ServiceOverlayController::Highlight() has a Ref<Range>, and Range has a Ref<Document>. When you change the selection in a view, ServiceOverlayController makes a “potential highlight” Highlight, which retains the Document. If you then navigate, there’s nothing that clears that Highlight, until the selection changes. We need to either have ServiceOverlayController use weak refs, or clear its highlights on navigation.
rdar://problem/40735219
This is visible with any layout test that makes a selection (like LayoutTests/fast/css/counters/counter-after-style-crash.html) and the patch in bug 186214
(In reply to Simon Fraser (smfr) from comment #0) > ServiceOverlayController::Highlight() has a Ref<Range>, and Range has a > Ref<Document>. > > When you change the selection in a view, ServiceOverlayController makes a > “potential highlight” Highlight, which retains the Document. If you then > navigate, there’s nothing that clears that Highlight, until the selection > changes. > > We need to either have ServiceOverlayController use weak refs, or clear its > highlights on navigation. We should probably add logic to clear state underneath `Document::willBeRemovedFromFrame()` (similar to how some of the other controller-type objects have a `documentDetached` method).