushstate-frequency-with-user-gesture-expected.txt</a></li>
<li><a href="#trunkLayoutTestsfastloaderstateobjectspushstatefrequencywithusergesturehtml">trunk/LayoutTests/fast/loader/stateobjects/pushstate-frequency-with-user-gesture.html</a></li>
<li><a href="#trunkLayoutTestsfastloaderstateobjectspushstatefrequencyhtml">trunk/LayoutTests/fast/loader/stateobjects/pushstate-frequency.html</a></li>
<li><a href="#trunkLayoutTestsfastloaderstateobjectsreplacestatefrequencyexpectedtxt">trunk/LayoutTests/fast/loader/stateobjects/replacestate-frequency-expected.txt</a></li>
<li><a href="#trunkLayoutTestsfastloaderstateobjectsreplacestatefrequencyiframeexpectedtxt">trunk/LayoutTests/fast/loader/stateobjects/replacestate-frequency-iframe-expected.txt</a></li>
<li><a href="#trunkLayoutTestsfastloaderstateobjectsreplacestatefrequencyiframehtml">trunk/LayoutTests/fast/loader/stateobjects/replacestate-frequency-iframe.html</a></li>
<li><a href="#trunkLayoutTestsfastloaderstateobjectsreplacestatefrequencywithusergestureexpectedtxt">trunk/LayoutTests/fast/loader/stateobjects/replacestate-frequency-with-user-gesture-expected.txt</a></li>
<li><a href="#trunkLayoutTestsfastloaderstateobjectsreplacestatefrequencywithusergesturehtml">trunk/LayoutTests/fast/loader/stateobjects/replacestate-frequency-with-user-gesture.html</a></li>
<li><a href="#trunkLayoutTestsfastloaderstateobjectsreplacestatefrequencyhtml">trunk/LayoutTests/fast/loader/stateobjects/replacestate-frequency.html</a></li>
<li><a href="#trunkLayoutTestsfastloaderstateobjectsresourcespushstateiframehtml">trunk/LayoutTests/fast/loader/stateobjects/resources/pushstate-iframe.html</a></li>
<li><a href="#trunkLayoutTestsfastloaderstateobjectsresourcesreplacestateiframehtml">trunk/LayoutTests/fast/loader/stateobjects/resources/replacestate-iframe.html</a></li>
<li>trunk/LayoutTests/loader/stateobjects/</li>
<li><a href="#trunkLayoutTestsloaderstateobjectspushstatesizeexpectedtxt">trunk/LayoutTests/loader/stateobjects/pushstate-size-expected.txt</a></li>
<li><a href="#trunkLayoutTestsloaderstateobjectspushstatesizeiframeexpectedtxt">trunk/LayoutTests/loader/stateobjects/pushstate-size-iframe-expected.txt</a></li>
<li><a href="#trunkLayoutTestsloaderstateobjectspushstatesizeiframehtml">trunk/LayoutTests/loader/stateobjects/pushstate-size-iframe.html</a></li>
<li><a href="#trunkLayoutTestsloaderstateobjectspushstatesizehtml">trunk/LayoutTests/loader/stateobjects/pushstate-size.html</a></li>
<li><a href="#trunkLayoutTestsloaderstateobjectsreplacestatesizeexpectedtxt">trunk/LayoutTests/loader/stateobjects/replacestate-size-expected.txt</a></li>
<li><a href="#trunkLayoutTestsloaderstateobjectsreplacestatesizeiframeexpectedtxt">trunk/LayoutTests/loader/stateobjects/replacestate-size-iframe-expected.txt</a></li>
<li><a href="#trunkLayoutTestsloaderstateobjectsreplacestatesizeiframehtml">trunk/LayoutTests/loader/stateobjects/replacestate-size-iframe.html</a></li>
<li><a href="#trunkLayoutTestsloaderstateobjectsreplacestatesizehtml">trunk/LayoutTests/loader/stateobjects/replacestate-size.html</a></li>
<li>trunk/LayoutTests/loader/stateobjects/resources/</li>
<li><a href="#trunkLayoutTestsloaderstateobjectsresourcespushstateiframehtml">trunk/LayoutTests/loader/stateobjects/resources/pushstate-iframe.html</a></li>
<li><a href="#trunkLayoutTestsloaderstateobjectsresourcesreplacestateiframehtml">trunk/LayoutTests/loader/stateobjects/resources/replacestate-iframe.html</a></li>
</ul>
</div>
<div id="patch">
<h3>Diff</h3>
<a id="trunkLayoutTestsChangeLog"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/ChangeLog (195624 => 195625)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/ChangeLog 2016-01-26 22:22:25 UTC (rev 195624)
+++ trunk/LayoutTests/ChangeLog 2016-01-26 22:48:15 UTC (rev 195625)
</span><span class="lines">@@ -1,3 +1,37 @@
</span><ins>+2016-01-26 Brady Eidson <beidson@apple.com>
+
+ History.pushState causes intense memory pressure.
+ https://bugs.webkit.org/show_bug.cgi?id=153435
+
+ Reviewed by Sam Weinig, Oliver Hunt, and Geoff Garen.
+
+ * TestExpectations: Mark some of the new tests as slow.
+
+ * fast/loader/stateobjects/pushstate-frequency-expected.txt: Added.
+ * fast/loader/stateobjects/pushstate-frequency-iframe-expected.txt: Added.
+ * fast/loader/stateobjects/pushstate-frequency-iframe.html: Added.
+ * fast/loader/stateobjects/pushstate-frequency-with-user-gesture-expected.txt: Added.
+ * fast/loader/stateobjects/pushstate-frequency-with-user-gesture.html: Added.
+ * fast/loader/stateobjects/pushstate-frequency.html: Added.
+ * fast/loader/stateobjects/replacestate-frequency-expected.txt: Added.
+ * fast/loader/stateobjects/replacestate-frequency-iframe-expected.txt: Added.
+ * fast/loader/stateobjects/replacestate-frequency-iframe.html: Added.
+ * fast/loader/stateobjects/replacestate-frequency-with-user-gesture-expected.txt: Added.
+ * fast/loader/stateobjects/replacestate-frequency-with-user-gesture.html: Added.
+ * fast/loader/stateobjects/replacestate-frequency.html: Added.
+ * fast/loader/stateobjects/resources/pushstate-iframe.html: Added.
+ * fast/loader/stateobjects/resources/replacestate-iframe.html: Added.
+ * loader/stateobjects/pushstate-size-expected.txt: Added.
+ * loader/stateobjects/pushstate-size-iframe-expected.txt: Added.
+ * loader/stateobjects/pushstate-size-iframe.html: Added.
+ * loader/stateobjects/pushstate-size.html: Added.
+ * loader/stateobjects/replacestate-size-expected.txt: Added.
+ * loader/stateobjects/replacestate-size-iframe-expected.txt: Added.
+ * loader/stateobjects/replacestate-size-iframe.html: Added.
+ * loader/stateobjects/replacestate-size.html: Added.
+ * loader/stateobjects/resources/pushstate-iframe.html: Added.
+ * loader/stateobjects/resources/replacestate-iframe.html: Added.
+
</ins><span class="cx"> 2016-01-26 Ryan Haddad <ryanhaddad@apple.com>
</span><span class="cx">
</span><span class="cx"> Rebaselining cssom/subpixel-offsetleft-top-width-height-values.html for ios-simulator
</span></span></pre></div>
<a id="trunkLayoutTestsTestExpectations"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/TestExpectations (195624 => 195625)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/TestExpectations 2016-01-26 22:22:25 UTC (rev 195624)
+++ trunk/LayoutTests/TestExpectations 2016-01-26 22:48:15 UTC (rev 195625)
</span><span class="lines">@@ -847,3 +847,9 @@
</span><span class="cx"> http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-overrides-xfo.html # Needs expected file.
</span><span class="cx"> http/tests/security/contentSecurityPolicy/1.1/scripthash-default-src.html # Needs expected file.
</span><span class="cx"> http/tests/security/contentSecurityPolicy/1.1/stylehash-default-src.html # Needs expected file.
</span><ins>+
+# These state object tests purposefully stress a resource limit, and take multiple seconds to run.
+loader/stateobjects/pushstate-size-iframe.html [ Slow ]
+loader/stateobjects/pushstate-size.html [ Slow ]
+loader/stateobjects/replacestate-size-iframe.html [ Slow ]
+loader/stateobjects/replacestate-size.html [ Slow ]
</ins></span></pre></div>
<a id="trunkLayoutTestsfastloaderstateobjectspushstatefrequencyexpectedtxt"></a>
<div class="addfile"><h4>Added: trunk/LayoutTests/fast/loader/stateobjects/pushstate-frequency-expected.txt (0 => 195625)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/fast/loader/stateobjects/pushstate-frequency-expected.txt (rev 0)
+++ trunk/LayoutTests/fast/loader/stateobjects/pushstate-frequency-expected.txt 2016-01-26 22:48:15 UTC (rev 195625)
</span><span class="lines">@@ -0,0 +1,104 @@
</span><ins>+Test should complete quickly and not crash.
