History.pushState causes intense memory pressure.
authorbeidson@apple.com <beidson@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Tue, 26 Jan 2016 22:48:15 +0000 (22:48 +0000)
committerbeidson@apple.com <beidson@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Tue, 26 Jan 2016 22:48:15 +0000 (22:48 +0000)
https://bugs.webkit.org/show_bug.cgi?id=153435

Reviewed by Sam Weinig, Oliver Hunt, and Geoff Garen.

Source/WebCore:

Tests: fast/loader/stateobjects/pushstate-frequency-iframe.html
       fast/loader/stateobjects/pushstate-frequency-with-user-gesture.html
       fast/loader/stateobjects/pushstate-frequency.html
       fast/loader/stateobjects/replacestate-frequency-iframe.html
       fast/loader/stateobjects/replacestate-frequency-with-user-gesture.html
       fast/loader/stateobjects/replacestate-frequency.html
       loader/stateobjects/pushstate-size-iframe.html
       loader/stateobjects/pushstate-size.html
       loader/stateobjects/replacestate-size-iframe.html
       loader/stateobjects/replacestate-size.html

Add restrictions on how frequently push/replaceState can be called,
as well as how much of a cumulative payload they can deliver.

* bindings/js/JSHistoryCustom.cpp:
(WebCore::JSHistory::pushState):
(WebCore::JSHistory::replaceState):

* page/History.cpp:
(WebCore::History::stateObjectAdded):
* page/History.h:

LayoutTests:

* TestExpectations: Mark some of the new tests as slow.

* fast/loader/stateobjects/pushstate-frequency-expected.txt: Added.
* fast/loader/stateobjects/pushstate-frequency-iframe-expected.txt: Added.
* fast/loader/stateobjects/pushstate-frequency-iframe.html: Added.
* fast/loader/stateobjects/pushstate-frequency-with-user-gesture-expected.txt: Added.
* fast/loader/stateobjects/pushstate-frequency-with-user-gesture.html: Added.
* fast/loader/stateobjects/pushstate-frequency.html: Added.
* fast/loader/stateobjects/replacestate-frequency-expected.txt: Added.
* fast/loader/stateobjects/replacestate-frequency-iframe-expected.txt: Added.
* fast/loader/stateobjects/replacestate-frequency-iframe.html: Added.
* fast/loader/stateobjects/replacestate-frequency-with-user-gesture-expected.txt: Added.
* fast/loader/stateobjects/replacestate-frequency-with-user-gesture.html: Added.
* fast/loader/stateobjects/replacestate-frequency.html: Added.
* fast/loader/stateobjects/resources/pushstate-iframe.html: Added.
* fast/loader/stateobjects/resources/replacestate-iframe.html: Added.
* loader/stateobjects/pushstate-size-expected.txt: Added.
* loader/stateobjects/pushstate-size-iframe-expected.txt: Added.
* loader/stateobjects/pushstate-size-iframe.html: Added.
* loader/stateobjects/pushstate-size.html: Added.
* loader/stateobjects/replacestate-size-expected.txt: Added.
* loader/stateobjects/replacestate-size-iframe-expected.txt: Added.
* loader/stateobjects/replacestate-size-iframe.html: Added.
* loader/stateobjects/replacestate-size.html: Added.
* loader/stateobjects/resources/pushstate-iframe.html: Added.
* loader/stateobjects/resources/replacestate-iframe.html: Added.

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@195625 268f45cc-cd09-0410-ab3c-d52691b4dbfc

30 files changed:
LayoutTests/ChangeLog
LayoutTests/TestExpectations
LayoutTests/fast/loader/stateobjects/pushstate-frequency-expected.txt [new file with mode: 0644]
LayoutTests/fast/loader/stateobjects/pushstate-frequency-iframe-expected.txt [new file with mode: 0644]
LayoutTests/fast/loader/stateobjects/pushstate-frequency-iframe.html [new file with mode: 0644]
LayoutTests/fast/loader/stateobjects/pushstate-frequency-with-user-gesture-expected.txt [new file with mode: 0644]
LayoutTests/fast/loader/stateobjects/pushstate-frequency-with-user-gesture.html [new file with mode: 0644]
LayoutTests/fast/loader/stateobjects/pushstate-frequency.html [new file with mode: 0644]
LayoutTests/fast/loader/stateobjects/replacestate-frequency-expected.txt [new file with mode: 0644]
LayoutTests/fast/loader/stateobjects/replacestate-frequency-iframe-expected.txt [new file with mode: 0644]
LayoutTests/fast/loader/stateobjects/replacestate-frequency-iframe.html [new file with mode: 0644]
LayoutTests/fast/loader/stateobjects/replacestate-frequency-with-user-gesture-expected.txt [new file with mode: 0644]
LayoutTests/fast/loader/stateobjects/replacestate-frequency-with-user-gesture.html [new file with mode: 0644]
LayoutTests/fast/loader/stateobjects/replacestate-frequency.html [new file with mode: 0644]
LayoutTests/fast/loader/stateobjects/resources/pushstate-iframe.html [new file with mode: 0644]
LayoutTests/fast/loader/stateobjects/resources/replacestate-iframe.html [new file with mode: 0644]
LayoutTests/loader/stateobjects/pushstate-size-expected.txt [new file with mode: 0644]
LayoutTests/loader/stateobjects/pushstate-size-iframe-expected.txt [new file with mode: 0644]
LayoutTests/loader/stateobjects/pushstate-size-iframe.html [new file with mode: 0644]
LayoutTests/loader/stateobjects/pushstate-size.html [new file with mode: 0644]
LayoutTests/loader/stateobjects/replacestate-size-expected.txt [new file with mode: 0644]
LayoutTests/loader/stateobjects/replacestate-size-iframe-expected.txt [new file with mode: 0644]
LayoutTests/loader/stateobjects/replacestate-size-iframe.html [new file with mode: 0644]
LayoutTests/loader/stateobjects/replacestate-size.html [new file with mode: 0644]
LayoutTests/loader/stateobjects/resources/pushstate-iframe.html [new file with mode: 0644]
LayoutTests/loader/stateobjects/resources/replacestate-iframe.html [new file with mode: 0644]
Source/WebCore/ChangeLog
Source/WebCore/bindings/js/JSHistoryCustom.cpp
Source/WebCore/page/History.cpp
Source/WebCore/page/History.h

index ce00a7c..05aff9a 100644 (file)
@@ -1,3 +1,37 @@
+2016-01-26  Brady Eidson  <beidson@apple.com>
+
+        History.pushState causes intense memory pressure.
+        https://bugs.webkit.org/show_bug.cgi?id=153435
+
+        Reviewed by Sam Weinig, Oliver Hunt, and Geoff Garen.
+
+        * TestExpectations: Mark some of the new tests as slow.
+        
+        * fast/loader/stateobjects/pushstate-frequency-expected.txt: Added.
+        * fast/loader/stateobjects/pushstate-frequency-iframe-expected.txt: Added.
+        * fast/loader/stateobjects/pushstate-frequency-iframe.html: Added.
+        * fast/loader/stateobjects/pushstate-frequency-with-user-gesture-expected.txt: Added.
+        * fast/loader/stateobjects/pushstate-frequency-with-user-gesture.html: Added.
+        * fast/loader/stateobjects/pushstate-frequency.html: Added.
+        * fast/loader/stateobjects/replacestate-frequency-expected.txt: Added.
+        * fast/loader/stateobjects/replacestate-frequency-iframe-expected.txt: Added.
+        * fast/loader/stateobjects/replacestate-frequency-iframe.html: Added.
+        * fast/loader/stateobjects/replacestate-frequency-with-user-gesture-expected.txt: Added.
+        * fast/loader/stateobjects/replacestate-frequency-with-user-gesture.html: Added.
+        * fast/loader/stateobjects/replacestate-frequency.html: Added.
+        * fast/loader/stateobjects/resources/pushstate-iframe.html: Added.
+        * fast/loader/stateobjects/resources/replacestate-iframe.html: Added.
+        * loader/stateobjects/pushstate-size-expected.txt: Added.
+        * loader/stateobjects/pushstate-size-iframe-expected.txt: Added.
+        * loader/stateobjects/pushstate-size-iframe.html: Added.
+        * loader/stateobjects/pushstate-size.html: Added.
+        * loader/stateobjects/replacestate-size-expected.txt: Added.
+        * loader/stateobjects/replacestate-size-iframe-expected.txt: Added.
+        * loader/stateobjects/replacestate-size-iframe.html: Added.
+        * loader/stateobjects/replacestate-size.html: Added.
+        * loader/stateobjects/resources/pushstate-iframe.html: Added.
+        * loader/stateobjects/resources/replacestate-iframe.html: Added.
+        
 2016-01-26  Ryan Haddad  <ryanhaddad@apple.com>
 
