Merge 95471 - [Chromium] Crash after magic iframe transfer for Pepper/NaCl plugins.

Source/WebCore/html/HTMLFrameElementBase.cpp

 /*
  * Copyright (C) 1999 Lars Knoll (knoll@kde.org)
  *           (C) 1999 Antti Koivisto (koivisto@kde.org)
  *           (C) 2000 Simon Hausmann (hausmann@kde.org)
  *           (C) 2001 Dirk Mueller (mueller@kde.org)
  * Copyright (C) 2004, 2006, 2008, 2009 Apple Inc. All rights reserved.
  *
  * This library is free software; you can redistribute it and/or
  * modify it under the terms of the GNU Library General Public
  * License as published by the Free Software Foundation; either
@@ skipping 26 matching lines @@
 #include "Page.h"
 #include "RenderPart.h"
 #include "ScriptController.h"
 #include "ScriptEventListener.h"
 #include "Settings.h"
 
 namespace WebCore {
 
 using namespace HTMLNames;
 
+// Helper to check if the Frame's document contains elements that can instantiate plugins.
+// Does a recursive check for nested Frames too.
+static bool hasPluginElements(Frame* frame)
+{
+    if (!frame)
+        return false;
+
+    // Search for a plugin element in this document.
+    Document* document = frame->document();
+    for (Node* node = document->firstChild(); node; node = node->traverseNextNode(document)) {
+        if (!node->isElementNode())
+            continue;
+
+        Element* element = static_cast<Element*>(node);
+        if (element->hasLocalName(embedTag) || element->hasLocalName(objectTag))
+            return true;
+    }
+
+    // Do the same for the nested frames.
+    for (Frame* child = frame->tree()->firstChild(); child; child = child->tree()->nextSibling()) {
+        if (hasPluginElements(child))
+            return true;
+    }
+
+    return false;
+}
+
 HTMLFrameElementBase::HTMLFrameElementBase(const QualifiedName& tagName, Document* document)
     : HTMLFrameOwnerElement(tagName, document)
     , m_scrolling(ScrollbarAuto)
     , m_marginWidth(-1)
     , m_marginHeight(-1)
     , m_checkInDocumentTimer(this, &HTMLFrameElementBase::checkInDocumentTimerFired)
     , m_viewSource(false)
     , m_remainsAliveOnRemovalFromTree(false)
 {
 }
@@ skipping 187 matching lines @@
 }
 
 int HTMLFrameElementBase::height()
 {
     document()->updateLayoutIgnorePendingStylesheets();
     if (!renderBox())
         return 0;
     return renderBox()->height();
 }
 
+// Some types of content can restrict the ability to move the iframes between pages.
+// For example, the plugin infrastructure of an embedder may associate the plugin instances
+// with the top-level Frame for tracking various resources and failure to transfer those
+// resources correctly may lead to crashes and other ill effects (https://bugs.webkit.org/show_bug.cgi?id=68267)
+bool HTMLFrameElementBase::canRemainAliveOnRemovalFromTree()
+{
+    return !hasPluginElements(contentFrame());
+}
+
 void HTMLFrameElementBase::setRemainsAliveOnRemovalFromTree(bool value)
 {
+    ASSERT(!value || canRemainAliveOnRemovalFromTree());
     m_remainsAliveOnRemovalFromTree = value;
 
     // There is a possibility that JS will do document.adoptNode() on this element but will not insert it into the tree.
     // Start the async timer that is normally stopped by attach(). If it's not stopped and fires, it'll unload the frame.
     if (value)
         m_checkInDocumentTimer.startOneShot(0);
     else
         m_checkInDocumentTimer.stop();
 }
 
@@ skipping 15 matching lines @@
 }
 
 #if ENABLE(FULLSCREEN_API)
 bool HTMLFrameElementBase::allowFullScreen() const
 {
     return hasAttribute(webkitallowfullscreenAttr);
 }
 #endif
 
 } // namespace WebCore