<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN"
"http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head><meta http-equiv="content-type" content="text/html; charset=utf-8" />
<title>[205786] trunk</title>
</head>
<body>
<style type="text/css"><!--
#msg dl.meta { border: 1px #006 solid; background: #369; padding: 6px; color: #fff; }
#msg dl.meta dt { float: left; width: 6em; font-weight: bold; }
#msg dt:after { content:':';}
#msg dl, #msg dt, #msg ul, #msg li, #header, #footer, #logmsg { font-family: verdana,arial,helvetica,sans-serif; font-size: 10pt; }
#msg dl a { font-weight: bold}
#msg dl a:link { color:#fc3; }
#msg dl a:active { color:#ff0; }
#msg dl a:visited { color:#cc6; }
h3 { font-family: verdana,arial,helvetica,sans-serif; font-size: 10pt; font-weight: bold; }
#msg pre { overflow: auto; background: #ffc; border: 1px #fa0 solid; padding: 6px; }
#logmsg { background: #ffc; border: 1px #fa0 solid; padding: 1em 1em 0 1em; }
#logmsg p, #logmsg pre, #logmsg blockquote { margin: 0 0 1em 0; }
#logmsg p, #logmsg li, #logmsg dt, #logmsg dd { line-height: 14pt; }
#logmsg h1, #logmsg h2, #logmsg h3, #logmsg h4, #logmsg h5, #logmsg h6 { margin: .5em 0; }
#logmsg h1:first-child, #logmsg h2:first-child, #logmsg h3:first-child, #logmsg h4:first-child, #logmsg h5:first-child, #logmsg h6:first-child { margin-top: 0; }
#logmsg ul, #logmsg ol { padding: 0; list-style-position: inside; margin: 0 0 0 1em; }
#logmsg ul { text-indent: -1em; padding-left: 1em; }#logmsg ol { text-indent: -1.5em; padding-left: 1.5em; }
#logmsg > ul, #logmsg > ol { margin: 0 0 1em 0; }
#logmsg pre { background: #eee; padding: 1em; }
#logmsg blockquote { border: 1px solid #fa0; border-left-width: 10px; padding: 1em 1em 0 1em; background: white;}
#logmsg dl { margin: 0; }
#logmsg dt { font-weight: bold; }
#logmsg dd { margin: 0; padding: 0 0 0.5em 0; }
#logmsg dd:before { content:'\00bb';}
#logmsg table { border-spacing: 0px; border-collapse: collapse; border-top: 4px solid #fa0; border-bottom: 1px solid #fa0; background: #fff; }
#logmsg table th { text-align: left; font-weight: normal; padding: 0.2em 0.5em; border-top: 1px dotted #fa0; }
#logmsg table td { text-align: right; border-top: 1px dotted #fa0; padding: 0.2em 0.5em; }
#logmsg table thead th { text-align: center; border-bottom: 1px solid #fa0; }
#logmsg table th.Corner { text-align: left; }
#logmsg hr { border: none 0; border-top: 2px dashed #fa0; height: 1px; }
#header, #footer { color: #fff; background: #636; border: 1px #300 solid; padding: 6px; }
#patch { width: 100%; }
#patch h4 {font-family: verdana,arial,helvetica,sans-serif;font-size:10pt;padding:8px;background:#369;color:#fff;margin:0;}
#patch .propset h4, #patch .binary h4 {margin:0;}
#patch pre {padding:0;line-height:1.2em;margin:0;}
#patch .diff {width:100%;background:#eee;padding: 0 0 10px 0;overflow:auto;}
#patch .propset .diff, #patch .binary .diff {padding:10px 0;}
#patch span {display:block;padding:0 10px;}
#patch .modfile, #patch .addfile, #patch .delfile, #patch .propset, #patch .binary, #patch .copfile {border:1px solid #ccc;margin:10px 0;}
#patch ins {background:#dfd;text-decoration:none;display:block;padding:0 10px;}
#patch del {background:#fdd;text-decoration:none;display:block;padding:0 10px;}
#patch .lines, .info {color:#888;background:#fff;}
--></style>
<div id="msg">
<dl class="meta">
<dt>Revision</dt> <dd><a href="http://trac.webkit.org/projects/webkit/changeset/205786">205786</a></dd>
<dt>Author</dt> <dd>cdumez@apple.com</dd>
<dt>Date</dt> <dd>2016-09-10 09:06:05 -0700 (Sat, 10 Sep 2016)</dd>
</dl>
<h3>Log Message</h3>
<pre>It is possible for Document::m_frame pointer to become stale
https://bugs.webkit.org/show_bug.cgi?id=161812
<rdar://problem/27745023>
Reviewed by Ryosuke Niwa.
