Null out LocalDOMWindow::m_frame on navigation.

third_party/WebKit/Source/core/frame/LocalDOMWindow.cpp

 /*
  * Copyright (C) 2006, 2007, 2008, 2010 Apple Inc. All rights reserved.
  * Copyright (C) 2010 Nokia Corporation and/or its subsidiary(-ies)
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
  * are met:
  * 1. Redistributions of source code must retain the above copyright
  *    notice, this list of conditions and the following disclaimer.
  * 2. Redistributions in binary form must reproduce the above copyright
@@ skipping 510 matching lines @@
     m_properties.add(property);
 }
 
 void LocalDOMWindow::unregisterProperty(DOMWindowProperty* property)
 {
     m_properties.remove(property);
 }
 
 void LocalDOMWindow::reset()
 {
-    frameDestroyed();
+    m_frameObserver->contextDestroyed();
 
     m_screen = nullptr;
     m_history = nullptr;
     m_locationbar = nullptr;
     m_menubar = nullptr;
     m_personalbar = nullptr;
     m_scrollbars = nullptr;
     m_statusbar = nullptr;
     m_toolbar = nullptr;
     m_console = nullptr;
     m_navigator = nullptr;
     m_media = nullptr;
     m_applicationCache = nullptr;
 #if ENABLE(ASSERT)
     m_hasBeenReset = true;
 #endif
 
-    resetLocation();
-
     LocalDOMWindow::notifyContextDestroyed();
 }
 
 void LocalDOMWindow::sendOrientationChangeEvent()
 {
     ASSERT(RuntimeEnabledFeatures::orientationEventEnabled());
     ASSERT(frame()->isMainFrame());
 
     // Before dispatching the event, build a list of all frames in the page
     // to send the event to, to mitigate side effects from event handlers
@@ skipping 99 matching lines @@
 {
     if (!isCurrentlyDisplayedInFrame())
         return nullptr;
     if (!m_applicationCache)
         m_applicationCache = ApplicationCache::create(frame());
     return m_applicationCache.get();
 }
 
 Navigator* LocalDOMWindow::navigator() const
 {
-    if (!isCurrentlyDisplayedInFrame() && (!m_navigator || m_navigator->frame())) {

[dcheng, 2015/09/28 06:45:09]

I tested with the test case in
https://code.google.com/p/chromium/issues/detail?id=522791 and confirmed that it
does not work any more.

-        // We return a navigator with null frame instead of returning null
-        // pointer as other functions do, in order to allow users to access
-        // functions such as navigator.product.
-        m_navigator = Navigator::create(nullptr);
-    }
     if (!m_navigator)
         m_navigator = Navigator::create(frame());
-    // As described above, when not dispayed in the frame, the returning
-    // navigator should not be associated with the frame.
-    ASSERT(isCurrentlyDisplayedInFrame() || !m_navigator->frame());
     return m_navigator.get();
 }
 
 void LocalDOMWindow::schedulePostMessage(PassRefPtrWillBeRawPtr<MessageEvent> event, LocalDOMWindow* source, SecurityOrigin* target, PassRefPtrWillBeRawPtr<ScriptCallStack> stackTrace)
 {
     // Schedule the message.
     OwnPtrWillBeRawPtr<PostMessageTimer> timer = adoptPtrWillBeNoop(new PostMessageTimer(*this, event, source, target, stackTrace, UserGestureIndicator::currentToken()));
     timer->startOneShot(0, FROM_HERE);
     timer->suspendIfNeeded();
     m_postMessageTimers.add(timer.release());
@@ skipping 677 matching lines @@
 {
     RefPtrWillBeRawPtr<Event> loadEvent(Event::create(EventTypeNames::load));
     if (frame() && frame()->loader().documentLoader() && !frame()->loader().documentLoader()->timing().loadEventStart()) {
         // The DocumentLoader (and thus its DocumentLoadTiming) might get destroyed while dispatching
         // the event, so protect it to prevent writing the end time into freed memory.
         RefPtrWillBeRawPtr<DocumentLoader> documentLoader = frame()->loader().documentLoader();
         DocumentLoadTiming& timing = documentLoader->timing();
         timing.markLoadEventStart();
         dispatchEvent(loadEvent, document());
         timing.markLoadEventEnd();
-    } else
+    } else {
         dispatchEvent(loadEvent, document());
+    }

[dcheng, 2015/09/28 06:45:09]

I'm not sure why, but the presubmit checks are randomly complaining about this
and line 1456, so I went ahead and fixed them.

 
     // For load events, send a separate load event to the enclosing frame only.
     // This is a DOM extension and is independent of bubbling/capturing rules of
     // the DOM.
     FrameOwner* owner = frame() ? frame()->owner() : nullptr;
     if (owner)
         owner->dispatchLoad();
 
     TRACE_EVENT_INSTANT1("devtools.timeline", "MarkLoad", TRACE_EVENT_SCOPE_THREAD, "data", InspectorMarkLoadEvent::data(frame()));
     InspectorInstrumentation::loadEventFired(frame());
@@ skipping 65 matching lines @@
     if (!enteredWindow->allowPopUp()) {
         // Because FrameTree::find() returns true for empty strings, we must check for empty frame names.
         // Otherwise, illegitimate window.open() calls with no name will pass right through the popup blocker.
         if (frameName.isEmpty() || !frame()->tree().find(frameName))
             return nullptr;
     }
 
     // Get the target frame for the special cases of _top and _parent.
     // In those cases, we schedule a location change right now and return early.
     Frame* targetFrame = nullptr;
-    if (frameName == "_top")
+    if (frameName == "_top") {
         targetFrame = frame()->tree().top();
-    else if (frameName == "_parent") {
+    } else if (frameName == "_parent") {
         if (Frame* parent = frame()->tree().parent())
             targetFrame = parent;
         else
             targetFrame = frame();
     }
 
     if (targetFrame) {
         if (!activeDocument->frame() || !activeDocument->frame()->canNavigate(*targetFrame))
             return nullptr;
 
@@ skipping 33 matching lines @@
     visitor->trace(m_eventQueue);
     visitor->trace(m_postMessageTimers);
     HeapSupplementable<LocalDOMWindow>::trace(visitor);
 #endif
     DOMWindow::trace(visitor);
     DOMWindowLifecycleNotifier::trace(visitor);
 }
 
 LocalFrame* LocalDOMWindow::frame() const
 {
+    // If the LocalDOMWindow still has a frame reference, that frame must point
+    // back to this LocalDOMWindow: otherwise, it's easy to get into a situation
+    // where script execution leaks between different LocalDOMWindows.
+    if (m_frameObserver->frame())
+        ASSERT_WITH_SECURITY_IMPLICATION(m_frameObserver->frame()->domWindow() == this);
     return m_frameObserver->frame();
 }
 
 } // namespace blink