+Successfully added item: 0
+Successfully added item: 1
+Successfully added item: 2
+Successfully added item: 3
+Successfully added item: 4
+Successfully added item: 5
+Successfully added item: 6
+Successfully added item: 7
+Successfully added item: 8
+Successfully added item: 9
+Successfully added item: 10
+Successfully added item: 11
+Successfully added item: 12
+Successfully added item: 13
+Successfully added item: 14
+Successfully added item: 15
+Successfully added item: 16
+Successfully added item: 17
+Successfully added item: 18
+Successfully added item: 19
+Successfully added item: 20
+Successfully added item: 21
+Successfully added item: 22
+Successfully added item: 23
+Successfully added item: 24
+Successfully added item: 25
+Successfully added item: 26
+Successfully added item: 27
+Successfully added item: 28
+Successfully added item: 29
+Successfully added item: 30
+Successfully added item: 31
+Successfully added item: 32
+Successfully added item: 33
+Successfully added item: 34
+Successfully added item: 35
+Successfully added item: 36
+Successfully added item: 37
+Successfully added item: 38
+Successfully added item: 39
+Successfully added item: 40
+Successfully added item: 41
+Successfully added item: 42
+Successfully added item: 43
+Successfully added item: 44
+Successfully added item: 45
+Successfully added item: 46
+Successfully added item: 47
+Successfully added item: 48
+Successfully added item: 49
+Successfully added item: 50
+Successfully added item: 51
+Successfully added item: 52
+Successfully added item: 53
+Successfully added item: 54
+Successfully added item: 55
+Successfully added item: 56
+Successfully added item: 57
+Successfully added item: 58
+Successfully added item: 59
+Successfully added item: 60
+Successfully added item: 61
+Successfully added item: 62
+Successfully added item: 63
+Successfully added item: 64
+Successfully added item: 65
+Successfully added item: 66
+Successfully added item: 67
+Successfully added item: 68
+Successfully added item: 69
+Successfully added item: 70
+Successfully added item: 71
+Successfully added item: 72
+Successfully added item: 73
+Successfully added item: 74
+Successfully added item: 75
+Successfully added item: 76
+Successfully added item: 77
+Successfully added item: 78
+Successfully added item: 79
+Successfully added item: 80
+Successfully added item: 81
+Successfully added item: 82
+Successfully added item: 83
+Successfully added item: 84
+Successfully added item: 85
+Successfully added item: 86
+Successfully added item: 87
+Successfully added item: 88
+Successfully added item: 89
+Successfully added item: 90
+Successfully added item: 91
+Successfully added item: 92
+Successfully added item: 93
+Successfully added item: 94
+Successfully added item: 95
+Successfully added item: 96
+Successfully added item: 97
+Successfully added item: 98
+Successfully added item: 99
+Error: SecurityError: DOM Exception 18
+Test complete
+
</ins></span></pre></div>
<a id="trunkLayoutTestsfastloaderstateobjectspushstatefrequencyiframeexpectedtxt"></a>
<div class="addfile"><h4>Added: trunk/LayoutTests/fast/loader/stateobjects/pushstate-frequency-iframe-expected.txt (0 => 195625)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/fast/loader/stateobjects/pushstate-frequency-iframe-expected.txt (rev 0)
+++ trunk/LayoutTests/fast/loader/stateobjects/pushstate-frequency-iframe-expected.txt 2016-01-26 22:48:15 UTC (rev 195625)
</span><span class="lines">@@ -0,0 +1,111 @@
</span><ins>+Test should complete quickly and not crash.
+Test does pushStates both from the main frame and from an iframe and makes sure they both count against state object count limit.
+Click to test pushState through a user gesture
+Successfully added item: 0
+Successfully added item: 1
+Successfully added item: 2
+Successfully added item: 3
+Successfully added item: 4
+Successfully added item: 5
+Successfully added item: 6
+Successfully added item: 7
+Successfully added item: 8
+Successfully added item: 9
+Successfully added item: 10
+Successfully added item: 11
+Successfully added item: 12
+Successfully added item: 13
+Successfully added item: 14
+Successfully added item: 15
+Successfully added item: 16
+Successfully added item: 17
+Successfully added item: 18
+Successfully added item: 19
+Successfully added item: 20
+Successfully added item: 21
+Successfully added item: 22
+Successfully added item: 23
+Successfully added item: 24
+Successfully added item: 25
+Successfully added item: 26
+Successfully added item: 27
+Successfully added item: 28
+Successfully added item: 29
+Successfully added item: 30
+Successfully added item: 31
+Successfully added item: 32
+Successfully added item: 33
+Successfully added item: 34
+Successfully added item: 35
+Successfully added item: 36
+Successfully added item: 37
+Successfully added item: 38
+Successfully added item: 39
+Successfully added item: 40
+Successfully added item: 41
+Successfully added item: 42
+Successfully added item: 43
+Successfully added item: 44
+Successfully added item: 45
+Successfully added item: 46
+Successfully added item: 47
+Successfully added item: 48
+Successfully added item: 49
+Successfully added item: 50
+Successfully added item: 51
+Successfully added item: 52
+Successfully added item: 53
+Successfully added item: 54
+Successfully added item: 55
+Successfully added item: 56
+Successfully added item: 57
+Successfully added item: 58
+Successfully added item: 59
+Successfully added item: 60
+Successfully added item: 61
+Successfully added item: 62
+Successfully added item: 63
+Successfully added item: 64
+Successfully added item: 65
+Successfully added item: 66
+Successfully added item: 67
+Successfully added item: 68
+Successfully added item: 69
+Successfully added item: 70
+Successfully added item: 71
+Successfully added item: 72
+Successfully added item: 73
+Successfully added item: 74
+
+
+--------
+Frame: '<!--framePath //<!--frame0-->-->'
+--------
+Adding state objects in iframe
+Successfully added item: 0
+Successfully added item: 1
+Successfully added item: 2
+Successfully added item: 3
+Successfully added item: 4
+Successfully added item: 5
+Successfully added item: 6
+Successfully added item: 7
+Successfully added item: 8
+Successfully added item: 9
+Successfully added item: 10
+Successfully added item: 11
+Successfully added item: 12
+Successfully added item: 13
+Successfully added item: 14
+Successfully added item: 15
+Successfully added item: 16
+Successfully added item: 17
+Successfully added item: 18
+Successfully added item: 19
+Successfully added item: 20
+Successfully added item: 21
+Successfully added item: 22
+Successfully added item: 23
+Successfully added item: 24
+Expected exception: Error: SecurityError: DOM Exception 18
+
</ins></span></pre></div>
<a id="trunkLayoutTestsfastloaderstateobjectspushstatefrequencyiframehtml"></a>
<div class="addfile"><h4>Added: trunk/LayoutTests/fast/loader/stateobjects/pushstate-frequency-iframe.html (0 => 195625)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/fast/loader/stateobjects/pushstate-frequency-iframe.html (rev 0)
+++ trunk/LayoutTests/fast/loader/stateobjects/pushstate-frequency-iframe.html 2016-01-26 22:48:15 UTC (rev 195625)
</span><span class="lines">@@ -0,0 +1,40 @@
</span><ins>+<script>
+
+if (window.testRunner) {
+ testRunner.dumpAsText();
+ testRunner.dumpChildFramesAsText();
+ testRunner.waitUntilDone();
+}
+
+function log(msg) {
+ document.getElementById("logger").innerHTML += msg + "<br>";
+}
+
+window.onload = function()
+{
+ try {
+ for( var i = 0; i < 75; ++i ) {
+ history.pushState(0, 0, i.toString());
+ log("Successfully added item: " + i);
+ }
+ } catch (e) {
+ log(e);
+ }
+
+ openFrame();
+}
+
+function openFrame()
+{
+ var iframe = document.createElement('iframe');
+ iframe.src = 'resources/pushstate-iframe.html'
+ document.body.appendChild(iframe);
+}
+
+</script>
+<body>
+Test should complete quickly and not crash.<br>
+Test does pushStates both from the main frame and from an iframe and makes sure they both count against state object count limit.<br>
+<button id="button" onclick="clicked();">Click to test pushState through a user gesture</button>
+<div id="logger"></div>
+</body>
</ins></span></pre></div>
<a id="trunkLayoutTestsfastloaderstateobjectspushstatefrequencywithusergestureexpectedtxt"></a>
<div class="addfile"><h4>Added: trunk/LayoutTests/fast/loader/stateobjects/pushstate-frequency-with-user-gesture-expected.txt (0 => 195625)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/fast/loader/stateobjects/pushstate-frequency-with-user-gesture-expected.txt (rev 0)
+++ trunk/LayoutTests/fast/loader/stateobjects/pushstate-frequency-with-user-gesture-expected.txt 2016-01-26 22:48:15 UTC (rev 195625)
</span><span class="lines">@@ -0,0 +1,206 @@
</span><ins>+Test should complete quickly and not crash.