         Rebaselining cssom/subpixel-offsetleft-top-width-height-values.html for ios-simulator
index d48fc14..5cc9901 100644 (file)
@@ -847,3 +847,9 @@ http/tests/security/contentSecurityPolicy/script-src-blocked-error-event.html [
 http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-overrides-xfo.html # Needs expected file.
 http/tests/security/contentSecurityPolicy/1.1/scripthash-default-src.html # Needs expected file.
 http/tests/security/contentSecurityPolicy/1.1/stylehash-default-src.html # Needs expected file.
+
+# These state object tests purposefully stress a resource limit, and take multiple seconds to run.
+loader/stateobjects/pushstate-size-iframe.html [ Slow ]
+loader/stateobjects/pushstate-size.html [ Slow ]
+loader/stateobjects/replacestate-size-iframe.html [ Slow ]
+loader/stateobjects/replacestate-size.html [ Slow ]
diff --git a/LayoutTests/fast/loader/stateobjects/pushstate-frequency-expected.txt b/LayoutTests/fast/loader/stateobjects/pushstate-frequency-expected.txt
new file mode 100644 (file)
index 0000000..e1a18b1
--- /dev/null
@@ -0,0 +1,104 @@
+Test should complete quickly and not crash.
+Successfully added item: 0
+Successfully added item: 1
+Successfully added item: 2
+Successfully added item: 3
+Successfully added item: 4
+Successfully added item: 5
+Successfully added item: 6
+Successfully added item: 7
+Successfully added item: 8
+Successfully added item: 9
+Successfully added item: 10
+Successfully added item: 11
+Successfully added item: 12
+Successfully added item: 13
+Successfully added item: 14
+Successfully added item: 15
+Successfully added item: 16
+Successfully added item: 17
+Successfully added item: 18
+Successfully added item: 19
+Successfully added item: 20
+Successfully added item: 21
+Successfully added item: 22
+Successfully added item: 23
+Successfully added item: 24
+Successfully added item: 25
+Successfully added item: 26
+Successfully added item: 27
+Successfully added item: 28
+Successfully added item: 29
+Successfully added item: 30
+Successfully added item: 31
+Successfully added item: 32
+Successfully added item: 33
+Successfully added item: 34
+Successfully added item: 35
+Successfully added item: 36
+Successfully added item: 37
+Successfully added item: 38
+Successfully added item: 39
+Successfully added item: 40
+Successfully added item: 41
+Successfully added item: 42
+Successfully added item: 43
+Successfully added item: 44
+Successfully added item: 45
+Successfully added item: 46
+Successfully added item: 47
+Successfully added item: 48
+Successfully added item: 49
+Successfully added item: 50
+Successfully added item: 51
+Successfully added item: 52
+Successfully added item: 53
+Successfully added item: 54
+Successfully added item: 55
+Successfully added item: 56
+Successfully added item: 57
+Successfully added item: 58
+Successfully added item: 59
+Successfully added item: 60
+Successfully added item: 61
+Successfully added item: 62
+Successfully added item: 63
+Successfully added item: 64
+Successfully added item: 65
+Successfully added item: 66
+Successfully added item: 67
+Successfully added item: 68
+Successfully added item: 69
+Successfully added item: 70
+Successfully added item: 71
+Successfully added item: 72
+Successfully added item: 73
+Successfully added item: 74
+Successfully added item: 75
+Successfully added item: 76
+Successfully added item: 77
+Successfully added item: 78
+Successfully added item: 79
+Successfully added item: 80
+Successfully added item: 81
+Successfully added item: 82
+Successfully added item: 83
+Successfully added item: 84
+Successfully added item: 85
+Successfully added item: 86
+Successfully added item: 87
+Successfully added item: 88
+Successfully added item: 89
+Successfully added item: 90
+Successfully added item: 91
+Successfully added item: 92
+Successfully added item: 93
+Successfully added item: 94
+Successfully added item: 95
+Successfully added item: 96
+Successfully added item: 97
+Successfully added item: 98
+Successfully added item: 99
+Error: SecurityError: DOM Exception 18
+Test complete
+
diff --git a/LayoutTests/fast/loader/stateobjects/pushstate-frequency-iframe-expected.txt b/LayoutTests/fast/loader/stateobjects/pushstate-frequency-iframe-expected.txt
new file mode 100644 (file)
index 0000000..0236a4f
--- /dev/null
@@ -0,0 +1,111 @@
+Test should complete quickly and not crash.
+Test does pushStates both from the main frame and from an iframe and makes sure they both count against state object count limit.
+Click to test pushState through a user gesture
+Successfully added item: 0
+Successfully added item: 1
+Successfully added item: 2
+Successfully added item: 3
+Successfully added item: 4
+Successfully added item: 5
+Successfully added item: 6
+Successfully added item: 7
+Successfully added item: 8
+Successfully added item: 9
+Successfully added item: 10
+Successfully added item: 11
+Successfully added item: 12
+Successfully added item: 13
+Successfully added item: 14
+Successfully added item: 15
+Successfully added item: 16
+Successfully added item: 17
+Successfully added item: 18
+Successfully added item: 19
+Successfully added item: 20
+Successfully added item: 21
+Successfully added item: 22
+Successfully added item: 23
+Successfully added item: 24
+Successfully added item: 25
+Successfully added item: 26
+Successfully added item: 27
+Successfully added item: 28
+Successfully added item: 29
+Successfully added item: 30
+Successfully added item: 31
+Successfully added item: 32
+Successfully added item: 33
+Successfully added item: 34
+Successfully added item: 35
+Successfully added item: 36
+Successfully added item: 37
+Successfully added item: 38
+Successfully added item: 39
+Successfully added item: 40
+Successfully added item: 41
+Successfully added item: 42
+Successfully added item: 43
+Successfully added item: 44
+Successfully added item: 45
+Successfully added item: 46
+Successfully added item: 47
+Successfully added item: 48
+Successfully added item: 49
+Successfully added item: 50
+Successfully added item: 51
+Successfully added item: 52
+Successfully added item: 53
+Successfully added item: 54
+Successfully added item: 55
+Successfully added item: 56
+Successfully added item: 57
+Successfully added item: 58
+Successfully added item: 59
+Successfully added item: 60
+Successfully added item: 61
+Successfully added item: 62
+Successfully added item: 63
+Successfully added item: 64
+Successfully added item: 65
+Successfully added item: 66
+Successfully added item: 67
+Successfully added item: 68
+Successfully added item: 69
+Successfully added item: 70
+Successfully added item: 71
+Successfully added item: 72
+Successfully added item: 73
+Successfully added item: 74
+
+
+--------
+Frame: '<!--framePath //<!--frame0-->-->'
+--------
+Adding state objects in iframe
+Successfully added item: 0
+Successfully added item: 1
+Successfully added item: 2
+Successfully added item: 3
+Successfully added item: 4
+Successfully added item: 5
+Successfully added item: 6
+Successfully added item: 7
+Successfully added item: 8
+Successfully added item: 9
+Successfully added item: 10
+Successfully added item: 11
+Successfully added item: 12
+Successfully added item: 13
+Successfully added item: 14
+Successfully added item: 15
+Successfully added item: 16
+Successfully added item: 17
+Successfully added item: 18
+Successfully added item: 19
+Successfully added item: 20
+Successfully added item: 21
+Successfully added item: 22
+Successfully added item: 23
+Successfully added item: 24
+Expected exception: Error: SecurityError: DOM Exception 18
+
diff --git a/LayoutTests/fast/loader/stateobjects/pushstate-frequency-iframe.html b/LayoutTests/fast/loader/stateobjects/pushstate-frequency-iframe.html
new file mode 100644 (file)
index 0000000..c8f097a
--- /dev/null
@@ -0,0 +1,40 @@
+<script>
+
+if (window.testRunner) {
+    testRunner.dumpAsText();
+    testRunner.dumpChildFramesAsText();
+    testRunner.waitUntilDone();
+}
+
+function log(msg) {
+    document.getElementById("logger").innerHTML += msg + "<br>";
+}
+
+window.onload = function()
+{
+    try {
+        for( var i = 0; i < 75; ++i ) {
+            history.pushState(0, 0, i.toString());
+            log("Successfully added item: " + i);
+        }
+    } catch (e) {
+        log(e);
+    }
+
+    openFrame();
+}
+
+function openFrame()
+{
+    var iframe = document.createElement('iframe');
+    iframe.src = 'resources/pushstate-iframe.html'
+    document.body.appendChild(iframe);
+}
+
+</script>
+<body>
+Test should complete quickly and not crash.<br>
+Test does pushStates both from the main frame and from an iframe and makes sure they both count against state object count limit.<br>
+<button id="button" onclick="clicked();">Click to test pushState through a user gesture</button>
+<div id="logger"></div>
+</body>
diff --git a/LayoutTests/fast/loader/stateobjects/pushstate-frequency-with-user-gesture-expected.txt b/LayoutTests/fast/loader/stateobjects/pushstate-frequency-with-user-gesture-expected.txt
