Layout Test fast/events/beforeunload-dom-manipulation-crash.html is crashing
author pvollan@apple.com <pvollan@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Thu, 1 Feb 2018 04:18:38 +0000 (04:18 +0000)
committer pvollan@apple.com <pvollan@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Thu, 1 Feb 2018 04:18:38 +0000 (04:18 +0000)
commit e35fdcf91a63965c288bba3952b022db204739d7
tree 89a6c9dbbf4da90c31680efc629d8923de0f9a0a
parent 1585724930f67be27045eab99c1035fbb3347dad
Layout Test fast/events/beforeunload-dom-manipulation-crash.html is crashing
https://bugs.webkit.org/show_bug.cgi?id=181204
<rdar://problem/36256274>

Reviewed by Ryosuke Niwa.

Source/WebCore:

When a frame element is moved in the DOM tree during the execution of a beforeunload handler,
the frame will be detached when removed from its previous position in the DOM tree. When being
detached, an attempt will also be made to stop the load by calling FrameLoader::stopAllLoaders().
However, this method will return early when executed in a beforeunload handler, since navigation
is not allowed then. The end result is a detached frame which will continue to load, hitting
asserts in DocumentLoader::dataReceived() and DocumentLoader::notifyFinished(). It should be
possible to stop a frame load, even when executing a beforeunload handler.

No new tests. Covered by the existing test fast/events/beforeunload-dom-manipulation-crash.html.

* history/PageCache.cpp:
(WebCore::PageCache::addIfCacheable): Fix a failing API test by allowing scripts to be executed
under the PageCache::prune method.
* loader/FrameLoader.cpp:
(WebCore::FrameLoader::isStopLoadingAllowed const):
(WebCore::FrameLoader::stopAllLoaders):
* loader/FrameLoader.h:
* svg/graphics/SVGImage.cpp:
(WebCore::SVGImage::~SVGImage): Disable scripts disallowed assertions in this scope, since it is
safe in this context.

Tools:

Implement 'testRunner.forceImmediateCompletion()' for WK1.

* DumpRenderTree/TestRunner.cpp:
(forceImmediateCompletionCallback):
(TestRunner::staticFunctions):

LayoutTests:

* fast/events/beforeunload-dom-manipulation-crash.html: Make it clear that the
frame element is a child of the 'del' element.
* fast/events/beforeunload-dom-manipulation-crash-expected.html:
* platform/mac-wk1/TestExpectations: Unskip test.

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@227948 268f45cc-cd09-0410-ab3c-d52691b4dbfc
LayoutTests/ChangeLog
LayoutTests/fast/events/beforeunload-dom-manipulation-crash-expected.txt
LayoutTests/fast/events/beforeunload-dom-manipulation-crash.html
LayoutTests/platform/mac-wk1/TestExpectations
Source/WebCore/ChangeLog
Source/WebCore/history/PageCache.cpp
Source/WebCore/loader/FrameLoader.cpp
Source/WebCore/loader/FrameLoader.h
Source/WebCore/svg/graphics/SVGImage.cpp
Tools/ChangeLog
Tools/DumpRenderTree/TestRunner.cpp
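
The failure described in the commit message, as an added toy model that is not WebKit's code and not part of this commit: it shows why gating the stop on the navigation check leaves a detached frame loading, and how a separate stop-loading check avoids that. Every name here (`ToyFrameLoader`, `Dismissal`, `survivesMoveInBeforeUnload`, the `stopAllowedInBeforeUnload` flag) is hypothetical, and the loader is reduced to three state variables.

```cpp
// Toy model, not WebKit code: all types and names are hypothetical.
enum class Dismissal { None, BeforeUnload };

struct ToyFrameLoader {
    Dismissal dispatching = Dismissal::None;
    bool attached = true;
    bool loading = true;
    bool stopAllowedInBeforeUnload; // false models the behaviour before the fix

    explicit ToyFrameLoader(bool fixed) : stopAllowedInBeforeUnload(fixed) {}

    // Navigation stays forbidden while a beforeunload handler is running.
    bool isNavigationAllowed() const { return dispatching == Dismissal::None; }

    // Stopping a load is a separate question from starting a navigation.
    bool isStopLoadingAllowed() const {
        return isNavigationAllowed()
            || (stopAllowedInBeforeUnload && dispatching == Dismissal::BeforeUnload);
    }

    void stopAllLoaders() {
        if (!isStopLoadingAllowed())
            return; // early return: the load keeps running
        loading = false;
    }

    // Removing the frame element from its old position detaches the frame.
    void detach() { stopAllLoaders(); attached = false; }

    // False when a load is still delivering data to a detached frame,
    // the state the commit message says trips the DocumentLoader asserts.
    bool consistentWhenDataArrives() const { return !loading || attached; }
};

// Simulates a beforeunload handler that moves the frame element in the tree.
bool survivesMoveInBeforeUnload(bool fixed) {
    ToyFrameLoader loader(fixed);
    loader.dispatching = Dismissal::BeforeUnload; // handler starts
    loader.detach();                              // element removed from old parent
    loader.dispatching = Dismissal::None;         // handler returns
    return loader.consistentWhenDataArrives();    // network data arrives later
}

int main() {
    return (survivesMoveInBeforeUnload(true) && !survivesMoveInBeforeUnload(false)) ? 0 : 1;
}
```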