Source/WebCore:
Document::m_frame is supposed to get cleared by Document::prepareForDestruction().
The Frame destructor calls Frame::setView(nullptr) which is supposed to call the
prepareForDestruction() on the Frame's associated document. However,
Frame::setView(nullptr) was calling prepareForDestruction() only if
Document::inPageCache() returned true. This is because, we allow Documents to
stay alive in the PageCache even though they don't have a frame.
The issue is that Document::m_inPageCache flag was set to true right before
firing the pagehide event, so technically before really entering PageCache.
Therefore, we can run into problems if a Frame gets destroyed by a pagehide
EventHandler because ~Frame() will not call Document::prepareForDestruction()
due to Document::m_inPageCache being true. After the frame is destroyed,
Document::m_frame becomes stale and any action on the document will likely
lead to crashes (such as the one in the layout test and the radar which
happens when trying to unregister event listeners from the document).
The solution adopted in this patch is to replace the m_inPageCache boolean
with a m_pageCacheState enumeration that has 3 states:
- NotInPageCache
- AboutToEnterPageCache
- InPageCache
Frame::setView() / Frame::setDocument() were then updated to call
Document::prepareForDestruction() on the associated document whenever
the document's pageCacheState is not InPageCache. This means that we
will now call Document::prepareForDestruction() when the document is
being detached from its frame while firing the pagehide event.
Note that I tried to keep this patch minimal. Therefore, I kept
the Document::inPageCache() getter for now. I plan to switch all its
calls sites to the new Document::pageCacheState() getter in a follow-up
patch so that we can finally drop the confusing Document::inPageCache().
Test: fast/history/pagehide-remove-iframe-crash.html
* dom/Document.cpp:
(WebCore::Document::Document):
(WebCore::Document::~Document):
(WebCore::Document::createRenderTree):
(WebCore::Document::destroyRenderTree):
(WebCore::Document::setFocusedElement):
(WebCore::Document::setPageCacheState):
(WebCore::Document::topDocument):
* dom/Document.h:
(WebCore::Document::pageCacheState):
(WebCore::Document::inPageCache):
* history/CachedFrame.cpp:
(WebCore::CachedFrame::destroy):
* history/PageCache.cpp:
(WebCore::setPageCacheState):
(WebCore::PageCache::addIfCacheable):
* loader/FrameLoader.cpp:
(WebCore::FrameLoader::stopAllLoaders):
(WebCore::FrameLoader::open):
* loader/HistoryController.cpp:
(WebCore::HistoryController::invalidateCurrentItemCachedPage):
* page/Frame.cpp:
(WebCore::Frame::setView):
LayoutTests:
Add layout test that crashes on both Mac and iOS due to using a stale
Document::m_frame pointer.
* fast/history/pagehide-remove-iframe-crash-expected.txt: Added.
