LayoutTests/fast/loader/recursive-before-unload-crash.html - WebKit - Git at Google

 <script>
 if (window.testRunner) {
     testRunner.waitUntilDone();
     testRunner.dumpAsText();
 }

 var haveAddedIFrame = false;

 window.onbeforeunload = function() {
     if (!haveAddedIFrame)
         document.getElementById("logger").innerText += "onbeforeunload called, and iframe hasn't been added yet.\n";
     var a = document.createEvent("MouseEvents");
     a.initEvent("click", true, true);
     var d = document.createElement("a");
     d.href = "http://localhost:1234/";
     d.dispatchEvent(a);
 }

 function clicked() {
     window.location.href="http://127.0.0.1:1234/";
 }

 function addiframe() {
     document.getElementById("logger").innerText += "Adding iframe.\n";
     var frame = document.createElement("iframe");
     frame.src = "http://localhost:1234/"
     document.body.appendChild(frame);
     haveAddedIFrame = true;
     if (window.testRunner)
         testRunner.notifyDone();
 }

 function runTest() {
    clicked();
    setTimeout("addiframe();", 0);
 }

 </script>
 <body onload="runTest();">
 This test demonstrates a problem with our handling of the beforeunload event.<br>
 If a script manages to try and navigate the frame from beforeunload - when a navigation is already pending - we end up blowing out the stack by recursively consulting the policy delegate then running onbeforeunload repeatedly.<br>
 After this happens, the FrameLoader is in a bogus state where it thinks it is in the middle of a provisional load, but it doesn't have a provisional document loader.<br>
 In this state, the frame is very difficult to navigate anywhere else, and attempts to load new things within the frame can result in a crash.<br>
 This was reproducibly identified on sears.com following a bizarre Safari specific code path.<br>
 <a href="javascript:void(clicked())">Click here to run the beforeunload test and blow out the stack</a><br>
 <a href="javascript:void(addiframe())">Click here to append an iframe and crash</a><br>
 <div id="logger"></div>
 </body>
	<script>
	if (window.testRunner) {
	testRunner.waitUntilDone();
	testRunner.dumpAsText();
	}

	var haveAddedIFrame = false;

	window.onbeforeunload = function() {
	if (!haveAddedIFrame)
	document.getElementById("logger").innerText += "onbeforeunload called, and iframe hasn't been added yet.\n";
	var a = document.createEvent("MouseEvents");
	a.initEvent("click", true, true);
	var d = document.createElement("a");
	d.href = "http://localhost:1234/";
	d.dispatchEvent(a);
	}

	function clicked() {
	window.location.href="http://127.0.0.1:1234/";
	}

	function addiframe() {
	document.getElementById("logger").innerText += "Adding iframe.\n";
	var frame = document.createElement("iframe");
	frame.src = "http://localhost:1234/"
	document.body.appendChild(frame);
	haveAddedIFrame = true;
	if (window.testRunner)
	testRunner.notifyDone();
	}

	function runTest() {
	clicked();
	setTimeout("addiframe();", 0);
	}

	</script>
	<body onload="runTest();">
	This test demonstrates a problem with our handling of the beforeunload event.<br>
	If a script manages to try and navigate the frame from beforeunload - when a navigation is already pending - we end up blowing out the stack by recursively consulting the policy delegate then running onbeforeunload repeatedly.<br>
	After this happens, the FrameLoader is in a bogus state where it thinks it is in the middle of a provisional load, but it doesn't have a provisional document loader.<br>
	In this state, the frame is very difficult to navigate anywhere else, and attempts to load new things within the frame can result in a crash.<br>
	This was reproducibly identified on sears.com following a bizarre Safari specific code path.<br>
	<a href="javascript:void(clicked())">Click here to run the beforeunload test and blow out the stack</a><br>
	<a href="javascript:void(addiframe())">Click here to append an iframe and crash</a><br>
	<div id="logger"></div>
	</body>