When a page is navigated while a listener is registered for DeviceOrientation events, a crash can occur if the controller later attempts to dispatch an event. We need to make sure all listeners are removed when the page is navigated. We currently remove all listeners from DOMWindow::removeAllEventListeners() but this is not called on page reload. We could add similar code to DOMWindow::clear().
This occurs only when the page is in the page cache, as in this case, event listeners are not unregistered. Note that a crash is only observed with V8.
Created attachment 70725 [details] Patch
Comment on attachment 70725 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=70725&action=review r=me > LayoutTests/fast/dom/DeviceOrientation/script-tests/event-after-navigation.js:1 > +description('Tests for a crash where an event is fired after the page has been navigated away when the original page is in the page cache.<br><br>Note that the crash is only seen with V8.'); Is there any reason this crash can only possibly happen in V8? If not, this comment probably should be removed, even if we currently only see it in V8. If so, it should probably mention why it's V8 specific. This way it'll be clear whether the comment is stale.
> Is there any reason this crash can only possibly happen in V8? If not, this > comment probably should be removed, even if we currently only see it in V8. No, there's no fundamental reason why it should only happen with V8. The controller should never try to fire events once the document has gone. I'll remove the comment before landing.
Committed r69764: <http://trac.webkit.org/changeset/69764>