imported/w3c/web-platform-tests/navigation-api/ordering-and-transition/navigate-204-205-download-then-same-document.html is a flaky crash

https://bugs.webkit.org/show_bug.cgi?id=301894

Reviewed by Ryosuke Niwa.

The crash was due to the Navigation object not marking its associated
ongoing NavigateEvent when getting visited. Similarly, the NavigateEvent
would fail to mark its associated AbortSignal when visited. As a result,
the AbortSignal's JS wrapper could get garbage collected and we would
crash trying to dispatch the abort event on it.

The test was flakily crashing in debug before this change and is now
reliably passing.

* Source/WebCore/Sources.txt:
* Source/WebCore/WebCore.xcodeproj/project.pbxproj:
* Source/WebCore/bindings/js/JSNavigateEventCustom.cpp:
(WebCore::JSNavigateEvent::visitAdditionalChildren):
* Source/WebCore/bindings/js/JSNavigationCustom.cpp: Copied from Source/WebCore/bindings/js/JSNavigateEventCustom.cpp.
(WebCore::JSNavigation::visitAdditionalChildren):
* Source/WebCore/dom/Microtasks.h:
* Source/WebCore/page/NavigateEvent.cpp:
(WebCore::root):
* Source/WebCore/page/NavigateEvent.h:
* Source/WebCore/page/NavigateEvent.idl:
* Source/WebCore/page/Navigation.h:
* Source/WebCore/page/Navigation.idl:

Canonical link: https://commits.webkit.org/302530@main

Author: cdumez

Source/WebCore/Sources.txt

@@ -737,6 +737,7 @@ bindings/js/JSMessagePortCustom.cpp
 bindings/js/JSMutationObserverCustom.cpp
 bindings/js/JSMutationRecordCustom.cpp
 bindings/js/JSNavigateEventCustom.cpp
+bindings/js/JSNavigationCustom.cpp
 bindings/js/JSNavigatorCustom.cpp
 bindings/js/JSNodeCustom.cpp
 bindings/js/JSNodeIteratorCustom.cpp

Source/WebCore/WebCore.xcodeproj/project.pbxproj

@@ -33,6 +33,8 @@ void JSNavigateEvent::visitAdditionalChildren(Visitor& visitor)
 {
     auto& event = wrapped();
     event.infoWrapper().visit(visitor);
+    if (auto* signal = event.signal())
+        addWebCoreOpaqueRoot(visitor, signal);
 }
 
 DEFINE_VISIT_ADDITIONAL_CHILDREN(JSNavigateEvent);

Source/WebCore/bindings/js/JSNavigateEventCustom.cpp

@@ -0,0 +1,44 @@
+/*
+* Copyright (C) 2025 Apple Inc. All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY APPLE INC. AND ITS CONTRIBUTORS ``AS IS''
+ * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,
+ * THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL APPLE INC. OR ITS CONTRIBUTORS
+ * BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+ * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF
+ * THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#include "config.h"
+#include "JSNavigation.h"
+
+#include "JSNavigateEvent.h"
+#include "NavigateEvent.h"
+
+namespace WebCore {
+
+template<typename Visitor>
+void JSNavigation::visitAdditionalChildren(Visitor& visitor)
+{
+    // We cannot ref the event on the GC thread.
+    SUPPRESS_UNCOUNTED_ARG if (auto* event = wrapped().ongoingNavigateEvent())
+        addWebCoreOpaqueRoot(visitor, event);
+}
+
+DEFINE_VISIT_ADDITIONAL_CHILDREN(JSNavigation);
+
+} // namespace WebCore

Source/WebCore/bindings/js/JSNavigationCustom.cpp

@@ -26,6 +26,7 @@
 #include <wtf/Forward.h>
 #include <wtf/TZoneMalloc.h>
 #include <wtf/Vector.h>
+#include <wtf/WeakHashMap.h>
 #include <wtf/WeakPtr.h>
 
 namespace JSC {

Source/WebCore/dom/Microtasks.h

@@ -190,4 +190,9 @@ void NavigateEvent::finish(Document& document, InterceptionHandlersDidFulfill di
     m_interceptionState = InterceptionState::Finished;
 }
 
+WebCoreOpaqueRoot root(NavigateEvent* event)
+{
+    return WebCoreOpaqueRoot { event };
+}
+
 } // namespace WebCore

Source/WebCore/page/NavigateEvent.cpp

@@ -141,4 +141,6 @@ class NavigateEvent final : public Event {
     RefPtr<AbortController> m_abortController;
 };
 
+WebCoreOpaqueRoot root(NavigateEvent*);
+
 } // namespace WebCore

Source/WebCore/page/NavigateEvent.h

@@ -1,4 +1,5 @@
 [
+  GenerateIsReachable=Impl,
   JSCustomMarkFunction,
   EnabledBySetting=NavigationAPIEnabled,
   Exposed=Window

Source/WebCore/page/NavigateEvent.idl

@@ -186,6 +186,7 @@ class Navigation final : public RefCounted<Navigation>, public EventTarget, publ
     };
     Ref<AbortHandler> registerAbortHandler();
 
+    NavigateEvent* ongoingNavigateEvent() { return m_ongoingNavigateEvent.get(); } // This may get called on the GC thread.
     RefPtr<NavigateEvent> protectedOngoingNavigateEvent() { return m_ongoingNavigateEvent; }
     bool hasInterceptedOngoingNavigateEvent() const { return m_ongoingNavigateEvent && m_ongoingNavigateEvent->wasIntercepted(); }
 

Source/WebCore/page/Navigation.h

@@ -1,6 +1,7 @@
 [
   EnabledBySetting=NavigationAPIEnabled,
   GenerateIsReachable=ReachableFromDOMWindow,
+  JSCustomMarkFunction,
   Exposed=Window
 ] interface Navigation : EventTarget {
   sequence<NavigationHistoryEntry> entries();