new file mode 100644 (file)
index 0000000..28dc476
--- /dev/null
@@ -0,0 +1,206 @@
+Test should complete quickly and not crash.
+Click to test pushState through a user gesture
+Successfully added item: 0
+Successfully added item: 1
+Successfully added item: 2
+Successfully added item: 3
+Successfully added item: 4
+Successfully added item: 5
+Successfully added item: 6
+Successfully added item: 7
+Successfully added item: 8
+Successfully added item: 9
+Successfully added item: 10
+Successfully added item: 11
+Successfully added item: 12
+Successfully added item: 13
+Successfully added item: 14
+Successfully added item: 15
+Successfully added item: 16
+Successfully added item: 17
+Successfully added item: 18
+Successfully added item: 19
+Successfully added item: 20
+Successfully added item: 21
+Successfully added item: 22
+Successfully added item: 23
+Successfully added item: 24
+Successfully added item: 25
+Successfully added item: 26
+Successfully added item: 27
+Successfully added item: 28
+Successfully added item: 29
+Successfully added item: 30
+Successfully added item: 31
+Successfully added item: 32
+Successfully added item: 33
+Successfully added item: 34
+Successfully added item: 35
+Successfully added item: 36
+Successfully added item: 37
+Successfully added item: 38
+Successfully added item: 39
+Successfully added item: 40
+Successfully added item: 41
+Successfully added item: 42
+Successfully added item: 43
+Successfully added item: 44
+Successfully added item: 45
+Successfully added item: 46
+Successfully added item: 47
+Successfully added item: 48
+Successfully added item: 49
+Successfully added item: 50
+Successfully added item: 51
+Successfully added item: 52
+Successfully added item: 53
+Successfully added item: 54
+Successfully added item: 55
+Successfully added item: 56
+Successfully added item: 57
+Successfully added item: 58
+Successfully added item: 59
+Successfully added item: 60
+Successfully added item: 61
+Successfully added item: 62
+Successfully added item: 63
+Successfully added item: 64
+Successfully added item: 65
+Successfully added item: 66
+Successfully added item: 67
+Successfully added item: 68
+Successfully added item: 69
+Successfully added item: 70
+Successfully added item: 71
+Successfully added item: 72
+Successfully added item: 73
+Successfully added item: 74
+Successfully added item: 75
+Successfully added item: 76
+Successfully added item: 77
+Successfully added item: 78
+Successfully added item: 79
+Successfully added item: 80
+Successfully added item: 81
+Successfully added item: 82
+Successfully added item: 83
+Successfully added item: 84
+Successfully added item: 85
+Successfully added item: 86
+Successfully added item: 87
+Successfully added item: 88
+Successfully added item: 89
+Successfully added item: 90
+Successfully added item: 91
+Successfully added item: 92
+Successfully added item: 93
+Successfully added item: 94
+Successfully added item: 95
+Successfully added item: 96
+Successfully added item: 97
+Successfully added item: 98
+Successfully added item: 99
+Error: SecurityError: DOM Exception 18
+Successfully added user gesture item: 0
+Successfully added user gesture item: 1
+Successfully added user gesture item: 2
+Successfully added user gesture item: 3
+Successfully added user gesture item: 4
+Successfully added user gesture item: 5
+Successfully added user gesture item: 6
+Successfully added user gesture item: 7
+Successfully added user gesture item: 8
+Successfully added user gesture item: 9
+Successfully added user gesture item: 10
+Successfully added user gesture item: 11
+Successfully added user gesture item: 12
+Successfully added user gesture item: 13
+Successfully added user gesture item: 14
+Successfully added user gesture item: 15
+Successfully added user gesture item: 16
+Successfully added user gesture item: 17
+Successfully added user gesture item: 18
+Successfully added user gesture item: 19
+Successfully added user gesture item: 20
+Successfully added user gesture item: 21
+Successfully added user gesture item: 22
+Successfully added user gesture item: 23
+Successfully added user gesture item: 24
+Successfully added user gesture item: 25
+Successfully added user gesture item: 26
+Successfully added user gesture item: 27
+Successfully added user gesture item: 28
+Successfully added user gesture item: 29
+Successfully added user gesture item: 30
+Successfully added user gesture item: 31
+Successfully added user gesture item: 32
+Successfully added user gesture item: 33
+Successfully added user gesture item: 34
+Successfully added user gesture item: 35
+Successfully added user gesture item: 36
+Successfully added user gesture item: 37
+Successfully added user gesture item: 38
+Successfully added user gesture item: 39
+Successfully added user gesture item: 40
+Successfully added user gesture item: 41
+Successfully added user gesture item: 42
+Successfully added user gesture item: 43
+Successfully added user gesture item: 44
+Successfully added user gesture item: 45
+Successfully added user gesture item: 46
+Successfully added user gesture item: 47
+Successfully added user gesture item: 48
+Successfully added user gesture item: 49
+Successfully added user gesture item: 50
+Successfully added user gesture item: 51
+Successfully added user gesture item: 52
+Successfully added user gesture item: 53
+Successfully added user gesture item: 54
+Successfully added user gesture item: 55
+Successfully added user gesture item: 56
+Successfully added user gesture item: 57
+Successfully added user gesture item: 58
+Successfully added user gesture item: 59
+Successfully added user gesture item: 60
+Successfully added user gesture item: 61
+Successfully added user gesture item: 62
+Successfully added user gesture item: 63
+Successfully added user gesture item: 64
+Successfully added user gesture item: 65
+Successfully added user gesture item: 66
+Successfully added user gesture item: 67
+Successfully added user gesture item: 68
+Successfully added user gesture item: 69
+Successfully added user gesture item: 70
+Successfully added user gesture item: 71
+Successfully added user gesture item: 72
+Successfully added user gesture item: 73
+Successfully added user gesture item: 74
+Successfully added user gesture item: 75
+Successfully added user gesture item: 76
+Successfully added user gesture item: 77
+Successfully added user gesture item: 78
+Successfully added user gesture item: 79
+Successfully added user gesture item: 80
+Successfully added user gesture item: 81
+Successfully added user gesture item: 82
+Successfully added user gesture item: 83
+Successfully added user gesture item: 84
+Successfully added user gesture item: 85
+Successfully added user gesture item: 86
+Successfully added user gesture item: 87
+Successfully added user gesture item: 88
+Successfully added user gesture item: 89
+Successfully added user gesture item: 90
+Successfully added user gesture item: 91
+Successfully added user gesture item: 92
+Successfully added user gesture item: 93
+Successfully added user gesture item: 94
+Successfully added user gesture item: 95
+Successfully added user gesture item: 96
+Successfully added user gesture item: 97
+Successfully added user gesture item: 98
+Successfully added user gesture item: 99
+User gesture: Error: SecurityError: DOM Exception 18
+Test complete
+
diff --git a/LayoutTests/fast/loader/stateobjects/pushstate-frequency-with-user-gesture.html b/LayoutTests/fast/loader/stateobjects/pushstate-frequency-with-user-gesture.html
new file mode 100644 (file)
index 0000000..29768f3
--- /dev/null
@@ -0,0 +1,51 @@
+<script>
+
+if (window.testRunner) {
+    testRunner.dumpAsText();
+    testRunner.waitUntilDone();
+}
+
+function log(msg) {
+    document.getElementById("logger").innerHTML += msg + "<br>";
+}
+
+window.onload = function()
+{
+    try {
+        for( var i = 0; i < 100000; ++i ) {
+            history.pushState(0, 0, i);
+            log("Successfully added item: " + i);
+        }
+    } catch (e) {
+        log(e);
+    }
+    
+    var button = document.getElementById("button");
+    eventSender.mouseMoveTo(button.offsetLeft + 5, button.offsetTop + 5);
+    eventSender.mouseDown();
+    eventSender.mouseUp();
+}
+
+function clicked()
+{
+    try {
+        for( var i = 0; i < 100000; ++i ) {
+            history.pushState(0, 0, i);
+            log("Successfully added user gesture item: " + i);
+        }
+    } catch (e) {
+        log("User gesture: " + e);
+    }
+
+    if (window.testRunner)
+        testRunner.notifyDone();
+
+    log("Test complete");
+}
+
+</script>
+<body>
+Test should complete quickly and not crash.<br>
+<button id="button" onclick="clicked();">Click to test pushState through a user gesture</button>
+<div id="logger"></div>
+</body>
diff --git a/LayoutTests/fast/loader/stateobjects/pushstate-frequency.html b/LayoutTests/fast/loader/stateobjects/pushstate-frequency.html
