mirror of
https://github.com/LadybirdBrowser/ladybird
synced 2026-05-10 17:12:41 +02:00
0f4575e7d0
IntersectionObserver can keep elements from a navigated iframe's old document alive until a later rendering update. Once that document tears down its layout tree, descendant nodes and pseudo-elements can still retain stale layout and paintable pointers, and destruction can bypass the usual inactive-document teardown entirely. Clear per-node layout and paintable pointers across the inactive document subtree before tearing down the layout tree, and do the same from destroy() for documents that never go through did_stop_being_active_document_in_navigable(). Add a crash test that observes an iframe target, navigates the iframe, and waits for rendering updates without touching stale layout state. Fixes #8670
24 lines
711 B
HTML
24 lines
711 B
HTML
<!DOCTYPE html>
|
|
<html class="test-wait">
|
|
<iframe></iframe>
|
|
<script>
|
|
const iframe = document.querySelector("iframe");
|
|
|
|
iframe.srcdoc = "<div id='target' style='width: 10px; height: 10px'></div>";
|
|
iframe.onload = () => {
|
|
const observer = new IntersectionObserver(() => {});
|
|
observer.observe(iframe.contentDocument.getElementById("target"));
|
|
|
|
iframe.onload = () => {
|
|
requestAnimationFrame(() => {
|
|
requestAnimationFrame(() => {
|
|
document.documentElement.classList.remove("test-wait");
|
|
});
|
|
});
|
|
};
|
|
iframe.srcdoc = "<p>replacement document</p>";
|
|
};
|
|
</script>
|
|
</html>
|
|
</content>
|
|
</invoke> |