Bug 153255

Summary: Document.open / Document.write should be prevented while the document is being unloaded
Product: WebKit Reporter: Chris Dumez <cdumez>
Component: DOM    Assignee: Chris Dumez <cdumez>
Status: RESOLVED FIXED    
Severity: Normal CC: buildbot, commit-queue, darin, esprehn+autocc, ggaren, japhet, kangil.han, rniwa, webkit-bug-importer
Priority: P2 Keywords: InRadar, WebExposed
Version: WebKit Nightly Build   
Hardware: Unspecified   
OS: Unspecified   
URL: https://html.spec.whatwg.org/multipage/webappapis.html#dom-document-open
See Also: https://bugs.webkit.org/show_bug.cgi?id=150980
Bug Depends on:    
Bug Blocks: 153432    
Attachments (description / flags):
- WIP Patch (needs a test) / buildbot: commit-queue-
- Archive of layout-test-results from ews103 for mac-yosemite / none
- Archive of layout-test-results from ews115 for mac-yosemite / none
- Archive of layout-test-results from ews107 for mac-yosemite-wk2 / none
- WIP Patch (needs a test) / none
- Patch / none

Description Chris Dumez 2016-01-19 14:56:09 PST
Document.open / Document.write should be prevented while the document is being unloaded:
https://html.spec.whatwg.org/multipage/webappapis.html#dom-document-open
https://html.spec.whatwg.org/multipage/webappapis.html#dom-document-write

This causes us to fail and crash on the following W3C test:
http://w3c-test.org/html/browsers/browsing-the-web/unloading-documents/005.html
Comment 1 Chris Dumez 2016-01-19 14:56:31 PST
rdar://problem/22741293
Comment 2 Chris Dumez 2016-01-19 15:18:44 PST
Document.open step 6:
Similarly, if the Document's ignore-opens-during-unload counter is greater than zero, then the method does nothing. Abort these steps and return the Document object on which the method was invoked.

Document.write step 3:
If the insertion point is undefined and either the Document's ignore-opens-during-unload counter is greater than zero or the Document's ignore-destructive-writes counter is greater than zero, abort these steps.


-> https://html.spec.whatwg.org/multipage/webappapis.html#ignore-opens-during-unload-counter
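A small model of the two spec steps quoted above, added here as an example and not taken from WebKit or the spec's own test suite: `ModelDocument`, `unloadDocument` and `runScenario` are made-up names, and the counters behave as the quoted steps describe. Running the same unload handler with and without the counter bump shows why the scoped incrementer matters.

```javascript
// Added example: a model of the HTML spec counters quoted in comment 2,
// not WebKit code. ModelDocument, unloadDocument and runScenario are made up here.
class ModelDocument {
  constructor(html) {
    this.content = html;
    this.ignoreOpensDuringUnload = 0;   // spec: ignore-opens-during-unload counter
    this.ignoreDestructiveWrites = 0;   // spec: ignore-destructive-writes counter
    this.insertionPoint = undefined;    // undefined: no active parser
    this.handlers = { beforeunload: [], pagehide: [], unload: [] };
    this.log = [];
  }
  addEventListener(type, fn) { this.handlers[type].push(fn); }
  // Document.open step 6: no-op while the document is being unloaded.
  open() {
    if (this.ignoreOpensDuringUnload > 0) { this.log.push("open ignored"); return this; }
    this.content = "";            // throws away the old document content
    this.insertionPoint = 0;
    this.log.push("open");
    return this;
  }
  // Document.write step 3: abort if there is no insertion point and either counter is set.
  write(text) {
    if (this.insertionPoint === undefined) {
      if (this.ignoreOpensDuringUnload > 0 || this.ignoreDestructiveWrites > 0) {
        this.log.push("write ignored"); return;
      }
      this.open();                // implicit, destructive open
    }
    this.content += text; this.log.push("write");
  }
}
// Models "unload a document": bump the counter around the whole event dispatch
// (the scoped incrementer in the patch) so it is decremented even if a handler throws.
// beforeunload is included here as well, which is the follow-up comment 12 asks for.
function unloadDocument(doc, guarded = true) {
  if (guarded) doc.ignoreOpensDuringUnload++;
  try {
    for (const type of ["beforeunload", "pagehide", "unload"])
      for (const fn of doc.handlers[type]) { try { fn.call(doc); } catch (e) { doc.log.push("threw"); } }
  } finally { if (guarded) doc.ignoreOpensDuringUnload--; }
}
// A page whose unload handler tries to rewrite the document, the situation this bug is about.
function runScenario(guarded) {
  const doc = new ModelDocument("<p>original</p>");
  doc.addEventListener("unload", function () {
    this.open(); this.write("<p>rewritten during unload</p>"); throw new Error("boom");
  });
  unloadDocument(doc, guarded);
  return doc;
}
```

With the guard the document survives unload untouched and the counter returns to zero despite the throwing handler; without it the handler wipes and rewrites the content mid-unload.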
Comment 3 Chris Dumez 2016-01-19 17:01:08 PST
Created attachment 269312 [details]
WIP Patch (needs a test)
Comment 4 Build Bot 2016-01-19 17:56:44 PST
Comment on attachment 269312 [details]
WIP Patch (needs a test)

Attachment 269312 [details] did not pass mac-ews (mac):
Output: http://webkit-queues.webkit.org/results/714707

New failing tests:
fast/frames/frame-unload-crash2.html
fast/parser/document-open-in-unload.html
Comment 5 Build Bot 2016-01-19 17:56:48 PST
Created attachment 269319 [details]
Archive of layout-test-results from ews103 for mac-yosemite

The attached test failures were seen while running run-webkit-tests on the mac-ews.
Bot: ews103  Port: mac-yosemite  Platform: Mac OS X 10.10.5
Comment 6 Build Bot 2016-01-19 18:04:33 PST
Comment on attachment 269312 [details]
WIP Patch (needs a test)

Attachment 269312 [details] did not pass mac-debug-ews (mac):
Output: http://webkit-queues.webkit.org/results/714717

New failing tests:
fast/frames/frame-unload-crash2.html
fast/parser/document-open-in-unload.html
Comment 7 Build Bot 2016-01-19 18:04:39 PST
Created attachment 269321 [details]
Archive of layout-test-results from ews115 for mac-yosemite

The attached test failures were seen while running run-webkit-tests on the mac-debug-ews.
Bot: ews115  Port: mac-yosemite  Platform: Mac OS X 10.10.5
Comment 8 Build Bot 2016-01-19 18:04:48 PST
Comment on attachment 269312 [details]
WIP Patch (needs a test)

Attachment 269312 [details] did not pass mac-wk2-ews (mac-wk2):
Output: http://webkit-queues.webkit.org/results/714727

New failing tests:
fast/frames/frame-unload-crash2.html
Comment 9 Build Bot 2016-01-19 18:04:54 PST
Created attachment 269322 [details]
Archive of layout-test-results from ews107 for mac-yosemite-wk2

The attached test failures were seen while running run-webkit-tests on the mac-wk2-ews.
Bot: ews107  Port: mac-yosemite-wk2  Platform: Mac OS X 10.10.5
Comment 10 Chris Dumez 2016-01-21 12:25:04 PST
Created attachment 269482 [details]
WIP Patch (needs a test)
Comment 11 Chris Dumez 2016-01-21 16:11:15 PST
Created attachment 269510 [details]
Patch
Comment 12 Ryosuke Niwa 2016-01-22 15:58:29 PST
Comment on attachment 269510 [details]
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=269510&action=review

> Source/WebCore/loader/FrameLoader.cpp:2889
> +    IgnoreOpensDuringUnloadCountIncrementer ignoreOpensDuringUnloadCountIncrementer(m_frame.document());
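Review bot: at FrameLoader.cpp:2889 the incrementer is constructed from `m_frame.document()`, a raw pointer to whatever document the frame holds at that moment, and the object stays alive across the whole unload event dispatch, during which a handler can navigate the frame and detach that document; consider having the incrementer retain a strong reference (e.g. a `Ref<Document>`) so the decrement in its destructor never touches a freed document, and add a comment stating that the scoped object must outlive the dispatch it guards.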

I think we need to handle this in beforeunload event dispatching as well.
We can do it in a separate patch though.
Comment 13 Chris Dumez 2016-01-22 16:14:25 PST
(In reply to comment #12)
> Comment on attachment 269510 [details]
> Patch
> 
> View in context:
> https://bugs.webkit.org/attachment.cgi?id=269510&action=review
> 
> > Source/WebCore/loader/FrameLoader.cpp:2889
> > +    IgnoreOpensDuringUnloadCountIncrementer ignoreOpensDuringUnloadCountIncrementer(m_frame.document());
> 
> I think we need to handle this in beforeunload event dispatching as well.
> We can do it in a separate patch though.

Good point, I'll do this in a follow-up patch.
Comment 14 WebKit Commit Bot 2016-01-22 17:05:10 PST
Comment on attachment 269510 [details]
Patch

Clearing flags on attachment: 269510

Committed r195496: <http://trac.webkit.org/changeset/195496>
Comment 15 WebKit Commit Bot 2016-01-22 17:05:16 PST
All reviewed patches have been landed.  Closing bug.