Temporary RELEASE_ASSERT to find frame loads during DocumentLoader detachment.

This CL mostly relands r357479 but without the check that ancestor documents
haven't started unload as that turned out to fire very frequently.

I've also moved the loadEventProgress member of Document to be one of the first
members so that it's likely to be included in a minidump memory region.

BUG=519752

Review URL: https://codereview.chromium.org/1414693010

Cr-Commit-Position: refs/heads/master@{#357751}

4 files changed, 34 insertions, 3 deletions

diff --git a/third_party/WebKit/Source/core/dom/Document.cpp b/third_party/WebKit/Source/core/dom/Document.cpp
index f3d84ee..7d94d4e 100644
--- a/third_party/WebKit/Source/core/dom/Document.cpp
+++ b/third_party/WebKit/Source/core/dom/Document.cpp
@@ -375,6 +375,8 @@ private:
 Document::Document(const DocumentInit& initializer, DocumentClassFlags documentClasses)
     : ContainerNode(0, CreateDocument)
     , TreeScope(*this)
+    , m_detachingDocumentLoader(false)
+    , m_loadEventProgress(LoadEventNotRun)
     , m_hasNodesWithPlaceholderStyle(false)
     , m_evaluateMediaQueriesOnStyleRecalc(false)
     , m_pendingSheetLayout(NoLayoutWithPendingSheets)
@@ -408,7 +410,6 @@ Document::Document(const DocumentInit& initializer, DocumentClassFlags documentC
     , m_markers(adoptPtrWillBeNoop(new DocumentMarkerController))
     , m_updateFocusAppearanceTimer(this, &Document::updateFocusAppearanceTimerFired)
     , m_cssTarget(nullptr)
-    , m_loadEventProgress(LoadEventNotRun)
     , m_startTime(currentTime())
     , m_scriptRunner(ScriptRunner::create(this))
     , m_xmlVersion("1.0")
diff --git a/third_party/WebKit/Source/core/dom/Document.h b/third_party/WebKit/Source/core/dom/Document.h
index 3d4aed0..18669f2 100644
--- a/third_party/WebKit/Source/core/dom/Document.h
+++ b/third_party/WebKit/Source/core/dom/Document.h
@@ -1043,6 +1043,9 @@ public:
     WebTaskRunner* loadingTaskRunner() const;
     WebTaskRunner* timerTaskRunner() const;
 
+    // TODO(bokan): Temporary to help track down crash in crbug.com/519752.
+    bool m_detachingDocumentLoader;
+
 protected:
     Document(const DocumentInit&, DocumentClassFlags = DefaultDocumentClass);
 
@@ -1147,6 +1150,10 @@ private:
 
     void setNthIndexCache(NthIndexCache* nthIndexCache) { ASSERT(!m_nthIndexCache || !nthIndexCache); m_nthIndexCache = nthIndexCache; }
 
+    // TODO(bokan): Temporarily moved this to the top of memebers so it's likely
+    // to be included in a minidump memory region. crbug.com/519752
+    LoadEventProgress m_loadEventProgress;
+
     DocumentLifecycle m_lifecycle;
 
     bool m_hasNodesWithPlaceholderStyle;
@@ -1252,8 +1259,6 @@ private:
 
     RawPtrWillBeMember<Element> m_cssTarget;
 
-    LoadEventProgress m_loadEventProgress;
-
     double m_startTime;
 
     OwnPtrWillBeMember<ScriptRunner> m_scriptRunner;
diff --git a/third_party/WebKit/Source/core/frame/LocalFrame.cpp b/third_party/WebKit/Source/core/frame/LocalFrame.cpp
index 59127cc..d697f96 100644
--- a/third_party/WebKit/Source/core/frame/LocalFrame.cpp
+++ b/third_party/WebKit/Source/core/frame/LocalFrame.cpp
@@ -127,8 +127,25 @@ inline float parentTextZoomFactor(LocalFrame* frame)
 
 } // namespace
 
+// TODO(bokan): Temporary to help track down crash in crbug.com/519752
+static void checkCanLoad(Document* doc)
+{
+    if (!doc)
+        return;
+
+    // I added this flag that gets set to true just before detaching the document loader. This
+    // should trip and will hopefully illuminate why the loadEventProgress state isn't stopping
+    // navigation.
+    RELEASE_ASSERT(!doc->m_detachingDocumentLoader);
+
+    checkCanLoad(doc->parentDocument());
+}
+
 PassRefPtrWillBeRawPtr<LocalFrame> LocalFrame::create(FrameLoaderClient* client, FrameHost* host, FrameOwner* owner)
 {
+    if (owner && owner->isLocal())
+        checkCanLoad(&toHTMLFrameOwnerElement(owner)->document());
+
     RefPtrWillBeRawPtr<LocalFrame> frame = adoptRefWillBeNoop(new LocalFrame(client, host, owner));
     InspectorInstrumentation::frameAttachedToParent(frame.get());
     return frame.release();
diff --git a/third_party/WebKit/Source/core/loader/FrameLoader.cpp b/third_party/WebKit/Source/core/loader/FrameLoader.cpp
index 2179214..fa81cce 100644
--- a/third_party/WebKit/Source/core/loader/FrameLoader.cpp
+++ b/third_party/WebKit/Source/core/loader/FrameLoader.cpp
@@ -1054,8 +1054,16 @@ bool FrameLoader::prepareForCommit()
     if (pdl != m_provisionalDocumentLoader)
         return false;
     if (m_documentLoader) {
+        // TODO(bokan): Temporarily added this flag to help track down how we're attaching
+        // new frames during the DocumentLoader detachment. crbug.com/519752.
+        if (m_frame->document())
+            m_frame->document()->m_detachingDocumentLoader = true;
+
         FrameNavigationDisabler navigationDisabler(m_frame);
         detachDocumentLoader(m_documentLoader);
+
+        if (m_frame->document())
+            m_frame->document()->m_detachingDocumentLoader = false;
     }
     // detachFromFrame() will abort XHRs that haven't completed, which can
     // trigger event listeners for 'abort'. These event listeners might detach