* fast/history/pagehide-remove-iframe-crash.html: Added.</pre>
<h3>Modified Paths</h3>
<ul>
<li><a href="#trunkLayoutTestsChangeLog">trunk/LayoutTests/ChangeLog</a></li>
<li><a href="#trunkSourceWebCoreChangeLog">trunk/Source/WebCore/ChangeLog</a></li>
<li><a href="#trunkSourceWebCoredomDocumentcpp">trunk/Source/WebCore/dom/Document.cpp</a></li>
<li><a href="#trunkSourceWebCoredomDocumenth">trunk/Source/WebCore/dom/Document.h</a></li>
<li><a href="#trunkSourceWebCorehistoryCachedFramecpp">trunk/Source/WebCore/history/CachedFrame.cpp</a></li>
<li><a href="#trunkSourceWebCorehistoryPageCachecpp">trunk/Source/WebCore/history/PageCache.cpp</a></li>
<li><a href="#trunkSourceWebCoreloaderFrameLoadercpp">trunk/Source/WebCore/loader/FrameLoader.cpp</a></li>
<li><a href="#trunkSourceWebCoreloaderHistoryControllercpp">trunk/Source/WebCore/loader/HistoryController.cpp</a></li>
<li><a href="#trunkSourceWebCorepageFramecpp">trunk/Source/WebCore/page/Frame.cpp</a></li>
</ul>
<h3>Added Paths</h3>
<ul>
<li><a href="#trunkLayoutTestsfasthistorypagehideremoveiframecrashexpectedtxt">trunk/LayoutTests/fast/history/pagehide-remove-iframe-crash-expected.txt</a></li>
<li><a href="#trunkLayoutTestsfasthistorypagehideremoveiframecrashhtml">trunk/LayoutTests/fast/history/pagehide-remove-iframe-crash.html</a></li>
</ul>
</div>
<div id="patch">
<h3>Diff</h3>
<a id="trunkLayoutTestsChangeLog"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/ChangeLog (205785 => 205786)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/ChangeLog 2016-09-10 15:06:20 UTC (rev 205785)
+++ trunk/LayoutTests/ChangeLog 2016-09-10 16:06:05 UTC (rev 205786)
</span><span class="lines">@@ -1,3 +1,17 @@
</span><ins>+2016-09-10 Chris Dumez <cdumez@apple.com>
+
+ It is possible for Document::m_frame pointer to become stale
+ https://bugs.webkit.org/show_bug.cgi?id=161812
+ <rdar://problem/27745023>
+
+ Reviewed by Ryosuke Niwa.
+
+ Add layout test that crashes on both Mac and iOS due to using a stale
+ Document::m_frame pointer.
+
+ * fast/history/pagehide-remove-iframe-crash-expected.txt: Added.
+ * fast/history/pagehide-remove-iframe-crash.html: Added.
+
</ins><span class="cx"> 2016-09-10 Gyuyoung Kim <gyuyoung.kim@webkit.org>
</span><span class="cx">
</span><span class="cx"> [EFL] Mark new media source tests to failure
</span></span></pre></div>
<a id="trunkLayoutTestsfasthistorypagehideremoveiframecrashexpectedtxt"></a>
<div class="addfile"><h4>Added: trunk/LayoutTests/fast/history/pagehide-remove-iframe-crash-expected.txt (0 => 205786)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/fast/history/pagehide-remove-iframe-crash-expected.txt (rev 0)
+++ trunk/LayoutTests/fast/history/pagehide-remove-iframe-crash-expected.txt 2016-09-10 16:06:05 UTC (rev 205786)
</span><span class="lines">@@ -0,0 +1,13 @@
</span><ins>+Tests that we do not crash when deleting a subframe from the pagehide event handler.
+
+On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE".