+Click to test pushState through a user gesture
+Successfully added item: 0
+Successfully added item: 1
+Successfully added item: 2
+Successfully added item: 3
+Successfully added item: 4
+Successfully added item: 5
+Successfully added item: 6
+Successfully added item: 7
+Successfully added item: 8
+Successfully added item: 9
+Successfully added item: 10
+Successfully added item: 11
+Successfully added item: 12
+Successfully added item: 13
+Successfully added item: 14
+Successfully added item: 15
+Successfully added item: 16
+Successfully added item: 17
+Successfully added item: 18
+Successfully added item: 19
+Successfully added item: 20
+Successfully added item: 21
+Successfully added item: 22
+Successfully added item: 23
+Successfully added item: 24
+Successfully added item: 25
+Successfully added item: 26
+Successfully added item: 27
+Successfully added item: 28
+Successfully added item: 29
+Successfully added item: 30
+Successfully added item: 31
+Successfully added item: 32
+Successfully added item: 33
+Successfully added item: 34
+Successfully added item: 35
+Successfully added item: 36
+Successfully added item: 37
+Successfully added item: 38
+Successfully added item: 39
+Successfully added item: 40
+Successfully added item: 41
+Successfully added item: 42
+Successfully added item: 43
+Successfully added item: 44
+Successfully added item: 45
+Successfully added item: 46
+Successfully added item: 47
+Successfully added item: 48
+Successfully added item: 49
+Successfully added item: 50
+Successfully added item: 51
+Successfully added item: 52
+Successfully added item: 53
+Successfully added item: 54
+Successfully added item: 55
+Successfully added item: 56
+Successfully added item: 57
+Successfully added item: 58
+Successfully added item: 59
+Successfully added item: 60
+Successfully added item: 61
+Successfully added item: 62
+Successfully added item: 63
+Successfully added item: 64
+Successfully added item: 65
+Successfully added item: 66
+Successfully added item: 67
+Successfully added item: 68
+Successfully added item: 69
+Successfully added item: 70
+Successfully added item: 71
+Successfully added item: 72
+Successfully added item: 73
+Successfully added item: 74
+Successfully added item: 75
+Successfully added item: 76
+Successfully added item: 77
+Successfully added item: 78
+Successfully added item: 79
+Successfully added item: 80
+Successfully added item: 81
+Successfully added item: 82
+Successfully added item: 83
+Successfully added item: 84
+Successfully added item: 85
+Successfully added item: 86
+Successfully added item: 87
+Successfully added item: 88
+Successfully added item: 89
+Successfully added item: 90
+Successfully added item: 91
+Successfully added item: 92
+Successfully added item: 93
+Successfully added item: 94
+Successfully added item: 95
+Successfully added item: 96
+Successfully added item: 97
+Successfully added item: 98
+Successfully added item: 99
+Error: SecurityError: DOM Exception 18
+Successfully added user gesture item: 0
+Successfully added user gesture item: 1
+Successfully added user gesture item: 2
+Successfully added user gesture item: 3
+Successfully added user gesture item: 4
+Successfully added user gesture item: 5
+Successfully added user gesture item: 6
+Successfully added user gesture item: 7
+Successfully added user gesture item: 8
+Successfully added user gesture item: 9
+Successfully added user gesture item: 10
+Successfully added user gesture item: 11
+Successfully added user gesture item: 12
+Successfully added user gesture item: 13
+Successfully added user gesture item: 14
+Successfully added user gesture item: 15
+Successfully added user gesture item: 16
+Successfully added user gesture item: 17
+Successfully added user gesture item: 18
+Successfully added user gesture item: 19
+Successfully added user gesture item: 20
+Successfully added user gesture item: 21
+Successfully added user gesture item: 22
+Successfully added user gesture item: 23
+Successfully added user gesture item: 24
+Successfully added user gesture item: 25
+Successfully added user gesture item: 26
+Successfully added user gesture item: 27
+Successfully added user gesture item: 28
+Successfully added user gesture item: 29
+Successfully added user gesture item: 30
+Successfully added user gesture item: 31
+Successfully added user gesture item: 32
+Successfully added user gesture item: 33
+Successfully added user gesture item: 34
+Successfully added user gesture item: 35
+Successfully added user gesture item: 36
+Successfully added user gesture item: 37
+Successfully added user gesture item: 38
+Successfully added user gesture item: 39
+Successfully added user gesture item: 40
+Successfully added user gesture item: 41
+Successfully added user gesture item: 42
+Successfully added user gesture item: 43
+Successfully added user gesture item: 44
+Successfully added user gesture item: 45
+Successfully added user gesture item: 46
+Successfully added user gesture item: 47
+Successfully added user gesture item: 48
+Successfully added user gesture item: 49
+Successfully added user gesture item: 50
+Successfully added user gesture item: 51
+Successfully added user gesture item: 52
+Successfully added user gesture item: 53
+Successfully added user gesture item: 54
+Successfully added user gesture item: 55
+Successfully added user gesture item: 56
+Successfully added user gesture item: 57
+Successfully added user gesture item: 58
+Successfully added user gesture item: 59
+Successfully added user gesture item: 60
+Successfully added user gesture item: 61
+Successfully added user gesture item: 62
+Successfully added user gesture item: 63
+Successfully added user gesture item: 64
+Successfully added user gesture item: 65
+Successfully added user gesture item: 66
+Successfully added user gesture item: 67
+Successfully added user gesture item: 68
+Successfully added user gesture item: 69
+Successfully added user gesture item: 70
+Successfully added user gesture item: 71
+Successfully added user gesture item: 72
+Successfully added user gesture item: 73
+Successfully added user gesture item: 74
+Successfully added user gesture item: 75
+Successfully added user gesture item: 76
+Successfully added user gesture item: 77
+Successfully added user gesture item: 78
+Successfully added user gesture item: 79
+Successfully added user gesture item: 80
+Successfully added user gesture item: 81
+Successfully added user gesture item: 82
+Successfully added user gesture item: 83
+Successfully added user gesture item: 84
+Successfully added user gesture item: 85
+Successfully added user gesture item: 86
+Successfully added user gesture item: 87
+Successfully added user gesture item: 88
+Successfully added user gesture item: 89
+Successfully added user gesture item: 90
+Successfully added user gesture item: 91
+Successfully added user gesture item: 92
+Successfully added user gesture item: 93
+Successfully added user gesture item: 94
+Successfully added user gesture item: 95
+Successfully added user gesture item: 96
+Successfully added user gesture item: 97
+Successfully added user gesture item: 98
+Successfully added user gesture item: 99
+User gesture: Error: SecurityError: DOM Exception 18
+Test complete
+
</ins></span></pre></div>
<a id="trunkLayoutTestsfastloaderstateobjectspushstatefrequencywithusergesturehtml"></a>
<div class="addfile"><h4>Added: trunk/LayoutTests/fast/loader/stateobjects/pushstate-frequency-with-user-gesture.html (0 => 195625)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/fast/loader/stateobjects/pushstate-frequency-with-user-gesture.html (rev 0)
+++ trunk/LayoutTests/fast/loader/stateobjects/pushstate-frequency-with-user-gesture.html 2016-01-26 22:48:15 UTC (rev 195625)
</span><span class="lines">@@ -0,0 +1,51 @@
</span><ins>+<script>
+
+if (window.testRunner) {
+ testRunner.dumpAsText();
+ testRunner.waitUntilDone();
+}
+
+function log(msg) {
+ document.getElementById("logger").innerHTML += msg + "<br>";
+}
+
+window.onload = function()
+{
+ try {
+ for( var i = 0; i < 100000; ++i ) {
+ history.pushState(0, 0, i);
+ log("Successfully added item: " + i);
+ }
+ } catch (e) {
+ log(e);
+ }
+
+ var button = document.getElementById("button");
+ eventSender.mouseMoveTo(button.offsetLeft + 5, button.offsetTop + 5);
+ eventSender.mouseDown();
+ eventSender.mouseUp();
+}
+
+function clicked()
+{
+ try {
+ for( var i = 0; i < 100000; ++i ) {
+ history.pushState(0, 0, i);
+ log("Successfully added user gesture item: " + i);
+ }
+ } catch (e) {
+ log("User gesture: " + e);
+ }
+
+ if (window.testRunner)
+ testRunner.notifyDone();
+
+ log("Test complete");
+}
+
+</script>
+<body>
+Test should complete quickly and not crash.<br>
+<button id="button" onclick="clicked();">Click to test pushState through a user gesture</button>
+<div id="logger"></div>
+</body>
</ins></span></pre></div>
<a id="trunkLayoutTestsfastloaderstateobjectspushstatefrequencyhtml"></a>
<div class="addfile"><h4>Added: trunk/LayoutTests/fast/loader/stateobjects/pushstate-frequency.html (0 => 195625)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/fast/loader/stateobjects/pushstate-frequency.html (rev 0)
+++ trunk/LayoutTests/fast/loader/stateobjects/pushstate-frequency.html 2016-01-26 22:48:15 UTC (rev 195625)
</span><span class="lines">@@ -0,0 +1,32 @@
</span><ins>+<script>
+
+if (window.testRunner) {
+ testRunner.dumpAsText();
+ testRunner.waitUntilDone();
+}
+
+function log(msg) {
+ document.getElementById("logger").innerHTML += msg + "<br>";
+}
+
+window.onload = function() {
+ try {
+ for( var i = 0; i < 100000; ++i ) {
+ history.pushState(0, 0, i.toString());
+ log("Successfully added item: " + i);
+ }
+ } catch (e) {
+ log(e);
+ }
+
+ if (window.testRunner)
+ testRunner.notifyDone();
+
+ log("Test complete");
+}
+
+</script>
+<body>
+Test should complete quickly and not crash.<br>
+<div id="logger"></div>
+</body>
</ins></span></pre></div>
<a id="trunkLayoutTestsfastloaderstateobjectsreplacestatefrequencyexpectedtxt"></a>
<div class="addfile"><h4>Added: trunk/LayoutTests/fast/loader/stateobjects/replacestate-frequency-expected.txt (0 => 195625)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/fast/loader/stateobjects/replacestate-frequency-expected.txt (rev 0)
+++ trunk/LayoutTests/fast/loader/stateobjects/replacestate-frequency-expected.txt 2016-01-26 22:48:15 UTC (rev 195625)
</span><span class="lines">@@ -0,0 +1,104 @@
</span><ins>+Test should complete quickly and not crash.
