[Webkit-unassigned] [Bug 53733] New: Timers can fire after a frame has been put into the page cache

Thu Feb 3 16:31:37 PST 2011

https://bugs.webkit.org/show_bug.cgi?id=53733

           Summary: Timers can fire after a frame has been put into the
                    page cache
           Product: WebKit
           Version: 528+ (Nightly build)
          Platform: All
        OS/Version: All
            Status: NEW
          Severity: Normal
          Priority: P2
         Component: HTML DOM
        AssignedTo: webkit-unassigned at lists.webkit.org
        ReportedBy: mihaip at chromium.org
                CC: ap at webkit.org, beidson at apple.com

As a follow-up from the fix on bug 53648, it's still possible to execute JavaScript in a frame after active DOM objects have been suspended. Given this frame hierarchy:

Main frame
   frame A
   frame B

When navigating away from the main frame (and putting it in the page cache via CachedFrame), we still do things in this order:

1. Fire pagehide for the main frame
2. Fire pagehide for frame A
3. Suspend active DOM objects for frame A
4. Fire pagehide for frame B
5. Suspend active DOM objects for frame B
6. Suspend active DOM objects for the main frame

If frame B in its pagehide handler calls a function in frame A that uses setTimeout, that timer will not be suspended, and could fire while in the page cache.

The correct fix would be to separate the recursion steps; one full pass to fire pagehide and another to suspend active DOM objects. This may require some refactoring of CachedFrame::CachedFrame, where all this happens currently.

-- 
Configure bugmail: https://bugs.webkit.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.