new file mode 100644 (file)
index 0000000..a76e2bf
--- /dev/null
@@ -0,0 +1,32 @@
+<script>
+
+if (window.testRunner) {
+    testRunner.dumpAsText();
+    testRunner.waitUntilDone();
+}
+
+function log(msg) {
+    document.getElementById("logger").innerHTML += msg + "<br>";
+}
+
+window.onload = function() {
+    try {
+        for( var i = 0; i < 100000; ++i ) {
+            history.pushState(0, 0, i.toString());
+            log("Successfully added item: " + i);
+        }
+    } catch (e) {
+        log(e);
+    }
+
+    if (window.testRunner)
+        testRunner.notifyDone();
+
+    log("Test complete");
+}
+
+</script>
+<body>
+Test should complete quickly and not crash.<br>
+<div id="logger"></div>
+</body>
diff --git a/LayoutTests/fast/loader/stateobjects/replacestate-frequency-expected.txt b/LayoutTests/fast/loader/stateobjects/replacestate-frequency-expected.txt
new file mode 100644 (file)
index 0000000..e1a18b1
--- /dev/null
@@ -0,0 +1,104 @@
+Test should complete quickly and not crash.
+Successfully added item: 0
+Successfully added item: 1
+Successfully added item: 2
+Successfully added item: 3
+Successfully added item: 4
+Successfully added item: 5
+Successfully added item: 6
+Successfully added item: 7
+Successfully added item: 8
+Successfully added item: 9
+Successfully added item: 10
+Successfully added item: 11
+Successfully added item: 12
+Successfully added item: 13
+Successfully added item: 14
+Successfully added item: 15
+Successfully added item: 16
+Successfully added item: 17
+Successfully added item: 18
+Successfully added item: 19
+Successfully added item: 20
+Successfully added item: 21
+Successfully added item: 22
+Successfully added item: 23
+Successfully added item: 24
+Successfully added item: 25
+Successfully added item: 26
+Successfully added item: 27
+Successfully added item: 28
+Successfully added item: 29
+Successfully added item: 30
+Successfully added item: 31
+Successfully added item: 32
+Successfully added item: 33
+Successfully added item: 34
+Successfully added item: 35
+Successfully added item: 36
+Successfully added item: 37
+Successfully added item: 38
+Successfully added item: 39
+Successfully added item: 40
+Successfully added item: 41
+Successfully added item: 42
+Successfully added item: 43
+Successfully added item: 44
+Successfully added item: 45
+Successfully added item: 46
+Successfully added item: 47
+Successfully added item: 48
+Successfully added item: 49
+Successfully added item: 50
+Successfully added item: 51
+Successfully added item: 52
+Successfully added item: 53
+Successfully added item: 54
+Successfully added item: 55
+Successfully added item: 56
+Successfully added item: 57
+Successfully added item: 58
+Successfully added item: 59
+Successfully added item: 60
+Successfully added item: 61
+Successfully added item: 62
+Successfully added item: 63
+Successfully added item: 64
+Successfully added item: 65
+Successfully added item: 66
+Successfully added item: 67
+Successfully added item: 68
+Successfully added item: 69
+Successfully added item: 70
+Successfully added item: 71
+Successfully added item: 72
+Successfully added item: 73
+Successfully added item: 74
+Successfully added item: 75
+Successfully added item: 76
+Successfully added item: 77
+Successfully added item: 78
+Successfully added item: 79
+Successfully added item: 80
+Successfully added item: 81
+Successfully added item: 82
+Successfully added item: 83
+Successfully added item: 84
+Successfully added item: 85
+Successfully added item: 86
+Successfully added item: 87
+Successfully added item: 88
+Successfully added item: 89
+Successfully added item: 90
+Successfully added item: 91
+Successfully added item: 92
+Successfully added item: 93
+Successfully added item: 94
+Successfully added item: 95
+Successfully added item: 96
+Successfully added item: 97
+Successfully added item: 98
+Successfully added item: 99
+Error: SecurityError: DOM Exception 18
+Test complete
+
diff --git a/LayoutTests/fast/loader/stateobjects/replacestate-frequency-iframe-expected.txt b/LayoutTests/fast/loader/stateobjects/replacestate-frequency-iframe-expected.txt
new file mode 100644 (file)
index 0000000..b2bc6f8
--- /dev/null
@@ -0,0 +1,111 @@
+Test should not crash.
+Test does replaceStates both from the main frame and from an iframe and makes sure they both count against state object count limit.
+Click to test replaceState through a user gesture
+Successfully added item: 0
+Successfully added item: 1
+Successfully added item: 2
+Successfully added item: 3
+Successfully added item: 4
+Successfully added item: 5
+Successfully added item: 6
+Successfully added item: 7
+Successfully added item: 8
+Successfully added item: 9
+Successfully added item: 10
+Successfully added item: 11
+Successfully added item: 12
+Successfully added item: 13
+Successfully added item: 14
+Successfully added item: 15
+Successfully added item: 16
+Successfully added item: 17
+Successfully added item: 18
+Successfully added item: 19
+Successfully added item: 20
+Successfully added item: 21
+Successfully added item: 22
+Successfully added item: 23
+Successfully added item: 24
+Successfully added item: 25
+Successfully added item: 26
+Successfully added item: 27
+Successfully added item: 28
+Successfully added item: 29
+Successfully added item: 30
+Successfully added item: 31
+Successfully added item: 32
+Successfully added item: 33
+Successfully added item: 34
+Successfully added item: 35
+Successfully added item: 36
+Successfully added item: 37
+Successfully added item: 38
+Successfully added item: 39
+Successfully added item: 40
+Successfully added item: 41
+Successfully added item: 42
+Successfully added item: 43
+Successfully added item: 44
+Successfully added item: 45
+Successfully added item: 46
+Successfully added item: 47
+Successfully added item: 48
+Successfully added item: 49
+Successfully added item: 50
+Successfully added item: 51
+Successfully added item: 52
+Successfully added item: 53
+Successfully added item: 54
+Successfully added item: 55
+Successfully added item: 56
+Successfully added item: 57
+Successfully added item: 58
+Successfully added item: 59
+Successfully added item: 60
+Successfully added item: 61
+Successfully added item: 62
+Successfully added item: 63
+Successfully added item: 64
+Successfully added item: 65
+Successfully added item: 66
+Successfully added item: 67
+Successfully added item: 68
+Successfully added item: 69
+Successfully added item: 70
+Successfully added item: 71
+Successfully added item: 72
+Successfully added item: 73
+Successfully added item: 74
+
+
+--------
+Frame: '<!--framePath //<!--frame0-->-->'
+--------
+Adding state objects in iframe
+Successfully added item: 0
+Successfully added item: 1
+Successfully added item: 2
+Successfully added item: 3
+Successfully added item: 4
+Successfully added item: 5
+Successfully added item: 6
+Successfully added item: 7
+Successfully added item: 8
+Successfully added item: 9
+Successfully added item: 10
+Successfully added item: 11
+Successfully added item: 12
+Successfully added item: 13
+Successfully added item: 14
+Successfully added item: 15
+Successfully added item: 16
+Successfully added item: 17
+Successfully added item: 18
+Successfully added item: 19
+Successfully added item: 20
+Successfully added item: 21
+Successfully added item: 22
+Successfully added item: 23
+Successfully added item: 24
+Expected exception: Error: SecurityError: DOM Exception 18
+
diff --git a/LayoutTests/fast/loader/stateobjects/replacestate-frequency-iframe.html b/LayoutTests/fast/loader/stateobjects/replacestate-frequency-iframe.html
new file mode 100644 (file)
index 0000000..4ce8e60
--- /dev/null
@@ -0,0 +1,40 @@
+<script>
+
+if (window.testRunner) {
+    testRunner.dumpAsText();
+    testRunner.dumpChildFramesAsText();
+    testRunner.waitUntilDone();
+}
+
+function log(msg) {
+    document.getElementById("logger").innerHTML += msg + "<br>";
+}
+
+window.onload = function()
+{
+    try {
+        for( var i = 0; i < 75; ++i ) {
+            history.replaceState(0, 0, i.toString());
+            log("Successfully added item: " + i);
+        }
+    } catch (e) {
+        log(e);
+    }
+
+    openFrame();
+}
+
+function openFrame()
+{
+    var iframe = document.createElement('iframe');
+    iframe.src = 'resources/replaceState-iframe.html'
+    document.body.appendChild(iframe);
+}
+
+</script>
+<body>
+Test should not crash.<br>
+Test does replaceStates both from the main frame and from an iframe and makes sure they both count against state object count limit.<br>
+<button id="button" onclick="clicked();">Click to test replaceState through a user gesture</button>
+<div id="logger"></div>
+</body>
diff --git a/LayoutTests/fast/loader/stateobjects/replacestate-frequency-with-user-gesture-expected.txt b/LayoutTests/fast/loader/stateobjects/replacestate-frequency-with-user-gesture-expected.txt
new file mode 100644 (file)
index 0000000..4f7f052
--- /dev/null
@@ -0,0 +1,206 @@
