Created attachment 144559 [details] Patch

Comment on attachment 144559 [details] Patch abarth, WDYT? I'm most interested in knowing if I was really overzealous with my assertions like I thought: the alternative is that something freaky is happen by calling HTMLElement::removedFromDocument() after the DOM is stopped.

Comment on attachment 144559 [details] Patch I talked with Gavin directly abou this patch. Here's what I said: [[[ Yes, that's entirely possible. The way this can happen is you take a reference to a DOM node in an iframe and then either navigate to iframe to a new URL or remove the iframe from the DOM entirely. Now, stop() will be called on the DOM node, but it will still be in the DOM tree. You can then remove it from the DOM tree using removeChild. ]]] He's going to write a test for this in the Chromium repo where it can be an end-to-end test. Ideally, we'd have a LayoutTest too, but Gavin tells me that there's not enough of the prerendering machinery in DumpRenderTree for that to be a meaningful test. Gavin, once you add the test to Chromium, can you include a link in this bug?

Comment on attachment 144559 [details] Patch Clearing flags on attachment: 144559 Committed r118848: <http://trac.webkit.org/changeset/118848>

All reviewed patches have been landed. Closing bug.

I opted to add enough machinery to DumpRenderTree to let this be tested; see https://bugs.webkit.org/show_bug.cgi?id=87860 for the new Mocks and the layout test for this issue.