+Successfully added item: 0
+Successfully added item: 1
+Successfully added item: 2
+Successfully added item: 3
+Successfully added item: 4
+Successfully added item: 5
+Successfully added item: 6
+Successfully added item: 7
+Successfully added item: 8
+Successfully added item: 9
+Successfully added item: 10
+Successfully added item: 11
+Successfully added item: 12
+Successfully added item: 13
+Successfully added item: 14
+Successfully added item: 15
+Successfully added item: 16
+Successfully added item: 17
+Successfully added item: 18
+Successfully added item: 19
+Successfully added item: 20
+Successfully added item: 21
+Successfully added item: 22
+Successfully added item: 23
+Successfully added item: 24
+Successfully added item: 25
+Successfully added item: 26
+Successfully added item: 27
+Successfully added item: 28
+Successfully added item: 29
+Successfully added item: 30
+Successfully added item: 31
+Successfully added item: 32
+Successfully added item: 33
+Successfully added item: 34
+Successfully added item: 35
+Successfully added item: 36
+Successfully added item: 37
+Successfully added item: 38
+Successfully added item: 39
+Successfully added item: 40
+Successfully added item: 41
+Successfully added item: 42
+Successfully added item: 43
+Successfully added item: 44
+Successfully added item: 45
+Successfully added item: 46
+Successfully added item: 47
+Successfully added item: 48
+Successfully added item: 49
+Successfully added item: 50
+Successfully added item: 51
+Successfully added item: 52
+Successfully added item: 53
+Successfully added item: 54
+Successfully added item: 55
+Successfully added item: 56
+Successfully added item: 57
+Successfully added item: 58
+Successfully added item: 59
+Successfully added item: 60
+Successfully added item: 61
+Successfully added item: 62
+Successfully added item: 63
+Successfully added item: 64
+Successfully added item: 65
+Successfully added item: 66
+Successfully added item: 67
+Successfully added item: 68
+Successfully added item: 69
+Successfully added item: 70
+Successfully added item: 71
+Successfully added item: 72
+Successfully added item: 73
+Successfully added item: 74
+Successfully added item: 75
+Successfully added item: 76
+Successfully added item: 77
+Successfully added item: 78
+Successfully added item: 79
+Successfully added item: 80
+Successfully added item: 81
+Successfully added item: 82
+Successfully added item: 83
+Successfully added item: 84
+Successfully added item: 85
+Successfully added item: 86
+Successfully added item: 87
+Successfully added item: 88
+Successfully added item: 89
+Successfully added item: 90
+Successfully added item: 91
+Successfully added item: 92
+Successfully added item: 93
+Successfully added item: 94
+Successfully added item: 95
+Successfully added item: 96
+Successfully added item: 97
+Successfully added item: 98
+Successfully added item: 99
+Error: SecurityError: DOM Exception 18
+Test complete
+
</ins></span></pre></div>
<a id="trunkLayoutTestsfastloaderstateobjectsreplacestatefrequencyiframeexpectedtxt"></a>
<div class="addfile"><h4>Added: trunk/LayoutTests/fast/loader/stateobjects/replacestate-frequency-iframe-expected.txt (0 => 195625)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/fast/loader/stateobjects/replacestate-frequency-iframe-expected.txt (rev 0)
+++ trunk/LayoutTests/fast/loader/stateobjects/replacestate-frequency-iframe-expected.txt 2016-01-26 22:48:15 UTC (rev 195625)
</span><span class="lines">@@ -0,0 +1,111 @@
</span><ins>+Test should not crash.
+Test does replaceStates both from the main frame and from an iframe and makes sure they both count against state object count limit.
+Click to test replaceState through a user gesture
+Successfully added item: 0
+Successfully added item: 1
+Successfully added item: 2
+Successfully added item: 3
+Successfully added item: 4
+Successfully added item: 5
+Successfully added item: 6
+Successfully added item: 7
+Successfully added item: 8
+Successfully added item: 9
+Successfully added item: 10
+Successfully added item: 11
+Successfully added item: 12
+Successfully added item: 13
+Successfully added item: 14
+Successfully added item: 15
+Successfully added item: 16
+Successfully added item: 17
+Successfully added item: 18
+Successfully added item: 19
+Successfully added item: 20
+Successfully added item: 21
+Successfully added item: 22
+Successfully added item: 23
+Successfully added item: 24
+Successfully added item: 25
+Successfully added item: 26
+Successfully added item: 27
+Successfully added item: 28
+Successfully added item: 29
+Successfully added item: 30
+Successfully added item: 31
+Successfully added item: 32
+Successfully added item: 33
+Successfully added item: 34
+Successfully added item: 35
+Successfully added item: 36
+Successfully added item: 37
+Successfully added item: 38
+Successfully added item: 39
+Successfully added item: 40
+Successfully added item: 41
+Successfully added item: 42
+Successfully added item: 43
+Successfully added item: 44
+Successfully added item: 45
+Successfully added item: 46
+Successfully added item: 47
+Successfully added item: 48
+Successfully added item: 49
+Successfully added item: 50
+Successfully added item: 51
+Successfully added item: 52
+Successfully added item: 53
+Successfully added item: 54
+Successfully added item: 55
+Successfully added item: 56
+Successfully added item: 57
+Successfully added item: 58
+Successfully added item: 59
+Successfully added item: 60
+Successfully added item: 61
+Successfully added item: 62
+Successfully added item: 63
+Successfully added item: 64
+Successfully added item: 65
+Successfully added item: 66
+Successfully added item: 67
+Successfully added item: 68
+Successfully added item: 69
+Successfully added item: 70
+Successfully added item: 71
+Successfully added item: 72
+Successfully added item: 73
+Successfully added item: 74
+
+
+--------
+Frame: '<!--framePath //<!--frame0-->-->'
+--------
+Adding state objects in iframe
+Successfully added item: 0
+Successfully added item: 1
+Successfully added item: 2
+Successfully added item: 3
+Successfully added item: 4
+Successfully added item: 5
+Successfully added item: 6
+Successfully added item: 7
+Successfully added item: 8
+Successfully added item: 9
+Successfully added item: 10
+Successfully added item: 11
+Successfully added item: 12
+Successfully added item: 13
+Successfully added item: 14
+Successfully added item: 15
+Successfully added item: 16
+Successfully added item: 17
+Successfully added item: 18
+Successfully added item: 19
+Successfully added item: 20
+Successfully added item: 21
+Successfully added item: 22
+Successfully added item: 23
+Successfully added item: 24
+Expected exception: Error: SecurityError: DOM Exception 18
+
</ins></span></pre></div>
<a id="trunkLayoutTestsfastloaderstateobjectsreplacestatefrequencyiframehtml"></a>
<div class="addfile"><h4>Added: trunk/LayoutTests/fast/loader/stateobjects/replacestate-frequency-iframe.html (0 => 195625)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/fast/loader/stateobjects/replacestate-frequency-iframe.html (rev 0)
+++ trunk/LayoutTests/fast/loader/stateobjects/replacestate-frequency-iframe.html 2016-01-26 22:48:15 UTC (rev 195625)
</span><span class="lines">@@ -0,0 +1,40 @@
</span><ins>+<script>
+
+if (window.testRunner) {
+ testRunner.dumpAsText();
+ testRunner.dumpChildFramesAsText();
+ testRunner.waitUntilDone();
+}
+
+function log(msg) {
+ document.getElementById("logger").innerHTML += msg + "<br>";
+}
+
+window.onload = function()
+{
+ try {
+ for( var i = 0; i < 75; ++i ) {
+ history.replaceState(0, 0, i.toString());
+ log("Successfully added item: " + i);
+ }
+ } catch (e) {
+ log(e);
+ }
+
+ openFrame();
+}
+
+function openFrame()
+{
+ var iframe = document.createElement('iframe');
+ iframe.src = 'resources/replaceState-iframe.html'
+ document.body.appendChild(iframe);
+}
+
+</script>
+<body>
+Test should not crash.<br>
+Test does replaceStates both from the main frame and from an iframe and makes sure they both count against state object count limit.<br>
+<button id="button" onclick="clicked();">Click to test replaceState through a user gesture</button>
+<div id="logger"></div>
+</body>
</ins></span></pre></div>
<a id="trunkLayoutTestsfastloaderstateobjectsreplacestatefrequencywithusergestureexpectedtxt"></a>
<div class="addfile"><h4>Added: trunk/LayoutTests/fast/loader/stateobjects/replacestate-frequency-with-user-gesture-expected.txt (0 => 195625)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/fast/loader/stateobjects/replacestate-frequency-with-user-gesture-expected.txt (rev 0)
+++ trunk/LayoutTests/fast/loader/stateobjects/replacestate-frequency-with-user-gesture-expected.txt 2016-01-26 22:48:15 UTC (rev 195625)
</span><span class="lines">@@ -0,0 +1,206 @@
</span><ins>+Test should complete quickly and not crash.