+Test should complete quickly and not crash.
+Click to test replaceState through a user gesture
+Successfully added item: 0
+Successfully added item: 1
+Successfully added item: 2
+Successfully added item: 3
+Successfully added item: 4
+Successfully added item: 5
+Successfully added item: 6
+Successfully added item: 7
+Successfully added item: 8
+Successfully added item: 9
+Successfully added item: 10
+Successfully added item: 11
+Successfully added item: 12
+Successfully added item: 13
+Successfully added item: 14
+Successfully added item: 15
+Successfully added item: 16
+Successfully added item: 17
+Successfully added item: 18
+Successfully added item: 19
+Successfully added item: 20
+Successfully added item: 21
+Successfully added item: 22
+Successfully added item: 23
+Successfully added item: 24
+Successfully added item: 25
+Successfully added item: 26
+Successfully added item: 27
+Successfully added item: 28
+Successfully added item: 29
+Successfully added item: 30
+Successfully added item: 31
+Successfully added item: 32
+Successfully added item: 33
+Successfully added item: 34
+Successfully added item: 35
+Successfully added item: 36
+Successfully added item: 37
+Successfully added item: 38
+Successfully added item: 39
+Successfully added item: 40
+Successfully added item: 41
+Successfully added item: 42
+Successfully added item: 43
+Successfully added item: 44
+Successfully added item: 45
+Successfully added item: 46
+Successfully added item: 47
+Successfully added item: 48
+Successfully added item: 49
+Successfully added item: 50
+Successfully added item: 51
+Successfully added item: 52
+Successfully added item: 53
+Successfully added item: 54
+Successfully added item: 55
+Successfully added item: 56
+Successfully added item: 57
+Successfully added item: 58
+Successfully added item: 59
+Successfully added item: 60
+Successfully added item: 61
+Successfully added item: 62
+Successfully added item: 63
+Successfully added item: 64
+Successfully added item: 65
+Successfully added item: 66
+Successfully added item: 67
+Successfully added item: 68
+Successfully added item: 69
+Successfully added item: 70
+Successfully added item: 71
+Successfully added item: 72
+Successfully added item: 73
+Successfully added item: 74
+Successfully added item: 75
+Successfully added item: 76
+Successfully added item: 77
+Successfully added item: 78
+Successfully added item: 79
+Successfully added item: 80
+Successfully added item: 81
+Successfully added item: 82
+Successfully added item: 83
+Successfully added item: 84
+Successfully added item: 85
+Successfully added item: 86
+Successfully added item: 87
+Successfully added item: 88
+Successfully added item: 89
+Successfully added item: 90
+Successfully added item: 91
+Successfully added item: 92
+Successfully added item: 93
+Successfully added item: 94
+Successfully added item: 95
+Successfully added item: 96
+Successfully added item: 97
+Successfully added item: 98
+Successfully added item: 99
+Error: SecurityError: DOM Exception 18
+Successfully added user gesture item: 0
+Successfully added user gesture item: 1
+Successfully added user gesture item: 2
+Successfully added user gesture item: 3
+Successfully added user gesture item: 4
+Successfully added user gesture item: 5
+Successfully added user gesture item: 6
+Successfully added user gesture item: 7
+Successfully added user gesture item: 8
+Successfully added user gesture item: 9
+Successfully added user gesture item: 10
+Successfully added user gesture item: 11
+Successfully added user gesture item: 12
+Successfully added user gesture item: 13
+Successfully added user gesture item: 14
+Successfully added user gesture item: 15
+Successfully added user gesture item: 16
+Successfully added user gesture item: 17
+Successfully added user gesture item: 18
+Successfully added user gesture item: 19
+Successfully added user gesture item: 20
+Successfully added user gesture item: 21
+Successfully added user gesture item: 22
+Successfully added user gesture item: 23
+Successfully added user gesture item: 24
+Successfully added user gesture item: 25
+Successfully added user gesture item: 26
+Successfully added user gesture item: 27
+Successfully added user gesture item: 28
+Successfully added user gesture item: 29
+Successfully added user gesture item: 30
+Successfully added user gesture item: 31
+Successfully added user gesture item: 32
+Successfully added user gesture item: 33
+Successfully added user gesture item: 34
+Successfully added user gesture item: 35
+Successfully added user gesture item: 36
+Successfully added user gesture item: 37
+Successfully added user gesture item: 38
+Successfully added user gesture item: 39
+Successfully added user gesture item: 40
+Successfully added user gesture item: 41
+Successfully added user gesture item: 42
+Successfully added user gesture item: 43
+Successfully added user gesture item: 44
+Successfully added user gesture item: 45
+Successfully added user gesture item: 46
+Successfully added user gesture item: 47
+Successfully added user gesture item: 48
+Successfully added user gesture item: 49
+Successfully added user gesture item: 50
+Successfully added user gesture item: 51
+Successfully added user gesture item: 52
+Successfully added user gesture item: 53
+Successfully added user gesture item: 54
+Successfully added user gesture item: 55
+Successfully added user gesture item: 56
+Successfully added user gesture item: 57
+Successfully added user gesture item: 58
+Successfully added user gesture item: 59
+Successfully added user gesture item: 60
+Successfully added user gesture item: 61
+Successfully added user gesture item: 62
+Successfully added user gesture item: 63
+Successfully added user gesture item: 64
+Successfully added user gesture item: 65
+Successfully added user gesture item: 66
+Successfully added user gesture item: 67
+Successfully added user gesture item: 68
+Successfully added user gesture item: 69
+Successfully added user gesture item: 70
+Successfully added user gesture item: 71
+Successfully added user gesture item: 72
+Successfully added user gesture item: 73
+Successfully added user gesture item: 74
+Successfully added user gesture item: 75
+Successfully added user gesture item: 76
+Successfully added user gesture item: 77
+Successfully added user gesture item: 78
+Successfully added user gesture item: 79
+Successfully added user gesture item: 80
+Successfully added user gesture item: 81
+Successfully added user gesture item: 82
+Successfully added user gesture item: 83
+Successfully added user gesture item: 84
+Successfully added user gesture item: 85
+Successfully added user gesture item: 86
+Successfully added user gesture item: 87
+Successfully added user gesture item: 88
+Successfully added user gesture item: 89
+Successfully added user gesture item: 90
+Successfully added user gesture item: 91
+Successfully added user gesture item: 92
+Successfully added user gesture item: 93
+Successfully added user gesture item: 94
+Successfully added user gesture item: 95
+Successfully added user gesture item: 96
+Successfully added user gesture item: 97
+Successfully added user gesture item: 98
+Successfully added user gesture item: 99
+User gesture: Error: SecurityError: DOM Exception 18
+Test complete
+
diff --git a/LayoutTests/fast/loader/stateobjects/replacestate-frequency-with-user-gesture.html b/LayoutTests/fast/loader/stateobjects/replacestate-frequency-with-user-gesture.html
new file mode 100644 (file)
index 0000000..efdc1a2
--- /dev/null
@@ -0,0 +1,51 @@
+<script>
+
+if (window.testRunner) {
+    testRunner.dumpAsText();
+    testRunner.waitUntilDone();
+}
+
+function log(msg) {
+    document.getElementById("logger").innerHTML += msg + "<br>";
+}
+
+window.onload = function()
+{
+    try {
+        for( var i = 0; i < 100000; ++i ) {
+            history.replaceState(0, 0, i);
+            log("Successfully added item: " + i);
+        }
+    } catch (e) {
+        log(e);
+    }
+    
+    var button = document.getElementById("button");
+    eventSender.mouseMoveTo(button.offsetLeft + 5, button.offsetTop + 5);
+    eventSender.mouseDown();
+    eventSender.mouseUp();
+}
+
+function clicked()
+{
+    try {
+        for( var i = 0; i < 100000; ++i ) {
+            history.replaceState(0, 0, i);
+            log("Successfully added user gesture item: " + i);
+        }
+    } catch (e) {
+        log("User gesture: " + e);
+    }
+
+    if (window.testRunner)
+        testRunner.notifyDone();
+
+    log("Test complete");
+}
+
+</script>
+<body>
+Test should complete quickly and not crash.<br>
+<button id="button" onclick="clicked();">Click to test replaceState through a user gesture</button>
+<div id="logger"></div>
+</body>
diff --git a/LayoutTests/fast/loader/stateobjects/replacestate-frequency.html b/LayoutTests/fast/loader/stateobjects/replacestate-frequency.html
new file mode 100644 (file)
index 0000000..291803c
--- /dev/null
@@ -0,0 +1,32 @@
+<script>
+
