Before bfcache we had the invariant that a document's container was immutable
after document creation and was the docshell the document was in. With bfcache,
this is still true _except_ for bfcached documents, which have a null container.
Should there really be a difference here between bfcache documents and other
documents that have been navigated away from? That seems wrong to me. We
should probably unset the container consistently, and make sure document
teardown still works right...
Also, should documents created via DOMImplementation really have a container
set? That seems wrong to me.
I agree, but this is a separate issue from bfcache. Unmarking dependency to get
it off the radar.
Er... We have an invariant that code may be depending on and that bfcache
violates. Until we check that all code that uses this container deals with it
being null and that for a bfcached document this leads to the right behavior,
this is in fact a bfcache issue. If such checking has already been done, then
my apologies; let me know and I'll remove the dependency in that case.
pulling into beta for investigation
bryner, have you had a chance to look into this?
bryner's busy with other bug fixing. Who else could help here?
We're not getting anywhere here. Who else can help? Johnny, Bryner, any ideas
here? Time is running out.
Without an actual example of somebody relying on this former invariant, we're
not going to block on this.
Anyone calling GetScriptGlobalObject() is relying on it.
Calling it after nsDocument::Destroy, that is.
But do we have a case of that happening in-tree or in common extensionland?
We have at least some known in-tree cases; they're already covered by separate
bugs (e.g. XTF has this issue at document teardown). I have no idea about
extensions. The whole point of this bug was to either fix the issue or to check
that our in-tree consumers are OK with this. Since the latter hasn't happened,
I can't tell you whether they're OK or not, clearly.
I think all of the issues we know about here have been addressed.
Quick check turns up XBL code that definitely calls GetScriptGlobalObject() in cases when bfcache has nulled out the container (so whatever that code is trying to do doesn't work). We do have a separate bug on that, but it sure isn't fixed...
Given that, I doubt that the code-reading that needs to happen here has been done.
Reassigning my bugs, since I'm not actually working on them.