+Click to test replaceState through a user gesture
+Successfully added item: 0
+Successfully added item: 1
+Successfully added item: 2
+Successfully added item: 3
+Successfully added item: 4
+Successfully added item: 5
+Successfully added item: 6
+Successfully added item: 7
+Successfully added item: 8
+Successfully added item: 9
+Successfully added item: 10
+Successfully added item: 11
+Successfully added item: 12
+Successfully added item: 13
+Successfully added item: 14
+Successfully added item: 15
+Successfully added item: 16
+Successfully added item: 17
+Successfully added item: 18
+Successfully added item: 19
+Successfully added item: 20
+Successfully added item: 21
+Successfully added item: 22
+Successfully added item: 23
+Successfully added item: 24
+Successfully added item: 25
+Successfully added item: 26
+Successfully added item: 27
+Successfully added item: 28
+Successfully added item: 29
+Successfully added item: 30
+Successfully added item: 31
+Successfully added item: 32
+Successfully added item: 33
+Successfully added item: 34
+Successfully added item: 35
+Successfully added item: 36
+Successfully added item: 37
+Successfully added item: 38
+Successfully added item: 39
+Successfully added item: 40
+Successfully added item: 41
+Successfully added item: 42
+Successfully added item: 43
+Successfully added item: 44
+Successfully added item: 45
+Successfully added item: 46
+Successfully added item: 47
+Successfully added item: 48
+Successfully added item: 49
+Successfully added item: 50
+Successfully added item: 51
+Successfully added item: 52
+Successfully added item: 53
+Successfully added item: 54
+Successfully added item: 55
+Successfully added item: 56
+Successfully added item: 57
+Successfully added item: 58
+Successfully added item: 59
+Successfully added item: 60
+Successfully added item: 61
+Successfully added item: 62
+Successfully added item: 63
+Successfully added item: 64
+Successfully added item: 65
+Successfully added item: 66
+Successfully added item: 67
+Successfully added item: 68
+Successfully added item: 69
+Successfully added item: 70
+Successfully added item: 71
+Successfully added item: 72
+Successfully added item: 73
+Successfully added item: 74
+Successfully added item: 75
+Successfully added item: 76
+Successfully added item: 77
+Successfully added item: 78
+Successfully added item: 79
+Successfully added item: 80
+Successfully added item: 81
+Successfully added item: 82
+Successfully added item: 83
+Successfully added item: 84
+Successfully added item: 85
+Successfully added item: 86
+Successfully added item: 87
+Successfully added item: 88
+Successfully added item: 89
+Successfully added item: 90
+Successfully added item: 91
+Successfully added item: 92
+Successfully added item: 93
+Successfully added item: 94
+Successfully added item: 95
+Successfully added item: 96
+Successfully added item: 97
+Successfully added item: 98
+Successfully added item: 99
+Error: SecurityError: DOM Exception 18
+Successfully added user gesture item: 0
+Successfully added user gesture item: 1
+Successfully added user gesture item: 2
+Successfully added user gesture item: 3
+Successfully added user gesture item: 4
+Successfully added user gesture item: 5
+Successfully added user gesture item: 6
+Successfully added user gesture item: 7
+Successfully added user gesture item: 8
+Successfully added user gesture item: 9
+Successfully added user gesture item: 10
+Successfully added user gesture item: 11
+Successfully added user gesture item: 12
+Successfully added user gesture item: 13
+Successfully added user gesture item: 14
+Successfully added user gesture item: 15
+Successfully added user gesture item: 16
+Successfully added user gesture item: 17
+Successfully added user gesture item: 18
+Successfully added user gesture item: 19
+Successfully added user gesture item: 20
+Successfully added user gesture item: 21
+Successfully added user gesture item: 22
+Successfully added user gesture item: 23
+Successfully added user gesture item: 24
+Successfully added user gesture item: 25
+Successfully added user gesture item: 26
+Successfully added user gesture item: 27
+Successfully added user gesture item: 28
+Successfully added user gesture item: 29
+Successfully added user gesture item: 30
+Successfully added user gesture item: 31
+Successfully added user gesture item: 32
+Successfully added user gesture item: 33
+Successfully added user gesture item: 34
+Successfully added user gesture item: 35
+Successfully added user gesture item: 36
+Successfully added user gesture item: 37
+Successfully added user gesture item: 38
+Successfully added user gesture item: 39
+Successfully added user gesture item: 40
+Successfully added user gesture item: 41
+Successfully added user gesture item: 42
+Successfully added user gesture item: 43
+Successfully added user gesture item: 44
+Successfully added user gesture item: 45
+Successfully added user gesture item: 46
+Successfully added user gesture item: 47
+Successfully added user gesture item: 48
+Successfully added user gesture item: 49
+Successfully added user gesture item: 50
+Successfully added user gesture item: 51
+Successfully added user gesture item: 52
+Successfully added user gesture item: 53
+Successfully added user gesture item: 54
+Successfully added user gesture item: 55
+Successfully added user gesture item: 56
+Successfully added user gesture item: 57
+Successfully added user gesture item: 58
+Successfully added user gesture item: 59
+Successfully added user gesture item: 60
+Successfully added user gesture item: 61
+Successfully added user gesture item: 62
+Successfully added user gesture item: 63
+Successfully added user gesture item: 64
+Successfully added user gesture item: 65
+Successfully added user gesture item: 66
+Successfully added user gesture item: 67
+Successfully added user gesture item: 68
+Successfully added user gesture item: 69
+Successfully added user gesture item: 70
+Successfully added user gesture item: 71
+Successfully added user gesture item: 72
+Successfully added user gesture item: 73
+Successfully added user gesture item: 74
+Successfully added user gesture item: 75
+Successfully added user gesture item: 76
+Successfully added user gesture item: 77
+Successfully added user gesture item: 78
+Successfully added user gesture item: 79
+Successfully added user gesture item: 80
+Successfully added user gesture item: 81
+Successfully added user gesture item: 82
+Successfully added user gesture item: 83
+Successfully added user gesture item: 84
+Successfully added user gesture item: 85
+Successfully added user gesture item: 86
+Successfully added user gesture item: 87
+Successfully added user gesture item: 88
+Successfully added user gesture item: 89
+Successfully added user gesture item: 90
+Successfully added user gesture item: 91
+Successfully added user gesture item: 92
+Successfully added user gesture item: 93
+Successfully added user gesture item: 94
+Successfully added user gesture item: 95
+Successfully added user gesture item: 96
+Successfully added user gesture item: 97
+Successfully added user gesture item: 98
+Successfully added user gesture item: 99
+User gesture: Error: SecurityError: DOM Exception 18
+Test complete
+
</ins></span></pre></div>
<a id="trunkLayoutTestsfastloaderstateobjectsreplacestatefrequencywithusergesturehtml"></a>
<div class="addfile"><h4>Added: trunk/LayoutTests/fast/loader/stateobjects/replacestate-frequency-with-user-gesture.html (0 => 195625)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/fast/loader/stateobjects/replacestate-frequency-with-user-gesture.html (rev 0)
+++ trunk/LayoutTests/fast/loader/stateobjects/replacestate-frequency-with-user-gesture.html 2016-01-26 22:48:15 UTC (rev 195625)
</span><span class="lines">@@ -0,0 +1,51 @@
</span><ins>+<script>
+
+if (window.testRunner) {
+ testRunner.dumpAsText();
+ testRunner.waitUntilDone();
+}
+
+function log(msg) {
+ document.getElementById("logger").innerHTML += msg + "<br>";
+}
+
+window.onload = function()
+{
+ try {
+ for( var i = 0; i < 100000; ++i ) {
+ history.replaceState(0, 0, i);
+ log("Successfully added item: " + i);
+ }
+ } catch (e) {
+ log(e);
+ }
+
+ var button = document.getElementById("button");
+ eventSender.mouseMoveTo(button.offsetLeft + 5, button.offsetTop + 5);
+ eventSender.mouseDown();
+ eventSender.mouseUp();
+}
+
+function clicked()
+{
+ try {
+ for( var i = 0; i < 100000; ++i ) {
+ history.replaceState(0, 0, i);
+ log("Successfully added user gesture item: " + i);
+ }
+ } catch (e) {
+ log("User gesture: " + e);
+ }
+
+ if (window.testRunner)
+ testRunner.notifyDone();
+
+ log("Test complete");
+}
+
+</script>
+<body>
+Test should complete quickly and not crash.<br>
+<button id="button" onclick="clicked();">Click to test replaceState through a user gesture</button>
+<div id="logger"></div>
+</body>
</ins></span></pre></div>
<a id="trunkLayoutTestsfastloaderstateobjectsreplacestatefrequencyhtml"></a>
<div class="addfile"><h4>Added: trunk/LayoutTests/fast/loader/stateobjects/replacestate-frequency.html (0 => 195625)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/fast/loader/stateobjects/replacestate-frequency.html (rev 0)
+++ trunk/LayoutTests/fast/loader/stateobjects/replacestate-frequency.html 2016-01-26 22:48:15 UTC (rev 195625)
</span><span class="lines">@@ -0,0 +1,32 @@
</span><ins>+<script>
+
+if (window.testRunner) {
+ testRunner.dumpAsText();
+ testRunner.waitUntilDone();
+}
+
+function log(msg) {
+ document.getElementById("logger").innerHTML += msg + "<br>";
+}
+
+window.onload = function() {
+ try {
+ for( var i = 0; i < 100000; ++i ) {
+ history.replaceState(0, 0, i.toString());
+ log("Successfully added item: " + i);
+ }
+ } catch (e) {
+ log(e);
+ }
+
+ if (window.testRunner)
+ testRunner.notifyDone();
+
+ log("Test complete");
+}
+
+</script>
+<body>
+Test should complete quickly and not crash.<br>
+<div id="logger"></div>
+</body>
</ins></span></pre></div>
<a id="trunkLayoutTestsfastloaderstateobjectsresourcespushstateiframehtml"></a>
<div class="addfile"><h4>Added: trunk/LayoutTests/fast/loader/stateobjects/resources/pushstate-iframe.html (0 => 195625)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/fast/loader/stateobjects/resources/pushstate-iframe.html (rev 0)
+++ trunk/LayoutTests/fast/loader/stateobjects/resources/pushstate-iframe.html 2016-01-26 22:48:15 UTC (rev 195625)
</span><span class="lines">@@ -0,0 +1,30 @@
</span><ins>+<script>
+
+if (window.testRunner) {
+ testRunner.dumpAsText();
+ testRunner.waitUntilDone();
+}
+
+function log(msg) {
+ document.getElementById("logger").innerHTML += msg + "<br>";
+}
+
+window.onload = function()
+{
+ log("Adding state objects in iframe");
+ try {
+ for( var i = 0; i < 75; ++i ) {
+ history.pushState(0, 0, i.toString());
+ log("Successfully added item: " + i);
+ }
+ } catch (e) {
+ log("Expected exception: " + e);
+ if (window.testRunner)
+ testRunner.notifyDone();
+ }
+}
+
+</script>
+<body>
+<div id="logger"></div>
+</body>
</ins></span></pre></div>
<a id="trunkLayoutTestsfastloaderstateobjectsresourcesreplacestateiframehtml"></a>
<div class="addfile"><h4>Added: trunk/LayoutTests/fast/loader/stateobjects/resources/replacestate-iframe.html (0 => 195625)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/fast/loader/stateobjects/resources/replacestate-iframe.html (rev 0)
+++ trunk/LayoutTests/fast/loader/stateobjects/resources/replacestate-iframe.html 2016-01-26 22:48:15 UTC (rev 195625)
</span><span class="lines">@@ -0,0 +1,30 @@
</span><ins>+<script>
+
+if (window.testRunner) {
+ testRunner.dumpAsText();
+ testRunner.waitUntilDone();
+}
+
+function log(msg) {
+ document.getElementById("logger").innerHTML += msg + "<br>";
+}
+
+window.onload = function()
+{
+ log("Adding state objects in iframe");
+ try {
+ for( var i = 0; i < 75; ++i ) {
+ history.replaceState(0, 0, i.toString());
+ log("Successfully added item: " + i);
+ }
+ } catch (e) {
+ log("Expected exception: " + e);
+ if (window.testRunner)
+ testRunner.notifyDone();
+ }
+}
+
+</script>
+<body>
+<div id="logger"></div>
+</body>
</ins></span></pre></div>
<a id="trunkLayoutTestsloaderstateobjectspushstatesizeexpectedtxt"></a>
<div class="addfile"><h4>Added: trunk/LayoutTests/loader/stateobjects/pushstate-size-expected.txt (0 => 195625)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/loader/stateobjects/pushstate-size-expected.txt (rev 0)
+++ trunk/LayoutTests/loader/stateobjects/pushstate-size-expected.txt 2016-01-26 22:48:15 UTC (rev 195625)
</span><span class="lines">@@ -0,0 +1,24 @@
</span><ins>+Test should not crash.
