Crash in FrameLoader::stopAllLoaders.
https://bugs.webkit.org/show_bug.cgi?id=90805

Reviewed by Nate Chapin.

Calling m_provisionalDocumentLoader->stopLoading() can blow away the frame
from underneath. Protect it with a RefPtr.

No new tests. We don't have a reliable testcase to reproduce this. However,
the crash and free stack from ClusterFuzz point clearly at the bug.

* loader/FrameLoader.cpp:
(WebCore::FrameLoader::stopAllLoaders):

git-svn-id: http://svn.webkit.org/repository/webkit/trunk@124776 268f45cc-cd09-0410-ab3c-d52691b4dbfc
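The commit message describes the bug in one sentence: a call made from inside a member function drops the last reference to the object that owns that function, so the code after the call runs on freed memory, and a local RefPtr held across the call prevents it. The following stand-alone C++ program, an added illustration and not WebKit's own code, models that pattern with a minimal intrusive refcount (a stand-in for WTF::RefPtr, not the real class), a Page that owns a Frame, and a stopAllLoaders(bool protect) whose callback detaches the frame from its page. The Page, Frame, stopProvisionalLoading and runScenario names are assumptions made for the example; the only WebKit-specific behaviour it reproduces is the one the commit message states.

```cpp
#include <cstdio>
#include <utility>

// Minimal intrusive ref counting standing in for WTF::RefCounted / WTF::RefPtr.
// Assumption: an added illustration, not WebKit's implementation.
template <typename T>
class RefPtr {
public:
    RefPtr() : m_ptr(nullptr) {}
    RefPtr(T* ptr) : m_ptr(ptr) { if (m_ptr) m_ptr->ref(); }
    RefPtr(const RefPtr& other) : m_ptr(other.m_ptr) { if (m_ptr) m_ptr->ref(); }
    ~RefPtr() { if (m_ptr) m_ptr->deref(); }
    RefPtr& operator=(const RefPtr& other) { RefPtr tmp(other); std::swap(m_ptr, tmp.m_ptr); return *this; }
    RefPtr& operator=(T* ptr) { RefPtr tmp(ptr); std::swap(m_ptr, tmp.m_ptr); return *this; }
    T* get() const { return m_ptr; }
    T* operator->() const { return m_ptr; }
private:
    T* m_ptr;
};

class Frame;

// The page owns the frame. Dropping this reference is the only thing that can
// destroy the frame, which is what the provisional loader's stopLoading() ends
// up doing in the bug described above. (Hypothetical type for the example.)
struct Page {
    RefPtr<Frame> mainFrame;
};

class Frame {
public:
    static int s_liveFrames; // readable without touching a possibly freed `this`

    explicit Frame(Page* page) : m_refCount(0), m_page(page), m_inStopAllLoaders(false) { ++s_liveFrames; }
    ~Frame() { --s_liveFrames; }

    void ref() { ++m_refCount; }
    void deref() { if (--m_refCount == 0) delete this; }

    // Models m_provisionalDocumentLoader->stopLoading(): cancelling the load
    // runs client code that detaches the frame from its page. After this line
    // returns, the caller must not touch members unless something else holds a ref.
    void stopProvisionalLoading() { m_page->mainFrame = nullptr; }

    // Returns true if the frame was still alive when the member write after the
    // callback happened, false if that write would have been a use-after-free.
    bool stopAllLoaders(bool protect)
    {
        if (m_inStopAllLoaders) // recursion guard, as in the real function
            return true;

        RefPtr<Frame> protector;
        if (protect)
            protector = this; // the fix: hold a reference across the callback

        m_inStopAllLoaders = true;
        stopProvisionalLoading(); // may drop the last external reference
        if (s_liveFrames == 0)
            return false; // `this` is gone; writing m_inStopAllLoaders would be a UAF
        m_inStopAllLoaders = false;
        return true;
    }

private:
    int m_refCount;
    Page* m_page;
    bool m_inStopAllLoaders;
};

int Frame::s_liveFrames = 0;

// Builds a page with one frame and runs stopAllLoaders with or without the protector.
bool runScenario(bool protect)
{
    Page page;
    page.mainFrame = new Frame(&page);
    Frame* frame = page.mainFrame.get();
    return frame->stopAllLoaders(protect);
}

int main()
{
    std::printf("without protector: %s\n", runScenario(false) ? "alive" : "freed under us");
    std::printf("with protector:    %s\n", runScenario(true) ? "alive" : "freed under us");
    return 0;
}
```

The check against s_liveFrames stands in for what a sanitizer would report in the real code: without the protector the frame's only reference goes away inside the callback and the subsequent write to m_inStopAllLoaders lands on freed memory; with the protector the object lives until the local RefPtr goes out of scope at the end of the function, which is exactly what the one-line fix in the patch relies on.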
diff --git a/Source/WebCore/ChangeLog b/Source/WebCore/ChangeLog
index bfa1712..a031267 100644
--- a/Source/WebCore/ChangeLog
+++ b/Source/WebCore/ChangeLog
@@ -1,3 +1,19 @@
+2012-08-06  Abhishek Arya  <inferno@chromium.org>
+
+        Crash in FrameLoader::stopAllLoaders.
+        https://bugs.webkit.org/show_bug.cgi?id=90805
+
+        Reviewed by Nate Chapin.
+
+        Calling m_provisionalDocumentLoader->stopLoading() can blow away the frame
+        from underneath. Protect it with a RefPtr.
+
+        No new tests. We don't have a reliable testcase to reproduce this. However,
+        the crash and free stack from ClusterFuzz point clearly at the bug.
+
+        * loader/FrameLoader.cpp:
+        (WebCore::FrameLoader::stopAllLoaders):
+
 2012-08-06  Hironori Bono  <hbono@chromium.org>
 
         Rolling out my r123067 and r123572
diff --git a/Source/WebCore/loader/FrameLoader.cpp b/Source/WebCore/loader/FrameLoader.cpp
index 2e9428d..774e8a2 100644
--- a/Source/WebCore/loader/FrameLoader.cpp
+++ b/Source/WebCore/loader/FrameLoader.cpp
@@ -1501,6 +1501,10 @@
     // If this method is called from within this method, infinite recursion can occur (3442218). Avoid this.
     if (m_inStopAllLoaders)
         return;
+    
+    // Calling stopLoading() on the provisional document loader can blow away
+    // the frame from underneath.
+    RefPtr<Frame> protect(m_frame);
 
     m_inStopAllLoaders = true;
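Review bot: the protector keeps the Frame (and with it this FrameLoader, which Frame owns) alive across m_provisionalDocumentLoader->stopLoading(), but it does not keep the frame attached to its page; since the comment says the call can blow the frame away and the rest of the function is outside this hunk, confirm that any code after the stopLoading() call that goes through m_frame->page() or the document still null-checks a detached frame. Placing `RefPtr<Frame> protect(m_frame);` after the m_inStopAllLoaders early return is the right spot (no refcount churn on the re-entrant path), and because the protector is a local it lives until the function returns, so the later reset of m_inStopAllLoaders is done on a live object. Style nit: the added blank line before the comment (`+    `) carries trailing whitespace; make it an empty line so check-webkit-style stays quiet.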