+
+
+pageshow - not from cache
+pagehide - entering cache
+pageshow - from cache
+PASS Page did enter and was restored from the page cache
+PASS successfullyParsed is true
+
+TEST COMPLETE
+
</ins></span></pre></div>
<a id="trunkLayoutTestsfasthistorypagehideremoveiframecrashhtml"></a>
<div class="addfile"><h4>Added: trunk/LayoutTests/fast/history/pagehide-remove-iframe-crash.html (0 => 205786)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/fast/history/pagehide-remove-iframe-crash.html (rev 0)
+++ trunk/LayoutTests/fast/history/pagehide-remove-iframe-crash.html 2016-09-10 16:06:05 UTC (rev 205786)
</span><span class="lines">@@ -0,0 +1,50 @@
</span><ins>+<!DOCTYPE html>
+<html>
+<body>
+<script src="../../resources/js-test-pre.js"></script>
+<iframe srcdoc="<body></body>"></iframe>
+<script>
+description("Tests that we do not crash when deleting a subframe from the pagehide event handler.");
+jsTestIsAsync = true;
+if (window.testRunner)
+ testRunner.overridePreference("WebKitUsesPageCachePreferenceKey", 1);
+
+window.addEventListener("pageshow", function(event) {
+ debug("pageshow - " + (event.persisted ? "" : "not ") + "from cache");
+
+ if (event.persisted) {
+ testPassed("Page did enter and was restored from the page cache");
+ finishJSTest();
+ }
+}, false);
+
+window.addEventListener("pagehide", function(event) {
+ debug("pagehide - " + (event.persisted ? "" : "not ") + "entering cache");
+ if (!event.persisted) {
+ testFailed("Page did not enter the page cache.");
+ finishJSTest();
+ }
+ // Remove subframe in pagehide event handler.
+ var frame = document.getElementsByTagName("iframe")[0];
+ subFrameDoc = frame.contentDocument;
+ document.body.removeChild(frame);
+ frame = null;
+ gc();
+}, false);
+
+onload = function() {
+ var frame = document.getElementsByTagName("iframe")[0];
+ frame.addEventListener("touchstart", function() { });
+ frame.addEventListener("click", function() { });
+ frame.contentDocument.body.addEventListener("touchstart", function() { });
+ frame.contentDocument.body.addEventListener("click", function() { });
+
+ setTimeout(function() {
+ // Force a back navigation back to this page.
+ window.location.href = "resources/page-cache-helper.html";
+ }, 0);
+}
+</script>
+<script src="../../resources/js-test-post.js"></script>
+</body>
+</html>
</ins></span></pre></div>
<a id="trunkSourceWebCoreChangeLog"></a>
<div class="modfile"><h4>Modified: trunk/Source/WebCore/ChangeLog (205785 => 205786)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebCore/ChangeLog 2016-09-10 15:06:20 UTC (rev 205785)
+++ trunk/Source/WebCore/ChangeLog 2016-09-10 16:06:05 UTC (rev 205786)
</span><span class="lines">@@ -1,3 +1,70 @@
</span><ins>+2016-09-10 Chris Dumez <cdumez@apple.com>
+
+ It is possible for Document::m_frame pointer to become stale
+ https://bugs.webkit.org/show_bug.cgi?id=161812
+ <rdar://problem/27745023>
+
+ Reviewed by Ryosuke Niwa.
+
+ Document::m_frame is supposed to get cleared by Document::prepareForDestruction().
+ The Frame destructor calls Frame::setView(nullptr) which is supposed to call the
+ prepareForDestruction() on the Frame's associated document. However,
+ Frame::setView(nullptr) was calling prepareForDestruction() only if
+ Document::inPageCache() returned true. This is because, we allow Documents to
+ stay alive in the PageCache even though they don't have a frame.
+
+ The issue is that Document::m_inPageCache flag was set to true right before
+ firing the pagehide event, so technically before really entering PageCache.
+ Therefore, we can run into problems if a Frame gets destroyed by a pagehide
+ EventHandler because ~Frame() will not call Document::prepareForDestruction()
+ due to Document::m_inPageCache being true. After the frame is destroyed,
+ Document::m_frame becomes stale and any action on the document will likely
+ lead to crashes (such as the one in the layout test and the radar which
+ happens when trying to unregister event listeners from the document).
+
+ The solution adopted in this patch is to replace the m_inPageCache boolean
+ with a m_pageCacheState enumeration that has 3 states:
+ - NotInPageCache
+ - AboutToEnterPageCache
+ - InPageCache
+
+ Frame::setView() / Frame::setDocument() were then updated to call
+ Document::prepareForDestruction() on the associated document whenever
+ the document's pageCacheState is not InPageCache. This means that we
+ will now call Document::prepareForDestruction() when the document is
+ being detached from its frame while firing the pagehide event.
