Add an extra guard to replaceDocument()

Source/core/loader/DocumentLoader.cpp

 /*
  * Copyright (C) 2006, 2007, 2008 Apple Inc. All rights reserved.
  * Copyright (C) 2011 Google Inc. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
  * are met:
  *
  * 1.  Redistributions of source code must retain the above copyright
  *     notice, this list of conditions and the following disclaimer.
@@ skipping 485 matching lines @@
         }
     }
 }
 
 void DocumentLoader::ensureWriter(const AtomicString& mimeType, const KURL& overridingURL)
 {
     if (m_writer)
         return;
 
     const AtomicString& encoding = overrideEncoding().isNull() ? response().textEncodingName() : overrideEncoding();
-    m_writer = createWriterFor(m_frame, 0, url(), mimeType, encoding, false);
+
+    // Prepare a DocumentInit before clearing the frame, because it may need to
+    // inherit an aliased security context.
+    DocumentInit init(url(), m_frame);
+    init.withNewRegistrationContext();
+    m_frame->loader().clear();
+    ASSERT(m_frame->page());
+
+    m_writer = createWriterFor(0, init, mimeType, encoding, false);
     m_writer->setDocumentWasLoadedAsPartOfNavigation();
     // This should be set before receivedFirstData().
     if (!overridingURL.isEmpty())
         m_frame->document()->setBaseURLOverride(overridingURL);
 
     // Call receivedFirstData() exactly once per load.
     frameLoader()->receivedFirstData();
     m_frame->document()->maybeHandleHttpRefresh(m_response.httpHeaderField("Refresh"), Document::HttpRefreshFromHeader);
 }
 
@@ skipping 252 matching lines @@
         mainResourceLoader()->attachThreadedDataReceiver(threadedDataReceiver);
 }
 
 void DocumentLoader::endWriting(DocumentWriter* writer)
 {
     ASSERT_UNUSED(writer, m_writer == writer);
     m_writer->end();
     m_writer.clear();
 }
 
-PassRefPtrWillBeRawPtr<DocumentWriter> DocumentLoader::createWriterFor(LocalFrame* frame, const Document* ownerDocument, const KURL& url, const AtomicString& mimeType, const AtomicString& encoding, bool dispatch)
+PassRefPtrWillBeRawPtr<DocumentWriter> DocumentLoader::createWriterFor(const Document* ownerDocument, const DocumentInit& init, const AtomicString& mimeType, const AtomicString& encoding, bool dispatch)
 {
-    // Create a new document before clearing the frame, because it may need to
-    // inherit an aliased security context.
-    DocumentInit init(url, frame);
-    init.withNewRegistrationContext();
-
-    // In some rare cases, we'll re-used a LocalDOMWindow for a new Document. For example,
-    // when a script calls window.open("..."), the browser gives JavaScript a window
-    // synchronously but kicks off the load in the window asynchronously. Web sites
-    // expect that modifications that they make to the window object synchronously
-    // won't be blown away when the network load commits. To make that happen, we
-    // "securely transition" the existing LocalDOMWindow to the Document that results from
-    // the network load. See also SecurityContext::isSecureTransitionTo.
-    bool shouldReuseDefaultView = frame->loader().stateMachine()->isDisplayingInitialEmptyDocument() && frame->document()->isSecureTransitionTo(url);
-
-    frame->loader().clear();
+    LocalFrame* frame = init.frame();
 
     if (frame->document())
         frame->document()->prepareForDestruction();
 
-    if (!shouldReuseDefaultView)
+    if (!init.shouldReuseDefaultView())
         frame->setDOMWindow(LocalDOMWindow::create(*frame));
 
     RefPtrWillBeRawPtr<Document> document = frame->domWindow()->installNewDocument(mimeType, init);
     if (ownerDocument) {
         document->setCookieURL(ownerDocument->cookieURL());
         document->setSecurityOrigin(ownerDocument->securityOrigin());
         if (ownerDocument->isTransitionDocument())
             document->setIsTransitionDocument();
     }
 
     frame->loader().didBeginDocument(dispatch);
 
     return DocumentWriter::create(document.get(), mimeType, encoding);
 }
 
 const AtomicString& DocumentLoader::mimeType() const
 {
     if (m_writer)
         return m_writer->mimeType();
     return m_response.mimeType();
 }
 
 void DocumentLoader::setUserChosenEncoding(const String& charset)
 {
     if (m_writer)
         m_writer->setUserChosenEncoding(charset);
 }
 
-// This is only called by ScriptController::executeScriptIfJavaScriptURL
-// and always contains the result of evaluating a javascript: url.
-// This is the <iframe src="javascript:'html'"> case.
-void DocumentLoader::replaceDocument(const String& source, Document* ownerDocument)
+// This is only called by FrameLoader::replaceDocumentWhileExecutingJavaScriptURL()
+void DocumentLoader::replaceDocumentWhileExecutingJavaScriptURL(const DocumentInit& init, const String& source, Document* ownerDocument)
 {
-    m_frame->loader().stopAllLoaders();
-    m_writer = createWriterFor(m_frame, ownerDocument, m_frame->document()->url(), mimeType(), m_writer ? m_writer->encoding() : emptyAtom, true);
+    m_writer = createWriterFor(ownerDocument, init, mimeType(), m_writer ? m_writer->encoding() : emptyAtom, true);
     if (!source.isNull())
         m_writer->appendReplacingData(source);
     endWriting(m_writer.get());
 }
 
 } // namespace blink