<script>
// Under the WebKit test harness: keep the test open until notifyDone() is called
// and record the result as a text dump rather than a pixel dump.
const testController = window.layoutTestController;
if (testController) {
  testController.waitUntilDone();
  testController.dumpAsText();
}
// Set once addiframe() has attached the iframe; onbeforeunload alerts if it
// fires before that has happened.
let haveAddedIFrame = false;
// Fires while the navigation started by clicked() is still pending. It then
// dispatches a synthetic click on a detached anchor that points at
// localhost:1234, i.e. asks the frame to navigate again from inside
// beforeunload — the recursion the page text describes.
window.onbeforeunload = function () {
  if (!haveAddedIFrame) {
    alert("onbeforeunload called, and iframe hasn't been added yet.");
  }
  const click = document.createEvent("MouseEvents");
  click.initEvent("click", true, true);
  const anchor = document.createElement("a");
  anchor.href = "http://localhost:1234/";
  // The anchor is never inserted into the document; dispatching on it is enough.
  anchor.dispatchEvent(click);
};
// Starts the navigation whose beforeunload handling is under test. Note the host
// (127.0.0.1) differs from the localhost URLs used by the anchor and the iframe.
function clicked() {
  const { location } = window;
  location.href = "http://127.0.0.1:1234/";
}
// Alerts, attaches an iframe pointing at localhost:1234, records that the iframe
// exists, and tells the harness the test is finished. Reached from runTest() via
// a zero-delay timer and from the second link in the body.
function addiframe() {
  alert("Adding iframe");
  const frame = document.createElement("iframe");
  frame.src = "http://localhost:1234/";
  document.body.appendChild(frame);
  haveAddedIFrame = true;
  const testController = window.layoutTestController;
  if (testController) {
    testController.notifyDone();
  }
}
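// Entry point from <body onload>: start the navigation, then append the iframe
// on a zero-delay timer so it is added while that navigation is still pending.
function runTest() {
  clicked();
  // Pass the function itself rather than the string "addiframe();": a string
  // argument is compiled like eval() at run time, which a Content-Security-Policy
  // without 'unsafe-eval' blocks, and the function form schedules the same call.
  setTimeout(addiframe, 0);
}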
</script>
<body onload="runTest();">
This test demonstrates a problem with our handling of the beforeunload event.<br>
If a script manages to try to navigate the frame from beforeunload - when a navigation is already pending - we end up blowing out the stack by recursively consulting the policy delegate and then running onbeforeunload repeatedly.<br>
After this happens, the FrameLoader is in a bogus state where it thinks it is in the middle of a provisional load, but it doesn't have a provisional document loader.<br>
In this state, the frame is very difficult to navigate anywhere else, and attempts to load new things within the frame can result in a crash.<br>
This was reproducibly identified on sears.com following a bizarre Safari-specific code path.<br>
<a href="javascript:void(clicked())">Click here to run the beforeunload test and blow out the stack</a><br>
<a href="javascript:void(addiframe())">Click here to append an iframe and crash</a><br>
</body>