+
+ Note that I tried to keep this patch minimal. Therefore, I kept
+ the Document::inPageCache() getter for now. I plan to switch all its
+ calls sites to the new Document::pageCacheState() getter in a follow-up
+ patch so that we can finally drop the confusing Document::inPageCache().
+
+ Test: fast/history/pagehide-remove-iframe-crash.html
+
+ * dom/Document.cpp:
+ (WebCore::Document::Document):
+ (WebCore::Document::~Document):
+ (WebCore::Document::createRenderTree):
+ (WebCore::Document::destroyRenderTree):
+ (WebCore::Document::setFocusedElement):
+ (WebCore::Document::setPageCacheState):
+ (WebCore::Document::topDocument):
+ * dom/Document.h:
+ (WebCore::Document::pageCacheState):
+ (WebCore::Document::inPageCache):
+ * history/CachedFrame.cpp:
+ (WebCore::CachedFrame::destroy):
+ * history/PageCache.cpp:
+ (WebCore::setPageCacheState):
+ (WebCore::PageCache::addIfCacheable):
+ * loader/FrameLoader.cpp:
+ (WebCore::FrameLoader::stopAllLoaders):
+ (WebCore::FrameLoader::open):
+ * loader/HistoryController.cpp:
+ (WebCore::HistoryController::invalidateCurrentItemCachedPage):
+ * page/Frame.cpp:
+ (WebCore::Frame::setView):
+
</ins><span class="cx"> 2016-09-10 Wenson Hsieh <wenson_hsieh@apple.com>
</span><span class="cx">
</span><span class="cx"> Apple.com keynote does not display media controls
</span></span></pre></div>
<a id="trunkSourceWebCoredomDocumentcpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/WebCore/dom/Document.cpp (205785 => 205786)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebCore/dom/Document.cpp 2016-09-10 15:06:20 UTC (rev 205785)
+++ trunk/Source/WebCore/dom/Document.cpp 2016-09-10 16:06:05 UTC (rev 205786)
</span><span class="lines">@@ -493,7 +493,6 @@
</span><span class="cx"> , m_annotatedRegionsDirty(false)
</span><span class="cx"> #endif
</span><span class="cx"> , m_createRenderers(true)
</span><del>- , m_inPageCache(false)
</del><span class="cx"> , m_accessKeyMapValid(false)
</span><span class="cx"> , m_documentClasses(documentClasses)
</span><span class="cx"> , m_isSynthesized(constructionFlags & Synthesized)
</span><span class="lines">@@ -602,7 +601,7 @@
</span><span class="cx"> allDocuments().remove(this);
</span><span class="cx">
</span><span class="cx"> ASSERT(!renderView());
</span><del>- ASSERT(!m_inPageCache);
</del><ins>+ ASSERT(m_pageCacheState != InPageCache);
</ins><span class="cx"> ASSERT(m_ranges.isEmpty());
</span><span class="cx"> ASSERT(!m_parentTreeScope);
</span><span class="cx"> ASSERT(!m_disabledFieldsetElementsCount);
</span><span class="lines">@@ -2237,7 +2236,7 @@
</span><span class="cx"> void Document::createRenderTree()
</span><span class="cx"> {
</span><span class="cx"> ASSERT(!renderView());
</span><del>- ASSERT(!m_inPageCache);
</del><ins>+ ASSERT(m_pageCacheState != InPageCache);
</ins><span class="cx"> ASSERT(!m_axObjectCache || this != &topDocument());
</span><span class="cx">
</span><span class="cx"> if (m_isNonRenderedPlaceholder)
</span><span class="lines">@@ -2301,7 +2300,7 @@
</span><span class="cx"> void Document::destroyRenderTree()
</span><span class="cx"> {
</span><span class="cx"> ASSERT(hasLivingRenderTree());
</span><del>- ASSERT(!m_inPageCache);
</del><ins>+ ASSERT(m_pageCacheState != InPageCache);
</ins><span class="cx">
</span><span class="cx"> TemporaryChange<bool> change(m_renderTreeBeingDestroyed, true);
</span><span class="cx">