+if (window.testRunner) {
+    testRunner.dumpAsText();
+    testRunner.waitUntilDone();
+}
+
+function log(msg) {
+    document.getElementById("logger").innerHTML += msg + "<br>";
+}
+
+window.onload = function() {
+    try {
+        for( var i = 0; i < 100000; ++i ) {
+            history.replaceState(0, 0, i.toString());
+            log("Successfully added item: " + i);
+        }
+    } catch (e) {
+        log(e);
+    }
+
+    if (window.testRunner)
+        testRunner.notifyDone();
+
+    log("Test complete");
+}
+
+</script>
+<body>
+Test should complete quickly and not crash.<br>
+<div id="logger"></div>
+</body>
diff --git a/LayoutTests/fast/loader/stateobjects/resources/pushstate-iframe.html b/LayoutTests/fast/loader/stateobjects/resources/pushstate-iframe.html
new file mode 100644 (file)
index 0000000..43c23f0
--- /dev/null
@@ -0,0 +1,30 @@
+<script>
+
+if (window.testRunner) {
+    testRunner.dumpAsText();
+    testRunner.waitUntilDone();
+}
+
+function log(msg) {
+    document.getElementById("logger").innerHTML += msg + "<br>";
+}
+
+window.onload = function()
+{
+    log("Adding state objects in iframe");
+    try {
+        for( var i = 0; i < 75; ++i ) {
+            history.pushState(0, 0, i.toString());
+            log("Successfully added item: " + i);
+        }
+    } catch (e) {
+        log("Expected exception: " + e);
+        if (window.testRunner)
+            testRunner.notifyDone();    
+    }
+}
+
+</script>
+<body>
+<div id="logger"></div>
+</body>
diff --git a/LayoutTests/fast/loader/stateobjects/resources/replacestate-iframe.html b/LayoutTests/fast/loader/stateobjects/resources/replacestate-iframe.html
new file mode 100644 (file)
index 0000000..e7e6203
--- /dev/null
@@ -0,0 +1,30 @@
+<script>
+
+if (window.testRunner) {
+    testRunner.dumpAsText();
+    testRunner.waitUntilDone();
+}
+
+function log(msg) {
+    document.getElementById("logger").innerHTML += msg + "<br>";
+}
+
+window.onload = function()
+{
+    log("Adding state objects in iframe");
+    try {
+        for( var i = 0; i < 75; ++i ) {
+            history.replaceState(0, 0, i.toString());
+            log("Successfully added item: " + i);
+        }
+    } catch (e) {
+        log("Expected exception: " + e);
+        if (window.testRunner)
+            testRunner.notifyDone();    
+    }
+}
+
+</script>
+<body>
+<div id="logger"></div>
+</body>
diff --git a/LayoutTests/loader/stateobjects/pushstate-size-expected.txt b/LayoutTests/loader/stateobjects/pushstate-size-expected.txt
new file mode 100644 (file)
index 0000000..fcccd01
--- /dev/null
@@ -0,0 +1,24 @@
+Test should not crash.
+Click to test pushState through a user gesture
+Successfully added item: 1 times
+Successfully added item: 2 times
+Successfully added item: 3 times
+Successfully added item: 4 times
+Successfully added item: 5 times
+Successfully added item: 6 times
+Successfully added item: 7 times
+Successfully added item: 8 times
+Successfully added item: 9 times
+Successfully added item: 10 times
+Successfully added item: 11 times
+Successfully added item: 12 times
+Successfully added item: 13 times
+Successfully added item: 14 times
+Successfully added item: 15 times
+Successfully added item: 16 times
+Successfully added item: 17 times
+Successfully added item: 18 times
+Successfully added item: 19 times
+Successfully added item: 20 times
+User gesture: Error: QuotaExceededError: DOM Exception 22
+
diff --git a/LayoutTests/loader/stateobjects/pushstate-size-iframe-expected.txt b/LayoutTests/loader/stateobjects/pushstate-size-iframe-expected.txt
new file mode 100644 (file)
index 0000000..799a1fb
--- /dev/null
@@ -0,0 +1,30 @@
+Test should not crash.
+Test does pushState both from the main frame and from an iframe and makes sure they both count against the main frame document's size limit.
+Click to test pushState through a user gesture
+Parent frame successfully added item: 1 times
+Parent frame successfully added item: 2 times
+Parent frame successfully added item: 3 times
+Parent frame successfully added item: 4 times
+Parent frame successfully added item: 5 times
+Parent frame successfully added item: 6 times
+Parent frame successfully added item: 7 times
+Parent frame successfully added item: 8 times
+Parent frame successfully added item: 9 times
+Parent frame successfully added item: 10 times
+
+
+--------
+Frame: '<!--framePath //<!--frame0-->-->'
+--------
+iFrame successfully added item: 1 times
+iFrame successfully added item: 2 times
+iFrame successfully added item: 3 times
+iFrame successfully added item: 4 times
+iFrame successfully added item: 5 times
+iFrame successfully added item: 6 times
+iFrame successfully added item: 7 times
+iFrame successfully added item: 8 times
+iFrame successfully added item: 9 times
+iFrame successfully added item: 10 times
+Expected exception: Error: QuotaExceededError: DOM Exception 22
+
diff --git a/LayoutTests/loader/stateobjects/pushstate-size-iframe.html b/LayoutTests/loader/stateobjects/pushstate-size-iframe.html
new file mode 100644 (file)
index 0000000..84bc099
--- /dev/null
@@ -0,0 +1,73 @@
+<script>
+
+if (window.testRunner) {
+    testRunner.dumpAsText();
+    testRunner.dumpChildFramesAsText();
+    testRunner.waitUntilDone();
+}
+
+function log(msg) {
+    document.getElementById("logger").innerHTML += msg + "<br>";
+}
+
+var object = "aaaaaaaaaa";
+for (var i = 0; i < 16; ++i)
+    object += object;
+
+function click()
+{
+    if (!eventSender)
+        return;
+
+    var button = document.getElementById("button");
+    eventSender.mouseMoveTo(button.offsetLeft + 5, button.offsetTop + 5);
+    eventSender.mouseDown();
+    eventSender.mouseUp();
+}
+
+window.onload = click;
+
+var count = 1;
+
+function clicked()
+{
+    try {
+        history.pushState(object, object, object);
+    } catch (e) {
+        log("Unexpected exception: " + e);
+        if (window.testRunner)
+            testRunner.notifyDone();    
+    }
+
+    log("Parent frame successfully added item: " + count + " times");
+    ++count;
+
+    if (count > 10) {
+        openFrame();
+        return;
+    }
+
+    setTimeout(click, 0);
+}
+
+function iframeLoaded()
+{
+    document.getElementById("button").onclick = window.frames[0].iframeClicked;
+    click();
+}
+
+function openFrame()
+{
+    var iframe = document.createElement('iframe');
+    iframe.src = 'resources/pushstate-iframe.html'
+    iframe.onload = iframeLoaded;
+    document.body.appendChild(iframe);
+}
+
+</script>
+<body>
+Test should not crash.<br>
+Test does pushState both from the main frame and from an iframe and makes sure they both count against the main frame document's size limit.<br>
+<button id="button" onclick="clicked();">Click to test pushState through a user gesture</button>
+<div id="logger"></div>
+</body>
diff --git a/LayoutTests/loader/stateobjects/pushstate-size.html b/LayoutTests/loader/stateobjects/pushstate-size.html
new file mode 100644 (file)
index 0000000..4fe7376
--- /dev/null
@@ -0,0 +1,49 @@
+<script>
+
+if (window.testRunner) {
+    testRunner.dumpAsText();
+    testRunner.waitUntilDone();
+}
+
+function log(msg) {
+    document.getElementById("logger").innerHTML += msg + "<br>";
+}
+
+var object = "aaaaaaaaaa";
+for (var i = 0; i < 16; ++i)
+    object += object;
+
+function click()
+{
+    var testDiv = document.getElementById("test");
+    eventSender.mouseMoveTo(testDiv.offsetLeft + 5, testDiv.offsetTop + 5);
+    eventSender.mouseDown();
+    eventSender.mouseUp();
+}
+
+window.onload = click;
+
+var count = 1;
+
+function clicked()
+{
+    try {
+        history.pushState(object, object, object);
+    } catch (e) {
+        log("User gesture: " + e);
+        if (window.testRunner)
+            testRunner.notifyDone();    
+    }
+
+    log("Successfully added item: " + count + " times");
+    ++count;
+
+    setTimeout(click, 0);
+}
+
+</script>
+<body>
+Test should not crash.<br>
+<div id="test" onclick="clicked();">Click to test pushState through a user gesture</div>
+<div id="logger"></div>
+</body>
diff --git a/LayoutTests/loader/stateobjects/replacestate-size-expected.txt b/LayoutTests/loader/stateobjects/replacestate-size-expected.txt
new file mode 100644 (file)
index 0000000..ce98a86
--- /dev/null
@@ -0,0 +1,8 @@
+Test should not crash.
+replaceState() should not always count against the global quota. Instead it should literally replace the most recent state object added.
+Pushing 63+mb of state objects (but less than 64mb)
+Replacing the last state object with one that should fit
+It fit
+Replacing the last state object with one that should not fit
+Expected exception replacing the last state object: Error: QuotaExceededError: DOM Exception 22
+
diff --git a/LayoutTests/loader/stateobjects/replacestate-size-iframe-expected.txt b/LayoutTests/loader/stateobjects/replacestate-size-iframe-expected.txt
new file mode 100644 (file)
index 0000000..04d1a5f
--- /dev/null
@@ -0,0 +1,17 @@
+Test should not crash.
