Add an extra guard to replaceDocument()

Source/core/loader/DocumentLoader.cpp

 /*
  * Copyright (C) 2006, 2007, 2008 Apple Inc. All rights reserved.
  * Copyright (C) 2011 Google Inc. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
  * are met:
  *
  * 1.  Redistributions of source code must retain the above copyright
  *     notice, this list of conditions and the following disclaimer.
@@ skipping 758 matching lines @@
         mainResourceLoader()->attachThreadedDataReceiver(threadedDataReceiver);
 }
 
 void DocumentLoader::endWriting(DocumentWriter* writer)
 {
     ASSERT_UNUSED(writer, m_writer == writer);
     m_writer->end();
     m_writer.clear();
 }
 
 PassRefPtrWillBeRawPtr<DocumentWriter> DocumentLoader::createWriterFor(LocalFrame* frame, const Document* ownerDocument, const KURL& url, const AtomicString& mimeType, const AtomicString& encoding, bool dispatch)

[dglazkov, 2014/08/26 17:22:43]

Just thinking outloud: since now there are two createWriteFor functions, and
both of them really operate on DocumentInit, maybe we could:
1) make DocumentInit of both of them, and/or
2) rename the newly-created one to sound a lot more ominous, since it's doing
nasty things.

 {
-    // Create a new document before clearing the frame, because it may need to
+    // Prepare a DocumentInit before clearing the frame, because it may need to
     // inherit an aliased security context.
     DocumentInit init(url, frame);
     init.withNewRegistrationContext();
+    frame->loader().clear();
+    ASSERT(frame->page());
+    return createWriterFor(ownerDocument, init, mimeType, encoding, dispatch);
+}
 
-    // In some rare cases, we'll re-used a LocalDOMWindow for a new Document. For example,
-    // when a script calls window.open("..."), the browser gives JavaScript a window
-    // synchronously but kicks off the load in the window asynchronously. Web sites
-    // expect that modifications that they make to the window object synchronously
-    // won't be blown away when the network load commits. To make that happen, we
-    // "securely transition" the existing LocalDOMWindow to the Document that results from
-    // the network load. See also SecurityContext::isSecureTransitionTo.
-    bool shouldReuseDefaultView = frame->loader().stateMachine()->isDisplayingInitialEmptyDocument() && frame->document()->isSecureTransitionTo(url);
-
-    frame->loader().clear();
+PassRefPtrWillBeRawPtr<DocumentWriter> DocumentLoader::createWriterFor(const Document* ownerDocument, const DocumentInit& init, const AtomicString& mimeType, const AtomicString& encoding, bool dispatch)
+{
+    LocalFrame* frame = init.frame();
 
     if (frame->document())
         frame->document()->prepareForDestruction();
 
-    if (!shouldReuseDefaultView)
+    if (!init.shouldReuseDefaultView())
         frame->setDOMWindow(LocalDOMWindow::create(*frame));
 
     RefPtrWillBeRawPtr<Document> document = frame->domWindow()->installNewDocument(mimeType, init);
     if (ownerDocument) {
         document->setCookieURL(ownerDocument->cookieURL());
         document->setSecurityOrigin(ownerDocument->securityOrigin());
         if (ownerDocument->isTransitionDocument())
             document->setIsTransitionDocument();
     }
 
     frame->loader().didBeginDocument(dispatch);
 
     return DocumentWriter::create(document.get(), mimeType, encoding);
 }
 
 const AtomicString& DocumentLoader::mimeType() const
 {
     if (m_writer)
         return m_writer->mimeType();
     return m_response.mimeType();
 }
 
 void DocumentLoader::setUserChosenEncoding(const String& charset)
 {
     if (m_writer)
         m_writer->setUserChosenEncoding(charset);
 }
 
-// This is only called by ScriptController::executeScriptIfJavaScriptURL
-// and always contains the result of evaluating a javascript: url.
-// This is the <iframe src="javascript:'html'"> case.
-void DocumentLoader::replaceDocument(const String& source, Document* ownerDocument)
+// This is only called by FrameLoader::replaceDocumentWhileExecutingJavaScriptURL()
+void DocumentLoader::replaceDocumentWhileExecutingJavaScriptURL(const DocumentInit& init, const String& source, Document* ownerDocument)
 {
-    m_frame->loader().stopAllLoaders();
-    m_writer = createWriterFor(m_frame, ownerDocument, m_frame->document()->url(), mimeType(), m_writer ? m_writer->encoding() : emptyAtom, true);
+    m_writer = createWriterFor(ownerDocument, init, mimeType(), m_writer ? m_writer->encoding() : emptyAtom, true);
     if (!source.isNull())
         m_writer->appendReplacingData(source);
     endWriting(m_writer.get());
 }
 
 } // namespace blink