</span><span class="lines">@@ -3787,7 +3786,7 @@
</span><span class="cx"> if (m_focusedElement == newFocusedElement)
</span><span class="cx"> return true;
</span><span class="cx">
</span><del>- if (m_inPageCache)
</del><ins>+ if (inPageCache())
</ins><span class="cx"> return false;
</span><span class="cx">
</span><span class="cx"> bool focusChangeBlocked = false;
</span><span class="lines">@@ -4715,17 +4714,18 @@
</span><span class="cx"> return completeURL(url, m_baseURL);
</span><span class="cx"> }
</span><span class="cx">
</span><del>-void Document::setInPageCache(bool flag)
</del><ins>+void Document::setPageCacheState(PageCacheState state)
</ins><span class="cx"> {
</span><del>- if (m_inPageCache == flag)
</del><ins>+ if (m_pageCacheState == state)
</ins><span class="cx"> return;
</span><span class="cx">
</span><del>- m_inPageCache = flag;
</del><ins>+ m_pageCacheState = state;
</ins><span class="cx">
</span><span class="cx"> FrameView* v = view();
</span><span class="cx"> Page* page = this->page();
</span><span class="cx">
</span><del>- if (flag) {
</del><ins>+ switch (state) {
+ case InPageCache:
</ins><span class="cx"> if (v) {
</span><span class="cx"> // FIXME: There is some scrolling related work that needs to happen whenever a page goes into the
</span><span class="cx"> // page cache and similar work that needs to occur when it comes out. This is where we do the work
</span><span class="lines">@@ -4745,9 +4745,13 @@
</span><span class="cx"> m_styleRecalcTimer.stop();
</span><span class="cx">
</span><span class="cx"> clearSharedObjectPool();
</span><del>- } else {
</del><ins>+ break;
+ case NotInPageCache:
</ins><span class="cx"> if (childNeedsStyleRecalc())
</span><span class="cx"> scheduleStyleRecalc();
</span><ins>+ break;
+ case AboutToEnterPageCache:
+ break;
</ins><span class="cx"> }
</span><span class="cx"> }
</span><span class="cx">
</span><span class="lines">@@ -5066,7 +5070,7 @@
</span><span class="cx"> {
</span><span class="cx"> // FIXME: This special-casing avoids incorrectly determined top documents during the process
</span><span class="cx"> // of AXObjectCache teardown or notification posting for cached or being-destroyed documents.
</span><del>- if (!m_inPageCache && !m_renderTreeBeingDestroyed) {
</del><ins>+ if (!inPageCache() && !m_renderTreeBeingDestroyed) {
</ins><span class="cx"> if (!m_frame)
</span><span class="cx"> return const_cast<Document&>(*this);
</span><span class="cx"> // This should always be non-null.
</span></span></pre></div>
<a id="trunkSourceWebCoredomDocumenth"></a>
<div class="modfile"><h4>Modified: trunk/Source/WebCore/dom/Document.h (205785 => 205786)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebCore/dom/Document.h 2016-09-10 15:06:20 UTC (rev 205785)
+++ trunk/Source/WebCore/dom/Document.h 2016-09-10 16:06:05 UTC (rev 205786)
</span><span class="lines">@@ -1001,9 +1001,14 @@
</span><span class="cx">
</span><span class="cx"> void finishedParsing();
</span><span class="cx">
</span><del>- bool inPageCache() const { return m_inPageCache; }
- void setInPageCache(bool flag);
</del><ins>+ enum PageCacheState { NotInPageCache, AboutToEnterPageCache, InPageCache };
</ins><span class="cx">
</span><ins>+ PageCacheState pageCacheState() const { return m_pageCacheState; }
+ void setPageCacheState(PageCacheState);
+
+ // FIXME: Update callers to use pageCacheState() instead.