+Click to test pushState through a user gesture
+Successfully added item: 1 times
+Successfully added item: 2 times
+Successfully added item: 3 times
+Successfully added item: 4 times
+Successfully added item: 5 times
+Successfully added item: 6 times
+Successfully added item: 7 times
+Successfully added item: 8 times
+Successfully added item: 9 times
+Successfully added item: 10 times
+Successfully added item: 11 times
+Successfully added item: 12 times
+Successfully added item: 13 times
+Successfully added item: 14 times
+Successfully added item: 15 times
+Successfully added item: 16 times
+Successfully added item: 17 times
+Successfully added item: 18 times
+Successfully added item: 19 times
+Successfully added item: 20 times
+User gesture: Error: QuotaExceededError: DOM Exception 22
+
</ins></span></pre></div>
<a id="trunkLayoutTestsloaderstateobjectspushstatesizeiframeexpectedtxt"></a>
<div class="addfile"><h4>Added: trunk/LayoutTests/loader/stateobjects/pushstate-size-iframe-expected.txt (0 => 195625)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/loader/stateobjects/pushstate-size-iframe-expected.txt (rev 0)
+++ trunk/LayoutTests/loader/stateobjects/pushstate-size-iframe-expected.txt 2016-01-26 22:48:15 UTC (rev 195625)
</span><span class="lines">@@ -0,0 +1,30 @@
</span><ins>+Test should not crash.
+Test does pushState both from the main frame and from an iframe and makes sure they both count against the main frame document's size limit.
+Click to test pushState through a user gesture
+Parent frame successfully added item: 1 times
+Parent frame successfully added item: 2 times
+Parent frame successfully added item: 3 times
+Parent frame successfully added item: 4 times
+Parent frame successfully added item: 5 times
+Parent frame successfully added item: 6 times
+Parent frame successfully added item: 7 times
+Parent frame successfully added item: 8 times
+Parent frame successfully added item: 9 times
+Parent frame successfully added item: 10 times
+
+
+--------
+Frame: '<!--framePath //<!--frame0-->-->'
+--------
+iFrame successfully added item: 1 times
+iFrame successfully added item: 2 times
+iFrame successfully added item: 3 times
+iFrame successfully added item: 4 times
+iFrame successfully added item: 5 times
+iFrame successfully added item: 6 times
+iFrame successfully added item: 7 times
+iFrame successfully added item: 8 times
+iFrame successfully added item: 9 times
+iFrame successfully added item: 10 times
+Expected exception: Error: QuotaExceededError: DOM Exception 22
+
</ins></span></pre></div>
<a id="trunkLayoutTestsloaderstateobjectspushstatesizeiframehtml"></a>
<div class="addfile"><h4>Added: trunk/LayoutTests/loader/stateobjects/pushstate-size-iframe.html (0 => 195625)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/loader/stateobjects/pushstate-size-iframe.html (rev 0)
+++ trunk/LayoutTests/loader/stateobjects/pushstate-size-iframe.html 2016-01-26 22:48:15 UTC (rev 195625)
</span><span class="lines">@@ -0,0 +1,73 @@
</span><ins>+<script>
+
+if (window.testRunner) {
+ testRunner.dumpAsText();
+ testRunner.dumpChildFramesAsText();
+ testRunner.waitUntilDone();
+}
+
+function log(msg) {
+ document.getElementById("logger").innerHTML += msg + "<br>";
+}
+
+var object = "aaaaaaaaaa";
+for (var i = 0; i < 16; ++i)
+ object += object;
+
+function click()
+{
+ if (!eventSender)
+ return;
+
+ var button = document.getElementById("button");
+ eventSender.mouseMoveTo(button.offsetLeft + 5, button.offsetTop + 5);
+ eventSender.mouseDown();
+ eventSender.mouseUp();
+}
+
+window.onload = click;
+
+var count = 1;
+
+function clicked()
+{
+ try {
+ history.pushState(object, object, object);
+ } catch (e) {
+ log("Unexpected exception: " + e);
+ if (window.testRunner)
+ testRunner.notifyDone();
+ }
+
+ log("Parent frame successfully added item: " + count + " times");
+ ++count;
+
+ if (count > 10) {
+ openFrame();
+ return;
+ }
+
+ setTimeout(click, 0);
+}
+
+function iframeLoaded()
+{
+ document.getElementById("button").onclick = window.frames[0].iframeClicked;
+ click();
+}
+
+function openFrame()
+{
+ var iframe = document.createElement('iframe');
+ iframe.src = 'resources/pushstate-iframe.html'
+ iframe.onload = iframeLoaded;
+ document.body.appendChild(iframe);
+}
+
+</script>
+<body>
+Test should not crash.<br>
+Test does pushState both from the main frame and from an iframe and makes sure they both count against the main frame document's size limit.<br>
+<button id="button" onclick="clicked();">Click to test pushState through a user gesture</button>
+<div id="logger"></div>
+</body>
</ins></span></pre></div>
<a id="trunkLayoutTestsloaderstateobjectspushstatesizehtml"></a>
<div class="addfile"><h4>Added: trunk/LayoutTests/loader/stateobjects/pushstate-size.html (0 => 195625)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/loader/stateobjects/pushstate-size.html (rev 0)
+++ trunk/LayoutTests/loader/stateobjects/pushstate-size.html 2016-01-26 22:48:15 UTC (rev 195625)
</span><span class="lines">@@ -0,0 +1,49 @@
</span><ins>+<script>
+
+if (window.testRunner) {
+ testRunner.dumpAsText();
+ testRunner.waitUntilDone();
+}
+
+function log(msg) {
+ document.getElementById("logger").innerHTML += msg + "<br>";
+}
+
+var object = "aaaaaaaaaa";
+for (var i = 0; i < 16; ++i)
+ object += object;
+
+function click()
+{
+ var testDiv = document.getElementById("test");
+ eventSender.mouseMoveTo(testDiv.offsetLeft + 5, testDiv.offsetTop + 5);
+ eventSender.mouseDown();
+ eventSender.mouseUp();
+}
+
+window.onload = click;
+
+var count = 1;
+
+function clicked()
+{
+ try {
+ history.pushState(object, object, object);
+ } catch (e) {
+ log("User gesture: " + e);
+ if (window.testRunner)
+ testRunner.notifyDone();
+ }
+
+ log("Successfully added item: " + count + " times");
+ ++count;
+
+ setTimeout(click, 0);
+}
+
+</script>
+<body>
+Test should not crash.<br>
+<div id="test" onclick="clicked();">Click to test pushState through a user gesture</div>
+<div id="logger"></div>
+</body>
</ins></span></pre></div>
<a id="trunkLayoutTestsloaderstateobjectsreplacestatesizeexpectedtxt"></a>
<div class="addfile"><h4>Added: trunk/LayoutTests/loader/stateobjects/replacestate-size-expected.txt (0 => 195625)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/loader/stateobjects/replacestate-size-expected.txt (rev 0)
+++ trunk/LayoutTests/loader/stateobjects/replacestate-size-expected.txt 2016-01-26 22:48:15 UTC (rev 195625)
</span><span class="lines">@@ -0,0 +1,8 @@
</span><ins>+Test should not crash.
+replaceState() should not always count against the global quota. Instead it should literally replace the most recent state object added.
+Pushing 63+mb of state objects (but less than 64mb)
+Replacing the last state object with one that should fit
+It fit
+Replacing the last state object with one that should not fit
+Expected exception replacing the last state object: Error: QuotaExceededError: DOM Exception 22
+
</ins></span></pre></div>
<a id="trunkLayoutTestsloaderstateobjectsreplacestatesizeiframeexpectedtxt"></a>
<div class="addfile"><h4>Added: trunk/LayoutTests/loader/stateobjects/replacestate-size-iframe-expected.txt (0 => 195625)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/loader/stateobjects/replacestate-size-iframe-expected.txt (rev 0)
+++ trunk/LayoutTests/loader/stateobjects/replacestate-size-iframe-expected.txt 2016-01-26 22:48:15 UTC (rev 195625)
</span><span class="lines">@@ -0,0 +1,17 @@
</span><ins>+Test should not crash.
+replaceState() in any frame should not always count against the global quota. Instead it should literally replace the most recent state object added from that frame.
+Pushing 59+mb of state objects (but less than 61mb)
+Replace the last 1mb object with a 2mb object, bringing the total to 60+mb
+It fit.
+
+
+--------
+Frame: '<!--framePath //<!--frame0-->-->'
+--------
+The total payload is currently 60+mb. Pushing a 1mb object brings that 61+mb.
+It fit.
+The total payload is currently 61+mb. Replacing the last 1mb with 2mb brings that to 62+mb.
+It fit.
+The total payload is currently 62+mb. Replacing the last 2mb with 4mb brings that to 64+mb, and should not fit.
+Expected exception replacing 2mb with 4mb:Error: QuotaExceededError: DOM Exception 22
+
</ins></span></pre></div>
<a id="trunkLayoutTestsloaderstateobjectsreplacestatesizeiframehtml"></a>
<div class="addfile"><h4>Added: trunk/LayoutTests/loader/stateobjects/replacestate-size-iframe.html (0 => 195625)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/loader/stateobjects/replacestate-size-iframe.html (rev 0)
+++ trunk/LayoutTests/loader/stateobjects/replacestate-size-iframe.html 2016-01-26 22:48:15 UTC (rev 195625)
</span><span class="lines">@@ -0,0 +1,52 @@
</span><ins>+<script>
+
+if (window.testRunner) {
+ testRunner.dumpAsText();
+ testRunner.dumpChildFramesAsText();
+ testRunner.waitUntilDone();
+}
+
+function log(msg) {
+ document.getElementById("logger").innerHTML += msg + "<br>";
+}
+
+function loaded()
+{
+ // Make a 512k character string, which computes as 1mb of payload.
