Crash in NavigationScheduler::schedule.
https://bugs.webkit.org/show_bug.cgi?id=78297
Reviewed by Adam Barth.
Source/WebCore:
Protect frame pointer and navigation scheduler when we stop the
load (when redirect is scheduled during a load). Also, don't fire
the navigation scheduler timer when we know that frameloader is
going away.
Test: http/tests/navigation/navigation-redirect-schedule-crash.html
* loader/NavigationScheduler.cpp:
(WebCore::NavigationScheduler::schedule):
LayoutTests:
* http/tests/navigation/navigation-redirect-schedule-crash-expected.txt: Added.
* http/tests/navigation/navigation-redirect-schedule-crash.html: Added.
git-svn-id: http://svn.webkit.org/repository/webkit/trunk@107729 268f45cc-cd09-0410-ab3c-d52691b4dbfc
diff --git a/Source/WebCore/loader/NavigationScheduler.cpp b/Source/WebCore/loader/NavigationScheduler.cpp
index d304133..46267f9 100644
--- a/Source/WebCore/loader/NavigationScheduler.cpp
+++ b/Source/WebCore/loader/NavigationScheduler.cpp
@@ -422,6 +422,8 @@
{
ASSERT(m_frame->page());
+ RefPtr<Frame> protect(m_frame);
+
// If a redirect was scheduled during a load, then stop the current load.
// Otherwise when the current load transitions from a provisional to a
// committed state, pending redirects may be cancelled.
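Review bot: The new `RefPtr<Frame> protect(m_frame);` line has no comment saying what it guards against, and the comment that follows it only explains why the load is stopped. The commit message gives the reason (the frame and the navigation scheduler need protecting while the load is stopped), so a one-line comment on the protector stating that stopping the load below can release the frame would keep a later cleanup from removing it as an unused local. It is also worth noting in that comment that `ASSERT(m_frame->page())` above only holds on entry, since the second hunk now expects the page to be gone by the end of the function.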
@@ -437,6 +439,9 @@
if (!m_frame->loader()->isComplete() && m_redirect->isLocationChange())
m_frame->loader()->completed();
+ if (!m_frame->page())
+ return;
+
startTimer();
}
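Review bot: The `if (!m_frame->page())` check is placed after `m_frame->loader()->isComplete()` and `m_frame->loader()->completed()`, so both calls still run on a frame whose page may already be gone once the load has been stopped. If the stop is what detaches the page, consider moving the check to directly after the stop, or add a comment explaining why calling `completed()` on a detached frame is safe and why the check belongs here. The early return also leaves `m_redirect` in place without starting the timer. Please either clear it on this path or say in a comment why a pending redirect with no timer is harmless when the frame loader is going away.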