+ bool inPageCache() const { return m_pageCacheState != NotInPageCache; }
+
</ins><span class="cx"> // Elements can register themselves for the "suspend()" and
</span><span class="cx"> // "resume()" callbacks
</span><span class="cx"> void registerForDocumentSuspensionCallbacks(Element*);
</span><span class="lines">@@ -1593,7 +1598,7 @@
</span><span class="cx"> HashMap<String, RefPtr<HTMLCanvasElement>> m_cssCanvasElements;
</span><span class="cx">
</span><span class="cx"> bool m_createRenderers;
</span><del>- bool m_inPageCache;
</del><ins>+ PageCacheState m_pageCacheState { NotInPageCache };
</ins><span class="cx">
</span><span class="cx"> HashSet<Element*> m_documentSuspensionCallbackElements;
</span><span class="cx"> HashSet<Element*> m_mediaVolumeCallbackElements;
</span></span></pre></div>
<a id="trunkSourceWebCorehistoryCachedFramecpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/WebCore/history/CachedFrame.cpp (205785 => 205786)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebCore/history/CachedFrame.cpp 2016-09-10 15:06:20 UTC (rev 205785)
+++ trunk/Source/WebCore/history/CachedFrame.cpp 2016-09-10 16:06:05 UTC (rev 205786)
</span><span class="lines">@@ -264,7 +264,7 @@
</span><span class="cx"> // fully anyway, because the document won't be able to access its DOMWindow object (due to being frameless).
</span><span class="cx"> m_document->removeAllEventListeners();
</span><span class="cx">
</span><del>- m_document->setInPageCache(false);
</del><ins>+ m_document->setPageCacheState(Document::NotInPageCache);
</ins><span class="cx"> m_document->prepareForDestruction();
</span><span class="cx">
</span><span class="cx"> clear();
</span></span></pre></div>
<a id="trunkSourceWebCorehistoryPageCachecpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/WebCore/history/PageCache.cpp (205785 => 205786)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebCore/history/PageCache.cpp 2016-09-10 15:06:20 UTC (rev 205785)
+++ trunk/Source/WebCore/history/PageCache.cpp 2016-09-10 16:06:05 UTC (rev 205786)
</span><span class="lines">@@ -373,11 +373,11 @@
</span><span class="cx"> return emptyString();
</span><span class="cx"> }
</span><span class="cx">
</span><del>-static void setInPageCache(Page& page, bool isInPageCache)
</del><ins>+static void setPageCacheState(Page& page, Document::PageCacheState pageCacheState)
</ins><span class="cx"> {
</span><span class="cx"> for (Frame* frame = &page.mainFrame(); frame; frame = frame->tree().traverseNext()) {
</span><span class="cx"> if (auto* document = frame->document())
</span><del>- document->setInPageCache(isInPageCache);
</del><ins>+ document->setPageCacheState(pageCacheState);
</ins><span class="cx"> }
</span><span class="cx"> }
</span><span class="cx">
</span><span class="lines">@@ -407,8 +407,7 @@
</span><span class="cx"> if (!page || !canCache(*page))
</span><span class="cx"> return;
</span><span class="cx">
</span><del>- // Make sure all the documents know they are being added to the PageCache.
- setInPageCache(*page, true);
</del><ins>+ setPageCacheState(*page, Document::AboutToEnterPageCache);
</ins><span class="cx">
</span><span class="cx"> // Focus the main frame, defocusing a focused subframe (if we have one). We do this here,
</span><span class="cx"> // before the page enters the page cache, while we still can dispatch DOM blur/focus events.
</span><span class="lines">@@ -421,10 +420,12 @@
</span><span class="cx"> // Check that the page is still page-cacheable after firing the pagehide event. The JS event handlers
</span><span class="cx"> // could have altered the page in a way that could prevent caching.
</span><span class="cx"> if (!canCache(*page)) {
</span><del>- setInPageCache(*page, false);
</del><ins>+ setPageCacheState(*page, Document::NotInPageCache);
</ins><span class="cx"> return;
</span><span class="cx"> }
</span><span class="cx">
</span><ins>+ setPageCacheState(*page, Document::InPageCache);
+
</ins><span class="cx"> // Make sure we no longer fire any JS events past this point.
