<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN"
"http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head><meta http-equiv="content-type" content="text/html; charset=utf-8" />
<title>[214365] trunk</title>
</head>
<body>

<style type="text/css"><!--
#msg dl.meta { border: 1px #006 solid; background: #369; padding: 6px; color: #fff; }
#msg dl.meta dt { float: left; width: 6em; font-weight: bold; }
#msg dt:after { content:':';}
#msg dl, #msg dt, #msg ul, #msg li, #header, #footer, #logmsg { font-family: verdana,arial,helvetica,sans-serif; font-size: 10pt;  }
#msg dl a { font-weight: bold}
#msg dl a:link    { color:#fc3; }
#msg dl a:active  { color:#ff0; }
#msg dl a:visited { color:#cc6; }
h3 { font-family: verdana,arial,helvetica,sans-serif; font-size: 10pt; font-weight: bold; }
#msg pre { overflow: auto; background: #ffc; border: 1px #fa0 solid; padding: 6px; }
#logmsg { background: #ffc; border: 1px #fa0 solid; padding: 1em 1em 0 1em; }
#logmsg p, #logmsg pre, #logmsg blockquote { margin: 0 0 1em 0; }
#logmsg p, #logmsg li, #logmsg dt, #logmsg dd { line-height: 14pt; }
#logmsg h1, #logmsg h2, #logmsg h3, #logmsg h4, #logmsg h5, #logmsg h6 { margin: .5em 0; }
#logmsg h1:first-child, #logmsg h2:first-child, #logmsg h3:first-child, #logmsg h4:first-child, #logmsg h5:first-child, #logmsg h6:first-child { margin-top: 0; }
#logmsg ul, #logmsg ol { padding: 0; list-style-position: inside; margin: 0 0 0 1em; }
#logmsg ul { text-indent: -1em; padding-left: 1em; }#logmsg ol { text-indent: -1.5em; padding-left: 1.5em; }
#logmsg > ul, #logmsg > ol { margin: 0 0 1em 0; }
#logmsg pre { background: #eee; padding: 1em; }
#logmsg blockquote { border: 1px solid #fa0; border-left-width: 10px; padding: 1em 1em 0 1em; background: white;}
#logmsg dl { margin: 0; }
#logmsg dt { font-weight: bold; }
#logmsg dd { margin: 0; padding: 0 0 0.5em 0; }
#logmsg dd:before { content:'\00bb';}
#logmsg table { border-spacing: 0px; border-collapse: collapse; border-top: 4px solid #fa0; border-bottom: 1px solid #fa0; background: #fff; }
#logmsg table th { text-align: left; font-weight: normal; padding: 0.2em 0.5em; border-top: 1px dotted #fa0; }
#logmsg table td { text-align: right; border-top: 1px dotted #fa0; padding: 0.2em 0.5em; }
#logmsg table thead th { text-align: center; border-bottom: 1px solid #fa0; }
#logmsg table th.Corner { text-align: left; }
#logmsg hr { border: none 0; border-top: 2px dashed #fa0; height: 1px; }
#header, #footer { color: #fff; background: #636; border: 1px #300 solid; padding: 6px; }
#patch { width: 100%; }
#patch h4 {font-family: verdana,arial,helvetica,sans-serif;font-size:10pt;padding:8px;background:#369;color:#fff;margin:0;}
#patch .propset h4, #patch .binary h4 {margin:0;}
#patch pre {padding:0;line-height:1.2em;margin:0;}
#patch .diff {width:100%;background:#eee;padding: 0 0 10px 0;overflow:auto;}
#patch .propset .diff, #patch .binary .diff  {padding:10px 0;}
#patch span {display:block;padding:0 10px;}
#patch .modfile, #patch .addfile, #patch .delfile, #patch .propset, #patch .binary, #patch .copfile {border:1px solid #ccc;margin:10px 0;}
#patch ins {background:#dfd;text-decoration:none;display:block;padding:0 10px;}
#patch del {background:#fdd;text-decoration:none;display:block;padding:0 10px;}
#patch .lines, .info {color:#888;background:#fff;}
--></style>
<div id="msg">
<dl class="meta">
<dt>Revision</dt> <dd><a href="http://trac.webkit.org/projects/webkit/changeset/214365">214365</a></dd>
<dt>Author</dt> <dd>dbates@webkit.org</dd>
<dt>Date</dt> <dd>2017-03-24 12:34:11 -0700 (Fri, 24 Mar 2017)</dd>
</dl>

<h3>Log Message</h3>
<pre>Prevent new navigations during document unload
https://bugs.webkit.org/show_bug.cgi?id=169934
&lt;rdar://problem/31247584&gt;

Reviewed by Chris Dumez.

Source/WebCore:

Similar to our policy of preventing new navigations from onbeforeunload handlers,
we should prevent new navigations that are initiated during the document unload
process.

The significant part of this change is the instantiation of the RAII object NavigationDisabler
in Document::prepareForDestruction(). The rest of this change just renames class
NavigationDisablerForBeforeUnload to NavigationDisabler now that this RAII class is
used to prevent navigation from both onbeforeunload event handlers and when unloading
a document.

Test: fast/frames/frame-unload-navigate-and-setTimeout-assert-fail.html

* dom/Document.cpp:
(WebCore::Document::prepareForDestruction): Disable new navigations when disconnecting
subframes. Also assert that the document is not in the page cache before we fall off
the end of the function.
* loader/FrameLoader.cpp:
(WebCore::FrameLoader::isNavigationAllowed): Update for renaming below.
(WebCore::FrameLoader::shouldClose): Ditto.
* loader/NavigationScheduler.cpp:
(WebCore::NavigationScheduler::shouldScheduleNavigation): Ditto.
* loader/NavigationScheduler.h:
(WebCore::NavigationDisabler::NavigationDisabler): Renamed class; formerly named NavigationDisablerForBeforeUnload.
(WebCore::NavigationDisabler::~NavigationDisabler): Ditto.
(WebCore::NavigationDisabler::isNavigationAllowed): Ditto.
(WebCore::NavigationDisablerForBeforeUnload::NavigationDisablerForBeforeUnload): Deleted.
(WebCore::NavigationDisablerForBeforeUnload::~NavigationDisablerForBeforeUnload): Deleted.
(WebCore::NavigationDisablerForBeforeUnload::isNavigationAllowed): Deleted.

LayoutTests:

Add a test to ensure that we do not cause an assertion fail when calling setTimeout
after starting a navigation from an onunload event handler.

* fast/frames/frame-unload-navigate-and-setTimeout-assert-fail-expected.txt: Added.
* fast/frames/frame-unload-navigate-and-setTimeout-assert-fail.html: Added.</pre>

<h3>Modified Paths</h3>
<ul>
<li><a href="#trunkLayoutTestsChangeLog">trunk/LayoutTests/ChangeLog</a></li>
<li><a href="#trunkSourceWebCoreChangeLog">trunk/Source/WebCore/ChangeLog</a></li>
<li><a href="#trunkSourceWebCoredomDocumentcpp">trunk/Source/WebCore/dom/Document.cpp</a></li>
<li><a href="#trunkSourceWebCoreloaderFrameLoadercpp">trunk/Source/WebCore/loader/FrameLoader.cpp</a></li>
<li><a href="#trunkSourceWebCoreloaderNavigationSchedulercpp">trunk/Source/WebCore/loader/NavigationScheduler.cpp</a></li>
<li><a href="#trunkSourceWebCoreloaderNavigationSchedulerh">trunk/Source/WebCore/loader/NavigationScheduler.h</a></li>
</ul>

<h3>Added Paths</h3>
<ul>
<li><a href="#trunkLayoutTestsfastframesframeunloadnavigateandsetTimeoutassertfailexpectedtxt">trunk/LayoutTests/fast/frames/frame-unload-navigate-and-setTimeout-assert-fail-expected.txt</a></li>
<li><a href="#trunkLayoutTestsfastframesframeunloadnavigateandsetTimeoutassertfailhtml">trunk/LayoutTests/fast/frames/frame-unload-navigate-and-setTimeout-assert-fail.html</a></li>
</ul>

</div>
<div id="patch">
<h3>Diff</h3>
<a id="trunkLayoutTestsChangeLog"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/ChangeLog (214364 => 214365)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/ChangeLog        2017-03-24 19:01:54 UTC (rev 214364)
+++ trunk/LayoutTests/ChangeLog        2017-03-24 19:34:11 UTC (rev 214365)
</span><span class="lines">@@ -1,3 +1,17 @@
</span><ins>+2017-03-24  Daniel Bates  &lt;dabates@apple.com&gt;
+
+        Prevent new navigations during document unload
+        https://bugs.webkit.org/show_bug.cgi?id=169934
+        &lt;rdar://problem/31247584&gt;
+
+        Reviewed by Chris Dumez.
+
+        Add a test to ensure that we do not cause an assertion fail when calling setTimeout
+        after starting a navigation from an onunload event handler.
+
+        * fast/frames/frame-unload-navigate-and-setTimeout-assert-fail-expected.txt: Added.
+        * fast/frames/frame-unload-navigate-and-setTimeout-assert-fail.html: Added.
+
</ins><span class="cx"> 2017-03-24  Myles C. Maxfield  &lt;mmaxfield@apple.com&gt;
</span><span class="cx"> 
</span><span class="cx">         Implement font-optical-sizing
</span></span></pre></div>
<a id="trunkLayoutTestsfastframesframeunloadnavigateandsetTimeoutassertfailexpectedtxt"></a>
<div class="addfile"><h4>Added: trunk/LayoutTests/fast/frames/frame-unload-navigate-and-setTimeout-assert-fail-expected.txt (0 => 214365)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/fast/frames/frame-unload-navigate-and-setTimeout-assert-fail-expected.txt                                (rev 0)
+++ trunk/LayoutTests/fast/frames/frame-unload-navigate-and-setTimeout-assert-fail-expected.txt        2017-03-24 19:34:11 UTC (rev 214365)
</span><span class="lines">@@ -0,0 +1 @@
</span><ins>+PASS did not crash.
</ins></span></pre></div>
<a id="trunkLayoutTestsfastframesframeunloadnavigateandsetTimeoutassertfailhtml"></a>
<div class="addfile"><h4>Added: trunk/LayoutTests/fast/frames/frame-unload-navigate-and-setTimeout-assert-fail.html (0 => 214365)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/fast/frames/frame-unload-navigate-and-setTimeout-assert-fail.html                                (rev 0)
+++ trunk/LayoutTests/fast/frames/frame-unload-navigate-and-setTimeout-assert-fail.html        2017-03-24 19:34:11 UTC (rev 214365)
</span><span class="lines">@@ -0,0 +1,26 @@
</span><ins>+&lt;!DOCTYPE html&gt;
+&lt;html&gt;
+&lt;body&gt;
+&lt;script&gt;
+if (window.testRunner) {
+    testRunner.dumpAsText();
+    testRunner.overridePreference(&quot;WebKitUsesPageCachePreferenceKey&quot;, 1);
+    testRunner.waitUntilDone();
+}
+&lt;/script&gt;
+&lt;iframe id=&quot;iframe&quot;&gt;&lt;/iframe&gt;
+&lt;script&gt;
+var frame = document.getElementById(&quot;iframe&quot;);
+frame.contentWindow.onunload = () =&gt; {
+    var link = document.createElement('a');
+    link.href = &quot;about:blank&quot;;
+    link.click();
+
+    window.setTimeout(() =&gt; {
+        // Do nothing.
+    }, 0);
+};
+window.location = 'javascript:&quot;PASS did not crash.&lt;script&gt;window.testRunner &amp;&amp; window.testRunner.notifyDone();&lt;/' + 'script&gt;&quot;';
+&lt;/script&gt;
+&lt;/body&gt;
+&lt;/html&gt;
</ins></span></pre></div>
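Review bot: the arrow function assigned to frame.contentWindow.onunload closes over the parent page's script scope, so document.createElement('a'), link.click() and window.setTimeout in it all act on the parent window (the one being replaced by the javascript: URL), not on the iframe whose unload event is firing; a one-line comment stating that this is the intended scenario (a subframe's unload handler navigating its parent while the parent is being torn down) would save the next reader from assuming the iframe navigates itself. Also, the expectation file only records "PASS did not crash.", so the test shows the assertion no longer fires but does not check that the navigation started by link.click() was actually refused; asserting that the parent's final document is still the javascript: result would cover the policy the ChangeLog describes.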
<a id="trunkSourceWebCoreChangeLog"></a>
<div class="modfile"><h4>Modified: trunk/Source/WebCore/ChangeLog (214364 => 214365)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebCore/ChangeLog        2017-03-24 19:01:54 UTC (rev 214364)
+++ trunk/Source/WebCore/ChangeLog        2017-03-24 19:34:11 UTC (rev 214365)
</span><span class="lines">@@ -1,3 +1,40 @@
</span><ins>+2017-03-24  Daniel Bates  &lt;dabates@apple.com&gt;
+
+        Prevent new navigations during document unload
+        https://bugs.webkit.org/show_bug.cgi?id=169934
+        &lt;rdar://problem/31247584&gt;
+
+        Reviewed by Chris Dumez.
+
+        Similar to our policy of preventing new navigations from onbeforeunload handlers
+        we should prevent new navigations that are initiated during the document unload
+        process.
+
+        The significant part of this change is the instantiation of the RAII object NavigationDisabler
+        in Document::prepareForDestruction(). The rest of this change just renames class
+        NavigationDisablerForBeforeUnload to NavigationDisabler now that this RAII class is
+        used to prevent navigation from both onbeforeunload event handlers and when unloading
+        a document.
+
+        Test: fast/frames/frame-unload-navigate-and-setTimeout-assert-fail.html
+
+        * dom/Document.cpp:
+        (WebCore::Document::prepareForDestruction): Disable new navigations when disconnecting
+        subframes. Also assert that the document is not in the page cache before we fall off
+        the end of the function.
+        * loader/FrameLoader.cpp:
+        (WebCore::FrameLoader::isNavigationAllowed): Update for renaming below.
+        (WebCore::FrameLoader::shouldClose): Ditto.
+        * loader/NavigationScheduler.cpp:
+        (WebCore::NavigationScheduler::shouldScheduleNavigation): Ditto.
+        * loader/NavigationScheduler.h:
+        (WebCore::NavigationDisabler::NavigationDisabler): Renamed class; formerly named NavigationDisablerForBeforeUnload.
+        (WebCore::NavigationDisabler::~NavigationDisabler): Ditto.
+        (WebCore::NavigationDisabler::isNavigationAllowed): Ditto.
+        (WebCore::NavigationDisablerForBeforeUnload::NavigationDisablerForBeforeUnload): Deleted.
+        (WebCore::NavigationDisablerForBeforeUnload::~NavigationDisablerForBeforeUnload): Deleted.
+        (WebCore::NavigationDisablerForBeforeUnload::isNavigationAllowed): Deleted.
+
</ins><span class="cx"> 2017-03-24  Myles C. Maxfield  &lt;mmaxfield@apple.com&gt;
</span><span class="cx"> 
</span><span class="cx">         Implement font-optical-sizing
</span></span></pre></div>
<a id="trunkSourceWebCoredomDocumentcpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/WebCore/dom/Document.cpp (214364 => 214365)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebCore/dom/Document.cpp        2017-03-24 19:01:54 UTC (rev 214364)
+++ trunk/Source/WebCore/dom/Document.cpp        2017-03-24 19:34:11 UTC (rev 214365)
</span><span class="lines">@@ -2224,8 +2224,12 @@
</span><span class="cx">             cache-&gt;clearTextMarkerNodesInUse(this);
</span><span class="cx">     }
</span><span class="cx"> #endif
</span><del>-    
-    disconnectDescendantFrames();
</del><ins>+
+    {
+        NavigationDisabler navigationDisabler;
+        disconnectDescendantFrames();
+    }
+
</ins><span class="cx">     if (m_domWindow &amp;&amp; m_frame)
</span><span class="cx">         m_domWindow-&gt;willDetachDocumentFromFrame();
</span><span class="cx"> 
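Review bot: NavigationDisabler is backed by a single static counter (s_navigationDisableCount in NavigationScheduler.cpp) and NavigationDisabler::isNavigationAllowed() takes no frame argument, so this scope refuses navigations in every frame of every page in the process for as long as disconnectDescendantFrames() runs, not only within this document's frame tree. That is what makes it catch the case FrameLoader::isNavigationAllowed()'s per-frame m_pageDismissalEventBeingDispatched check cannot (a subframe's unload handler navigating an ancestor), but a short comment above the block saying so, and saying that the scope is deliberately limited to the synchronous unload dispatch inside disconnectDescendantFrames(), would make the intent reviewable without reading the header.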
</span><span class="lines">@@ -2281,6 +2285,11 @@
</span><span class="cx">     detachFromFrame();
</span><span class="cx"> 
</span><span class="cx">     m_hasPreparedForDestruction = true;
</span><ins>+
+    // Note that m_pageCacheState can be Document::AboutToEnterPageCache if our frame
+    // was removed in an onpagehide event handler fired when the top-level frame is
+    // about to enter the page cache.
+    ASSERT_WITH_SECURITY_IMPLICATION(m_pageCacheState != Document::InPageCache);
</ins><span class="cx"> }
</span><span class="cx"> 
</span><span class="cx"> void Document::removeAllEventListeners()
</span></span></pre></div>
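Review bot: ASSERT_WITH_SECURITY_IMPLICATION compiles to nothing in release builds, so in shipping builds nothing stops a document whose m_pageCacheState is InPageCache from completing prepareForDestruction(); if reaching this point while cached has the security implication the macro name asserts, consider whether a RELEASE_ASSERT or an early return is warranted instead. The new comment also explains why AboutToEnterPageCache is tolerated but not what guarantees InPageCache is unreachable here; one sentence on that invariant (for example, who is responsible for ensuring a cached document's frame is never detached) would let a reader check the assertion rather than trust it.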
<a id="trunkSourceWebCoreloaderFrameLoadercpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/WebCore/loader/FrameLoader.cpp (214364 => 214365)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebCore/loader/FrameLoader.cpp        2017-03-24 19:01:54 UTC (rev 214364)
+++ trunk/Source/WebCore/loader/FrameLoader.cpp        2017-03-24 19:34:11 UTC (rev 214365)
</span><span class="lines">@@ -1212,7 +1212,7 @@
</span><span class="cx"> 
</span><span class="cx"> bool FrameLoader::isNavigationAllowed() const
</span><span class="cx"> {
</span><del>-    return m_pageDismissalEventBeingDispatched == PageDismissalType::None &amp;&amp; NavigationDisablerForBeforeUnload::isNavigationAllowed();
</del><ins>+    return m_pageDismissalEventBeingDispatched == PageDismissalType::None &amp;&amp; NavigationDisabler::isNavigationAllowed();
</ins><span class="cx"> }
</span><span class="cx"> 
</span><span class="cx"> void FrameLoader::loadURL(const FrameLoadRequest&amp; frameLoadRequest, const String&amp; referrer, FrameLoadType newLoadType, Event* event, FormState* formState)
</span><span class="lines">@@ -2990,7 +2990,7 @@
</span><span class="cx"> 
</span><span class="cx">     bool shouldClose = false;
</span><span class="cx">     {
</span><del>-        NavigationDisablerForBeforeUnload navigationDisabler;
</del><ins>+        NavigationDisabler navigationDisabler;
</ins><span class="cx">         size_t i;
</span><span class="cx"> 
</span><span class="cx">         for (i = 0; i &lt; targetFrames.size(); i++) {
</span></span></pre></div>
<a id="trunkSourceWebCoreloaderNavigationSchedulercpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/WebCore/loader/NavigationScheduler.cpp (214364 => 214365)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebCore/loader/NavigationScheduler.cpp        2017-03-24 19:01:54 UTC (rev 214364)
+++ trunk/Source/WebCore/loader/NavigationScheduler.cpp        2017-03-24 19:34:11 UTC (rev 214365)
</span><span class="lines">@@ -55,7 +55,7 @@
</span><span class="cx"> 
</span><span class="cx"> namespace WebCore {
</span><span class="cx"> 
</span><del>-unsigned NavigationDisablerForBeforeUnload::s_navigationDisableCount = 0;
</del><ins>+unsigned NavigationDisabler::s_navigationDisableCount = 0;
</ins><span class="cx"> 
</span><span class="cx"> class ScheduledNavigation {
</span><span class="cx">     WTF_MAKE_NONCOPYABLE(ScheduledNavigation); WTF_MAKE_FAST_ALLOCATED;
</span><span class="lines">@@ -364,7 +364,7 @@
</span><span class="cx">         return false;
</span><span class="cx">     if (protocolIsJavaScript(url))
</span><span class="cx">         return true;
</span><del>-    return NavigationDisablerForBeforeUnload::isNavigationAllowed();
</del><ins>+    return NavigationDisabler::isNavigationAllowed();
</ins><span class="cx"> }
</span><span class="cx"> 
</span><span class="cx"> void NavigationScheduler::scheduleRedirect(Document&amp; initiatingDocument, double delay, const URL&amp; url)
</span></span></pre></div>
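Review bot: the "if (protocolIsJavaScript(url)) return true;" two lines above the renamed call means a scheduled navigation to a javascript: URL is allowed even while a NavigationDisabler is live, so the unload-time policy this patch adds does not apply to that case, and a javascript: URL can replace the document, as the new layout test's own "window.location = 'javascript:...'" line demonstrates. If the bypass is intentional, a comment here saying why would keep the next reader from treating it as a gap; if it is not, the new test could be extended with a variant that assigns a javascript: URL from the onunload handler.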
<a id="trunkSourceWebCoreloaderNavigationSchedulerh"></a>
<div class="modfile"><h4>Modified: trunk/Source/WebCore/loader/NavigationScheduler.h (214364 => 214365)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebCore/loader/NavigationScheduler.h        2017-03-24 19:01:54 UTC (rev 214364)
+++ trunk/Source/WebCore/loader/NavigationScheduler.h        2017-03-24 19:34:11 UTC (rev 214365)
</span><span class="lines">@@ -43,13 +43,13 @@
</span><span class="cx"> class SecurityOrigin;
</span><span class="cx"> class URL;
</span><span class="cx"> 
</span><del>-class NavigationDisablerForBeforeUnload {
</del><ins>+class NavigationDisabler {
</ins><span class="cx"> public:
</span><del>-    NavigationDisablerForBeforeUnload()
</del><ins>+    NavigationDisabler()
</ins><span class="cx">     {
</span><span class="cx">         s_navigationDisableCount++;
</span><span class="cx">     }
</span><del>-    ~NavigationDisablerForBeforeUnload()
</del><ins>+    ~NavigationDisabler()
</ins><span class="cx">     {
</span><span class="cx">         ASSERT(s_navigationDisableCount);
</span><span class="cx">         s_navigationDisableCount--;
</span></span></pre>
</div>
</div>

</body>
</html>