+ var object = "12345678";
+ for (var i = 0; i < 16; ++i)
+ object += object;
+
+ log("Pushing 59+mb of state objects (but less than 61mb)");
+
+ try {
+ // Push 59+mb of state objects (while the string is exactly 1mb, it counts for a little more than 1mb)
+ for (var i = 1; i < 60; ++i)
+ history.pushState(0, 0, object);
+ } catch (e) {
+ log("Unexpected exception pushing > 59mb but < 60mb of state objects: " + e);
+ }
+
+ log("Replace the last 1mb object with a 2mb object, bringing the total to 60+mb");
+ object += object;
+ try {
+ history.replaceState(0, 0, object);
+ log("It fit.");
+ } catch (e) {
+ log("Unexpected exception replacing 1mb with 2mb, bringing the total to 60mb: " + e);
+ }
+
+
+ var iframe = document.createElement('iframe');
+ iframe.src = 'resources/replacestate-iframe.html'
+ document.body.appendChild(iframe);
+}
+
+window.onload = loaded;
+
+</script>
+<body>
+Test should not crash.<br>
+replaceState() in any frame should not always count against the global quota. Instead it should literally replace the most recent state object added from that frame.<br>
+<div id="logger"></div>
+</body>
</ins></span></pre></div>
<a id="trunkLayoutTestsloaderstateobjectsreplacestatesizehtml"></a>
<div class="addfile"><h4>Added: trunk/LayoutTests/loader/stateobjects/replacestate-size.html (0 => 195625)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/loader/stateobjects/replacestate-size.html (rev 0)
+++ trunk/LayoutTests/loader/stateobjects/replacestate-size.html 2016-01-26 22:48:15 UTC (rev 195625)
</span><span class="lines">@@ -0,0 +1,66 @@
</span><ins>+<script>
+
+if (window.testRunner) {
+ testRunner.dumpAsText();
+ testRunner.waitUntilDone();
+}
+
+function log(msg) {
+ document.getElementById("logger").innerHTML += msg + "<br>";
+}
+
+function loaded()
+{
+ // Make a 512k character string, which computes as 1mb of payload.
+ var object = "12345678";
+ for (var i = 0; i < 16; ++i)
+ object += object;
+
+ log("Pushing 63+mb of state objects (but less than 64mb)");
+
+ try {
+ // Push 63+mb of state objects (while the string is exactly 1mb, it counts for a little more than 1mb)
+ for (var i = 1; i < 64; ++i)
+ history.pushState(0, 0, object);
+ } catch (e) {
+ log("Unexpected exception pushing > 63mb but < 64mb of state objects: " + e);
+ }
+
+ log ("Replacing the last state object with one that should fit");
+
+ try {
+ // replaceState with a 1mb state object.
+ // If replaceState counts against the global limit, this will cause an exception.
+ // But it should work.
+ history.replaceState(0, 0, object);
+
+ log("It fit");
+ } catch (e) {
+ log("Unexpected exception replacing the last state object: " + e);
+ }
+
+ // Make the string be 1024k characters, which computes as 2mb of payload.
+ object += object;
+
+ log ("Replacing the last state object with one that should not fit");
+
+ try {
+ // Replacing the 63rd 1mb string with a 2mb string *should* still trigger the limit.
+ history.replaceState(0, 0, object);
+ log("It fit, but should not have");
+ } catch (e) {
+ log("Expected exception replacing the last state object: " + e);
+ }
+
+ if (window.testRunner)
+ testRunner.notifyDone();
+}
+
+window.onload = loaded;
+
+</script>
+<body>
+Test should not crash.<br>
+replaceState() should not always count against the global quota. Instead it should literally replace the most recent state object added.<br>
+<div id="logger"></div>
+</body>
</ins></span></pre></div>
<a id="trunkLayoutTestsloaderstateobjectsresourcespushstateiframehtml"></a>
<div class="addfile"><h4>Added: trunk/LayoutTests/loader/stateobjects/resources/pushstate-iframe.html (0 => 195625)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/loader/stateobjects/resources/pushstate-iframe.html (rev 0)
+++ trunk/LayoutTests/loader/stateobjects/resources/pushstate-iframe.html 2016-01-26 22:48:15 UTC (rev 195625)
</span><span class="lines">@@ -0,0 +1,43 @@
</span><ins>+<script>
+
+if (window.testRunner) {
+ testRunner.dumpAsText();
+ testRunner.waitUntilDone();
+}
+
+function log(msg) {
+ document.getElementById("logger").innerHTML += msg + "<br>";
+}
+
+var object = "aaaaaaaaaa";
+for (var i = 0; i < 16; ++i)
+ object += object;
+
+var count = 1;
+
+function iframeClicked()
+{
+ try {
+ history.pushState(object, object, object);
+ } catch (e) {
+ log("Expected exception: " + e);
+ if (window.testRunner)
+ testRunner.notifyDone();
+ }
+
+ log("iFrame successfully added item: " + count + " times");
+ ++count;
+
+ if (count > 50) {
+ log("This has gone on for way too long");
+ if (window.testRunner)
+ testRunner.notifyDone();
+ }
+
+ setTimeout(window.parent.click, 0);
+}
+
+</script>
+<body>
+<div id="logger"></div>
+</body>
</ins></span></pre></div>
<a id="trunkLayoutTestsloaderstateobjectsresourcesreplacestateiframehtml"></a>
<div class="addfile"><h4>Added: trunk/LayoutTests/loader/stateobjects/resources/replacestate-iframe.html (0 => 195625)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/loader/stateobjects/resources/replacestate-iframe.html (rev 0)
+++ trunk/LayoutTests/loader/stateobjects/resources/replacestate-iframe.html 2016-01-26 22:48:15 UTC (rev 195625)
</span><span class="lines">@@ -0,0 +1,57 @@
</span><ins>+<script>
+
+if (window.testRunner) {
+ testRunner.dumpAsText();
+ testRunner.waitUntilDone();
+}
+
+function log(msg) {
+ document.getElementById("logger").innerHTML += msg + "<br>";
+}
+
+function loaded()
+{
+ // Make a 512k character string, which computes as 1mb of payload.
+ var object = "12345678";
+ for (var i = 0; i < 16; ++i)
+ object += object;
+
+ log("The total payload is currently 60+mb. Pushing a 1mb object brings that 61+mb.");
+
+ try {
+ history.pushState(0, 0, object);
+ log("It fit.");
+ } catch (e) {
+ log("Unexpected exception pushing 1mb:" + e);
+ }
+
+ log("The total payload is currently 61+mb. Replacing the last 1mb with 2mb brings that to 62+mb.");
+
+ object += object;
+ try {
+ history.replaceState(0, 0, object);
+ log("It fit.");
+ } catch (e) {
+ log("Unexpected exception replacing 1mb with 2mb:" + e);
+ }
+
+ log("The total payload is currently 62+mb. Replacing the last 2mb with 4mb brings that to 64+mb, and should not fit.");
+
+ object += object;
+ try {
+ history.replaceState(0, 0, object);
+ log("It fit, but should not have.");
+ } catch (e) {
+ log("Expected exception replacing 2mb with 4mb:" + e);
+ }
+
+ if (window.testRunner)
+ testRunner.notifyDone();
+}
+
+window.onload = loaded;
+
+</script>
+<body>
+<div id="logger"></div>
+</body>
</ins></span></pre></div>
<a id="trunkSourceWebCoreChangeLog"></a>
<div class="modfile"><h4>Modified: trunk/Source/WebCore/ChangeLog (195624 => 195625)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebCore/ChangeLog 2016-01-26 22:22:25 UTC (rev 195624)
+++ trunk/Source/WebCore/ChangeLog 2016-01-26 22:48:15 UTC (rev 195625)
</span><span class="lines">@@ -1,3 +1,32 @@
</span><ins>+2016-01-26 Brady Eidson <beidson@apple.com>
+
+ History.pushState causes intense memory pressure.
+ https://bugs.webkit.org/show_bug.cgi?id=153435
+
+ Reviewed by Sam Weinig, Oliver Hunt, and Geoff Garen.
+
+ Tests: fast/loader/stateobjects/pushstate-frequency-iframe.html
+ fast/loader/stateobjects/pushstate-frequency-with-user-gesture.html
+ fast/loader/stateobjects/pushstate-frequency.html
+ fast/loader/stateobjects/replacestate-frequency-iframe.html
+ fast/loader/stateobjects/replacestate-frequency-with-user-gesture.html
+ fast/loader/stateobjects/replacestate-frequency.html
+ loader/stateobjects/pushstate-size-iframe.html
+ loader/stateobjects/pushstate-size.html
+ loader/stateobjects/replacestate-size-iframe.html
+ loader/stateobjects/replacestate-size.html
+
+ Add restrictions on how frequently push/replaceState can be called,
+ as well as how much of a cumulative payload they can deliver.