</span><span class="cx"> NoEventDispatchAssertion assertNoEventDispatch;
</span><span class="cx">
</span></span></pre></div>
<a id="trunkSourceWebCoreloaderFrameLoadercpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/WebCore/loader/FrameLoader.cpp (205785 => 205786)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebCore/loader/FrameLoader.cpp 2016-09-10 15:06:20 UTC (rev 205785)
+++ trunk/Source/WebCore/loader/FrameLoader.cpp 2016-09-10 16:06:05 UTC (rev 205786)
</span><span class="lines">@@ -1596,7 +1596,7 @@
</span><span class="cx">
</span><span class="cx"> void FrameLoader::stopAllLoaders(ClearProvisionalItemPolicy clearProvisionalItemPolicy)
</span><span class="cx"> {
</span><del>- ASSERT(!m_frame.document() || !m_frame.document()->inPageCache());
</del><ins>+ ASSERT(!m_frame.document() || m_frame.document()->pageCacheState() != Document::InPageCache);
</ins><span class="cx"> if (m_pageDismissalEventBeingDispatched != PageDismissalType::None)
</span><span class="cx"> return;
</span><span class="cx">
</span><span class="lines">@@ -2094,7 +2094,7 @@
</span><span class="cx">
</span><span class="cx"> clear(document, true, true, cachedFrame.isMainFrame());
</span><span class="cx">
</span><del>- document->setInPageCache(false);
</del><ins>+ document->setPageCacheState(Document::NotInPageCache);
</ins><span class="cx">
</span><span class="cx"> m_needsClear = true;
</span><span class="cx"> m_isComplete = false;
</span></span></pre></div>
<a id="trunkSourceWebCoreloaderHistoryControllercpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/WebCore/loader/HistoryController.cpp (205785 => 205786)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebCore/loader/HistoryController.cpp 2016-09-10 15:06:20 UTC (rev 205785)
+++ trunk/Source/WebCore/loader/HistoryController.cpp 2016-09-10 16:06:05 UTC (rev 205786)
</span><span class="lines">@@ -270,7 +270,7 @@
</span><span class="cx">
</span><span class="cx"> ASSERT(cachedPage->document() == m_frame.document());
</span><span class="cx"> if (cachedPage->document() == m_frame.document()) {
</span><del>- cachedPage->document()->setInPageCache(false);
</del><ins>+ cachedPage->document()->setPageCacheState(Document::NotInPageCache);
</ins><span class="cx"> cachedPage->clear();
</span><span class="cx"> }
</span><span class="cx"> }
</span></span></pre></div>
<a id="trunkSourceWebCorepageFramecpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/WebCore/page/Frame.cpp (205785 => 205786)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebCore/page/Frame.cpp 2016-09-10 15:06:20 UTC (rev 205785)
+++ trunk/Source/WebCore/page/Frame.cpp 2016-09-10 16:06:05 UTC (rev 205786)
</span><span class="lines">@@ -246,7 +246,7 @@
</span><span class="cx"> // Prepare for destruction now, so any unload event handlers get run and the DOMWindow is
</span><span class="cx"> // notified. If we wait until the view is destroyed, then things won't be hooked up enough for
</span><span class="cx"> // these calls to work.
</span><del>- if (!view && m_doc && !m_doc->inPageCache())
</del><ins>+ if (!view && m_doc && m_doc->pageCacheState() != Document::InPageCache)
</ins><span class="cx"> m_doc->prepareForDestruction();
</span><span class="cx">
</span><span class="cx"> if (m_view)
</span><span class="lines">@@ -268,7 +268,7 @@
</span><span class="cx"> {
</span><span class="cx"> ASSERT(!newDocument || newDocument->frame() == this);
</span><span class="cx">
</span><del>- if (m_doc && !m_doc->inPageCache())
</del><ins>+ if (m_doc && m_doc->pageCacheState() != Document::InPageCache)
</ins><span class="cx"> m_doc->prepareForDestruction();
</span><span class="cx">
</span><span class="cx"> m_doc = newDocument.copyRef();
</span></span></pre>
</div>
</div>
</body>
</html>