+replaceState() in any frame should not always count against the global quota. Instead it should literally replace the most recent state object added from that frame.
+Pushing 59+mb of state objects (but less than 61mb)
+Replace the last 1mb object with a 2mb object, bringing the total to 60+mb
+It fit.
+
+
+--------
+Frame: '<!--framePath //<!--frame0-->-->'
+--------
+The total payload is currently 60+mb. Pushing a 1mb object brings that 61+mb.
+It fit.
+The total payload is currently 61+mb. Replacing the last 1mb with 2mb brings that to 62+mb.
+It fit.
+The total payload is currently 62+mb. Replacing the last 2mb with 4mb brings that to 64+mb, and should not fit.
+Expected exception replacing 2mb with 4mb:Error: QuotaExceededError: DOM Exception 22
+
diff --git a/LayoutTests/loader/stateobjects/replacestate-size-iframe.html b/LayoutTests/loader/stateobjects/replacestate-size-iframe.html
new file mode 100644 (file)
index 0000000..c3b3d6e
--- /dev/null
@@ -0,0 +1,52 @@
+<script>
+
+if (window.testRunner) {
+    testRunner.dumpAsText();
+    testRunner.dumpChildFramesAsText();
+    testRunner.waitUntilDone();
+}
+
+function log(msg) {
+    document.getElementById("logger").innerHTML += msg + "<br>";
+}
+
+function loaded()
+{
+    // Make a 512k character string, which computes as 1mb of payload.
+    var object = "12345678";
+    for (var i = 0; i < 16; ++i)
+        object += object;
+    
+    log("Pushing 59+mb of state objects (but less than 61mb)");
+
+    try {
+        // Push 59+mb of state objects (while the string is exactly 1mb, it counts for a little more than 1mb)
+        for (var i = 1; i < 60; ++i)
+            history.pushState(0, 0, object);
+    } catch (e) {
+        log("Unexpected exception pushing > 59mb but < 60mb of state objects: " + e);  
+    } 
+
+    log("Replace the last 1mb object with a 2mb object, bringing the total to 60+mb");
+    object += object;
+    try {
+        history.replaceState(0, 0, object);
+        log("It fit.");
+    } catch (e) {
+        log("Unexpected exception replacing 1mb with 2mb, bringing the total to 60mb: " + e);  
+    } 
+    
+
+    var iframe = document.createElement('iframe');
+    iframe.src = 'resources/replacestate-iframe.html'
+    document.body.appendChild(iframe);
+}
+
+window.onload = loaded;
+
+</script>
+<body>
+Test should not crash.<br>
+replaceState() in any frame should not always count against the global quota. Instead it should literally replace the most recent state object added from that frame.<br>
+<div id="logger"></div>
+</body>
diff --git a/LayoutTests/loader/stateobjects/replacestate-size.html b/LayoutTests/loader/stateobjects/replacestate-size.html
new file mode 100644 (file)
index 0000000..d05637a
--- /dev/null
@@ -0,0 +1,66 @@
+<script>
+
+if (window.testRunner) {
+    testRunner.dumpAsText();
+    testRunner.waitUntilDone();
+}
+
+function log(msg) {
+    document.getElementById("logger").innerHTML += msg + "<br>";
+}
+
+function loaded()
+{
+    // Make a 512k character string, which computes as 1mb of payload.
+    var object = "12345678";
+    for (var i = 0; i < 16; ++i)
+        object += object;
+    
+    log("Pushing 63+mb of state objects (but less than 64mb)");
+
+    try {
+        // Push 63+mb of state objects (while the string is exactly 1mb, it counts for a little more than 1mb)
+        for (var i = 1; i < 64; ++i)
+            history.pushState(0, 0, object);
+    } catch (e) {
+        log("Unexpected exception pushing > 63mb but < 64mb of state objects: " + e);  
+    }
+    
+    log ("Replacing the last state object with one that should fit");
+
+    try {
+        // replaceState with a 1mb state object.
+        // If replaceState counts against the global limit, this will cause an exception.
+        // But it should work.
+        history.replaceState(0, 0, object);
+        
+        log("It fit");
+    } catch (e) {
+        log("Unexpected exception replacing the last state object: " + e); 
+    }
+    
+    // Make the string be 1024k characters, which computes as 2mb of payload.
+    object += object;
+    
+    log ("Replacing the last state object with one that should not fit");
+
+    try {
+        // Replacing the 63rd 1mb string with a 2mb string *should* still trigger the limit.
+        history.replaceState(0, 0, object);
+        log("It fit, but should not have");
+    } catch (e) {
+        log("Expected exception replacing the last state object: " + e);  
+    }
+
+    if (window.testRunner)
+        testRunner.notifyDone();    
+}
+
+window.onload = loaded;
+
+</script>
+<body>
+Test should not crash.<br>
+replaceState() should not always count against the global quota. Instead it should literally replace the most recent state object added.<br>
+<div id="logger"></div>
+</body>
diff --git a/LayoutTests/loader/stateobjects/resources/pushstate-iframe.html b/LayoutTests/loader/stateobjects/resources/pushstate-iframe.html
new file mode 100644 (file)
index 0000000..50865db
--- /dev/null
@@ -0,0 +1,43 @@
+<script>
+
+if (window.testRunner) {
+    testRunner.dumpAsText();
+    testRunner.waitUntilDone();
+}
+
+function log(msg) {
+    document.getElementById("logger").innerHTML += msg + "<br>";
+}
+
+var object = "aaaaaaaaaa";
+for (var i = 0; i < 16; ++i)
+    object += object;
+
+var count = 1;
+
+function iframeClicked()
+{
+    try {
+        history.pushState(object, object, object);
+    } catch (e) {
+        log("Expected exception: " + e);
+        if (window.testRunner)
+            testRunner.notifyDone();    
+    }
+
+    log("iFrame successfully added item: " + count + " times");
+    ++count;
+
+    if (count > 50) {
+        log("This has gone on for way too long");
+        if (window.testRunner)
+            testRunner.notifyDone();
+    }
+
+    setTimeout(window.parent.click, 0);
+}
+
+</script>
+<body>
+<div id="logger"></div>
+</body>
diff --git a/LayoutTests/loader/stateobjects/resources/replacestate-iframe.html b/LayoutTests/loader/stateobjects/resources/replacestate-iframe.html
new file mode 100644 (file)
index 0000000..d0fbf41
--- /dev/null
@@ -0,0 +1,57 @@
+<script>
+
+if (window.testRunner) {
+    testRunner.dumpAsText();
+    testRunner.waitUntilDone();
+}
+
+function log(msg) {
+    document.getElementById("logger").innerHTML += msg + "<br>";
+}
+
+function loaded()
+{
+    // Make a 512k character string, which computes as 1mb of payload.
+    var object = "12345678";
+    for (var i = 0; i < 16; ++i)
+        object += object;
+    
+    log("The total payload is currently 60+mb. Pushing a 1mb object brings that 61+mb.");
+
+    try {
+        history.pushState(0, 0, object);
+        log("It fit.");
+    } catch (e) {
+        log("Unexpected exception pushing 1mb:" + e);  
+    }
+    
+    log("The total payload is currently 61+mb. Replacing the last 1mb with 2mb brings that to 62+mb.");
+
+    object += object;
+    try {
+        history.replaceState(0, 0, object);
+        log("It fit.");
+    } catch (e) {
+        log("Unexpected exception replacing 1mb with 2mb:" + e);  
+    }
+
+    log("The total payload is currently 62+mb. Replacing the last 2mb with 4mb brings that to 64+mb, and should not fit.");
+
+    object += object;
+    try {
+        history.replaceState(0, 0, object);
+        log("It fit, but should not have.");
+    } catch (e) {
+        log("Expected exception replacing 2mb with 4mb:" + e);  
+    }
+
+    if (window.testRunner)
+        testRunner.notifyDone();
+}
+
+window.onload = loaded;
+
+</script>
+<body>
+<div id="logger"></div>
+</body>
index 6b16315..ebfa767 100644 (file)
@@ -1,3 +1,32 @@
+2016-01-26  Brady Eidson  <beidson@apple.com>
+
+        History.pushState causes intense memory pressure.
+        https://bugs.webkit.org/show_bug.cgi?id=153435
+
+        Reviewed by Sam Weinig, Oliver Hunt, and Geoff Garen.
+
+        Tests: fast/loader/stateobjects/pushstate-frequency-iframe.html
+               fast/loader/stateobjects/pushstate-frequency-with-user-gesture.html
+               fast/loader/stateobjects/pushstate-frequency.html
+               fast/loader/stateobjects/replacestate-frequency-iframe.html
+               fast/loader/stateobjects/replacestate-frequency-with-user-gesture.html
+               fast/loader/stateobjects/replacestate-frequency.html
+               loader/stateobjects/pushstate-size-iframe.html
+               loader/stateobjects/pushstate-size.html
+               loader/stateobjects/replacestate-size-iframe.html
+               loader/stateobjects/replacestate-size.html
+
+        Add restrictions on how frequently push/replaceState can be called,
+        as well as how much of a cumulative payload they can deliver.
+        
+        * bindings/js/JSHistoryCustom.cpp:
+        (WebCore::JSHistory::pushState):
+        (WebCore::JSHistory::replaceState):
+        
+        * page/History.cpp:
+        (WebCore::History::stateObjectAdded):
+        * page/History.h:
+
 2016-01-26  Anders Carlsson  <andersca@apple.com>
 