+
+ * bindings/js/JSHistoryCustom.cpp:
+ (WebCore::JSHistory::pushState):
+ (WebCore::JSHistory::replaceState):
+
+ * page/History.cpp:
+ (WebCore::History::stateObjectAdded):
+ * page/History.h:
+
</ins><span class="cx"> 2016-01-26 Anders Carlsson <andersca@apple.com>
</span><span class="cx">
</span><span class="cx"> Add a Dictionary overload that returns an Optional result
</span></span></pre></div>
<a id="trunkSourceWebCorebindingsjsJSHistoryCustomcpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/WebCore/bindings/js/JSHistoryCustom.cpp (195624 => 195625)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebCore/bindings/js/JSHistoryCustom.cpp 2016-01-26 22:22:25 UTC (rev 195624)
+++ trunk/Source/WebCore/bindings/js/JSHistoryCustom.cpp 2016-01-26 22:48:15 UTC (rev 195625)
</span><span class="lines">@@ -29,6 +29,7 @@
</span><span class="cx"> #include "config.h"
</span><span class="cx"> #include "JSHistory.h"
</span><span class="cx">
</span><ins>+#include "ExceptionCode.h"
</ins><span class="cx"> #include "Frame.h"
</span><span class="cx"> #include "JSDOMBinding.h"
</span><span class="cx"> #include "SerializedScriptValue.h"
</span><span class="lines">@@ -139,7 +140,7 @@
</span><span class="cx"> return jsUndefined();
</span><span class="cx"> }
</span><span class="cx">
</span><del>- ExceptionCode ec = 0;
</del><ins>+ ExceptionCodeWithMessage ec;
</ins><span class="cx"> wrapped().stateObjectAdded(historyState.release(), title, url, History::StateObjectType::Push, ec);
</span><span class="cx"> setDOMException(&state, ec);
</span><span class="cx">
</span><span class="lines">@@ -168,7 +169,7 @@
</span><span class="cx"> return jsUndefined();
</span><span class="cx"> }
</span><span class="cx">
</span><del>- ExceptionCode ec = 0;
</del><ins>+ ExceptionCodeWithMessage ec;
</ins><span class="cx"> wrapped().stateObjectAdded(historyState.release(), title, url, History::StateObjectType::Replace, ec);
</span><span class="cx"> setDOMException(&state, ec);
</span><span class="cx">
</span></span></pre></div>
<a id="trunkSourceWebCorepageHistorycpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/WebCore/page/History.cpp (195624 => 195625)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebCore/page/History.cpp 2016-01-26 22:22:25 UTC (rev 195624)
+++ trunk/Source/WebCore/page/History.cpp 2016-01-26 22:48:15 UTC (rev 195625)
</span><span class="lines">@@ -34,9 +34,12 @@
</span><span class="cx"> #include "FrameLoaderClient.h"
</span><span class="cx"> #include "HistoryController.h"
</span><span class="cx"> #include "HistoryItem.h"
</span><ins>+#include "MainFrame.h"
</ins><span class="cx"> #include "Page.h"
</span><ins>+#include "ScriptController.h"
</ins><span class="cx"> #include "SecurityOrigin.h"
</span><span class="cx"> #include "SerializedScriptValue.h"
</span><ins>+#include <wtf/CheckedArithmetic.h>
</ins><span class="cx"> #include <wtf/MainThread.h>
</span><span class="cx">
</span><span class="cx"> namespace WebCore {
</span><span class="lines">@@ -136,17 +139,91 @@
</span><span class="cx"> return URL(baseURL, urlString);
</span><span class="cx"> }
</span><span class="cx">
</span><del>-void History::stateObjectAdded(PassRefPtr<SerializedScriptValue> data, const String& title, const String& urlString, StateObjectType stateObjectType, ExceptionCode& ec)
</del><ins>+void History::stateObjectAdded(PassRefPtr<SerializedScriptValue> data, const String& title, const String& urlString, StateObjectType stateObjectType, ExceptionCodeWithMessage& ec)
</ins><span class="cx"> {
</span><ins>+ // Each unique main-frame document is only allowed to send 64mb of state object payload to the UI client/process.
+ static uint32_t totalStateObjectPayloadLimit = 0x4000000;
+ static unsigned perUserGestureStateObjectLimit = 100;
+
</ins><span class="cx"> if (!m_frame || !m_frame->page())
</span><span class="cx"> return;
</span><del>-
</del><ins>+
</ins><span class="cx"> URL fullURL = urlForState(urlString);
</span><span class="cx"> if (!fullURL.isValid() || !m_frame->document()->securityOrigin()->canRequest(fullURL)) {
</span><del>- ec = SECURITY_ERR;
</del><ins>+ ec.code = SECURITY_ERR;
</ins><span class="cx"> return;
</span><span class="cx"> }
</span><span class="cx">
</span><ins>+ Document* mainDocument = m_frame->page()->mainFrame().document();
+ History* mainHistory = nullptr;
+ if (mainDocument) {
+ if (auto* mainDOMWindow = mainDocument->domWindow())
+ mainHistory = mainDOMWindow->history();
+ }
+
+ if (!mainHistory)
+ return;
+
+ bool processingUserGesture = ScriptController::processingUserGesture();
+ if (!processingUserGesture && mainHistory->m_nonUserGestureObjectsAdded >= perUserGestureStateObjectLimit) {
+ ec.code = SECURITY_ERR;
+ if (stateObjectType == StateObjectType::Replace)
+ ec.message = String::format("Attempt to use history.replaceState() more than %u times without a user gesture", perUserGestureStateObjectLimit);
+ else
+ ec.message = String::format("Attempt to use history.pushState() more than %u times without a user gesture", perUserGestureStateObjectLimit);
+ return;
+ }
+
+ double userGestureTimestamp = mainDocument->lastHandledUserGestureTimestamp();
+ if (processingUserGesture) {
+ if (mainHistory->m_currentUserGestureTimestamp < userGestureTimestamp) {
+ mainHistory->m_currentUserGestureTimestamp = userGestureTimestamp;
+ mainHistory->m_currentUserGestureObjectsAdded = 0;
+ }
+
+ if (mainHistory->m_currentUserGestureObjectsAdded >= perUserGestureStateObjectLimit) {
+ ec.code = SECURITY_ERR;
+ if (stateObjectType == StateObjectType::Replace)
+ ec.message = String::format("Attempt to use history.replaceState() more than %u times per gesture", perUserGestureStateObjectLimit);
+ else
+ ec.message = String::format("Attempt to use history.pushState() more than %u times per user gesture", perUserGestureStateObjectLimit);
+ return;
+ }
+ }
+
+ Checked<unsigned> titleSize = title.length();
+ titleSize *= 2;
+
+ Checked<unsigned> urlSize = fullURL.string().length();
+ urlSize *= 2;
+
+ Checked<uint64_t> payloadSize = titleSize;
+ payloadSize += urlSize;
+ payloadSize += data ? data->data().size() : 0;
+
+ Checked<uint64_t> newTotalUsage = mainHistory->m_totalStateObjectUsage;
+
+ if (stateObjectType == StateObjectType::Replace)
+ newTotalUsage -= m_mostRecentStateObjectUsage;
+ newTotalUsage += payloadSize;
+
+ if (newTotalUsage > totalStateObjectPayloadLimit) {
+ ec.code = QUOTA_EXCEEDED_ERR;
+ if (stateObjectType == StateObjectType::Replace)
+ ec.message = ASCIILiteral("Attempt to store more data than allowed using history.replaceState()");
+ else
+ ec.message = ASCIILiteral("Attempt to store more data than allowed using history.pushState()");
+ return;
+ }
+
+ m_mostRecentStateObjectUsage = payloadSize.unsafeGet();
+
+ mainHistory->m_totalStateObjectUsage = newTotalUsage.unsafeGet();
+ if (processingUserGesture)
+ ++mainHistory->m_currentUserGestureObjectsAdded;
+ else
+ ++mainHistory->m_nonUserGestureObjectsAdded;
+
</ins><span class="cx"> if (!urlString.isEmpty())
</span><span class="cx"> m_frame->document()->updateURLForPushOrReplaceState(fullURL);
</span><span class="cx">
</span></span></pre></div>
<a id="trunkSourceWebCorepageHistoryh"></a>
<div class="modfile"><h4>Modified: trunk/Source/WebCore/page/History.h (195624 => 195625)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebCore/page/History.h 2016-01-26 22:22:25 UTC (rev 195624)
+++ trunk/Source/WebCore/page/History.h 2016-01-26 22:48:15 UTC (rev 195625)
</span><span class="lines">@@ -38,6 +38,7 @@
</span><span class="cx">
</span><span class="cx"> class Frame;
</span><span class="cx"> class ScriptExecutionContext;
</span><ins>+struct ExceptionCodeWithMessage;
</ins><span class="cx"> typedef int ExceptionCode;
</span><span class="cx">
</span><span class="cx"> class History : public ScriptWrappable, public RefCounted<History>, public DOMWindowProperty {
</span><span class="lines">@@ -61,7 +62,7 @@
</span><span class="cx"> Push,
</span><span class="cx"> Replace
</span><span class="cx"> };
</span><del>- void stateObjectAdded(PassRefPtr<SerializedScriptValue>, const String& title, const String& url, StateObjectType, ExceptionCode&);
</del><ins>+ void stateObjectAdded(PassRefPtr<SerializedScriptValue>, const String& title, const String& url, StateObjectType, ExceptionCodeWithMessage&);
</ins><span class="cx">
</span><span class="cx"> private:
</span><span class="cx"> explicit History(Frame*);
</span><span class="lines">@@ -71,6 +72,16 @@
</span><span class="cx"> PassRefPtr<SerializedScriptValue> stateInternal() const;
</span><span class="cx">
</span><span class="cx"> RefPtr<SerializedScriptValue> m_lastStateObjectRequested;
</span><ins>+
+ unsigned m_nonUserGestureObjectsAdded { 0 };
+ unsigned m_currentUserGestureObjectsAdded { 0 };
+ double m_currentUserGestureTimestamp { 0 };
+
+ // For the main frame's History object to keep track of all state object usage.
+ uint64_t m_totalStateObjectUsage { 0 };
+
+ // For each individual History object to keep track of the most recent state object added.
+ uint64_t m_mostRecentStateObjectUsage { 0 };
</ins><span class="cx"> };
</span><span class="cx">
</span><span class="cx"> } // namespace WebCore
</span></span></pre>
</div>
</div>
</body>
</html>