         Add a Dictionary overload that returns an Optional result
index 2bd2f6d..0d62bd1 100644 (file)
@@ -29,6 +29,7 @@
 #include "config.h"
 #include "JSHistory.h"
 
+#include "ExceptionCode.h"
 #include "Frame.h"
 #include "JSDOMBinding.h"
 #include "SerializedScriptValue.h"
@@ -139,7 +140,7 @@ JSValue JSHistory::pushState(ExecState& state)
             return jsUndefined();
     }
 
-    ExceptionCode ec = 0;
+    ExceptionCodeWithMessage ec;
     wrapped().stateObjectAdded(historyState.release(), title, url, History::StateObjectType::Push, ec);
     setDOMException(&state, ec);
 
@@ -168,7 +169,7 @@ JSValue JSHistory::replaceState(ExecState& state)
             return jsUndefined();
     }
 
-    ExceptionCode ec = 0;
+    ExceptionCodeWithMessage ec;
     wrapped().stateObjectAdded(historyState.release(), title, url, History::StateObjectType::Replace, ec);
     setDOMException(&state, ec);
 
index d288f67..b9571c1 100644 (file)
 #include "FrameLoaderClient.h"
 #include "HistoryController.h"
 #include "HistoryItem.h"
+#include "MainFrame.h"
 #include "Page.h"
+#include "ScriptController.h"
 #include "SecurityOrigin.h"
 #include "SerializedScriptValue.h"
+#include <wtf/CheckedArithmetic.h>
 #include <wtf/MainThread.h>
 
 namespace WebCore {
@@ -136,17 +139,91 @@ URL History::urlForState(const String& urlString)
     return URL(baseURL, urlString);
 }
 
-void History::stateObjectAdded(PassRefPtr<SerializedScriptValue> data, const String& title, const String& urlString, StateObjectType stateObjectType, ExceptionCode& ec)
+void History::stateObjectAdded(PassRefPtr<SerializedScriptValue> data, const String& title, const String& urlString, StateObjectType stateObjectType, ExceptionCodeWithMessage& ec)
 {
+    // Each unique main-frame document is only allowed to send 64mb of state object payload to the UI client/process.
+    static uint32_t totalStateObjectPayloadLimit = 0x4000000;
+    static unsigned perUserGestureStateObjectLimit = 100;
+
     if (!m_frame || !m_frame->page())
         return;
-    
+
     URL fullURL = urlForState(urlString);
     if (!fullURL.isValid() || !m_frame->document()->securityOrigin()->canRequest(fullURL)) {
-        ec = SECURITY_ERR;
+        ec.code = SECURITY_ERR;
         return;
     }
 
+    Document* mainDocument = m_frame->page()->mainFrame().document();
+    History* mainHistory = nullptr;
+    if (mainDocument) {
+        if (auto* mainDOMWindow = mainDocument->domWindow())
+            mainHistory = mainDOMWindow->history();
+    }
+
+    if (!mainHistory)
+        return;
+
+    bool processingUserGesture = ScriptController::processingUserGesture();
+    if (!processingUserGesture && mainHistory->m_nonUserGestureObjectsAdded >= perUserGestureStateObjectLimit) {
+        ec.code = SECURITY_ERR;
+        if (stateObjectType == StateObjectType::Replace)
+            ec.message = String::format("Attempt to use history.replaceState() more than %u times without a user gesture", perUserGestureStateObjectLimit);
+        else
+            ec.message = String::format("Attempt to use history.pushState() more than %u times without a user gesture", perUserGestureStateObjectLimit);
+        return;
+    }
+
+    double userGestureTimestamp = mainDocument->lastHandledUserGestureTimestamp();
+    if (processingUserGesture) {
+        if (mainHistory->m_currentUserGestureTimestamp < userGestureTimestamp) {
+            mainHistory->m_currentUserGestureTimestamp = userGestureTimestamp;
+            mainHistory->m_currentUserGestureObjectsAdded = 0;
+        }
+
+        if (mainHistory->m_currentUserGestureObjectsAdded >= perUserGestureStateObjectLimit) {
+            ec.code = SECURITY_ERR;
+            if (stateObjectType == StateObjectType::Replace)
+                ec.message = String::format("Attempt to use history.replaceState() more than %u times per gesture", perUserGestureStateObjectLimit);
+            else
+                ec.message = String::format("Attempt to use history.pushState() more than %u times per user gesture", perUserGestureStateObjectLimit);
+            return;
+        }
+    }
+
+    Checked<unsigned> titleSize = title.length();
+    titleSize *= 2;
+
+    Checked<unsigned> urlSize = fullURL.string().length();
+    urlSize *= 2;
+
+    Checked<uint64_t> payloadSize = titleSize;
+    payloadSize += urlSize;
+    payloadSize += data ? data->data().size() : 0;
+
+    Checked<uint64_t> newTotalUsage = mainHistory->m_totalStateObjectUsage;
+
+    if (stateObjectType == StateObjectType::Replace)
+        newTotalUsage -= m_mostRecentStateObjectUsage;
+    newTotalUsage += payloadSize;
+
+    if (newTotalUsage > totalStateObjectPayloadLimit) {
+        ec.code = QUOTA_EXCEEDED_ERR;
+        if (stateObjectType == StateObjectType::Replace)
+            ec.message = ASCIILiteral("Attempt to store more data than allowed using history.replaceState()");
+        else
+            ec.message = ASCIILiteral("Attempt to store more data than allowed using history.pushState()");
+        return;
+    }
+
+    m_mostRecentStateObjectUsage = payloadSize.unsafeGet();
+
+    mainHistory->m_totalStateObjectUsage = newTotalUsage.unsafeGet();
+    if (processingUserGesture)
+        ++mainHistory->m_currentUserGestureObjectsAdded;
+    else
+        ++mainHistory->m_nonUserGestureObjectsAdded;
+
     if (!urlString.isEmpty())
         m_frame->document()->updateURLForPushOrReplaceState(fullURL);
 
index 1454c44..ae37fc3 100644 (file)
@@ -38,6 +38,7 @@ namespace WebCore {
 
 class Frame;
 class ScriptExecutionContext;
+struct ExceptionCodeWithMessage;
 typedef int ExceptionCode;
 
 class History : public ScriptWrappable, public RefCounted<History>, public DOMWindowProperty {
@@ -61,7 +62,7 @@ public:
         Push,
         Replace
     };
-    void stateObjectAdded(PassRefPtr<SerializedScriptValue>, const String& title, const String& url, StateObjectType, ExceptionCode&);
+    void stateObjectAdded(PassRefPtr<SerializedScriptValue>, const String& title, const String& url, StateObjectType, ExceptionCodeWithMessage&);
 
 private:
     explicit History(Frame*);
@@ -71,6 +72,16 @@ private:
     PassRefPtr<SerializedScriptValue> stateInternal() const;
 
     RefPtr<SerializedScriptValue> m_lastStateObjectRequested;
+
+    unsigned m_nonUserGestureObjectsAdded { 0 };
+    unsigned m_currentUserGestureObjectsAdded { 0 };
+    double m_currentUserGestureTimestamp { 0 };
+
+    // For the main frame's History object to keep track of all state object usage.
+    uint64_t m_totalStateObjectUsage { 0 };
+
+    // For each individual History object to keep track of the most recent state object added.
+    uint64_t m_mostRecentStateObjectUsage { 0 };
 };
 
 } // namespace WebCore