Crash in FrameLoader::stopAllLoaders. https://bugs.webkit.org/show_bug.cgi?id=90805 Reviewed by Nate Chapin. Calling m_provisionalDocumentLoader->stopLoading() can blow away the frame from underneath. Protect it with a RefPtr. No new tests. We don't have a reliable testcase to reproduce this. However, the crash and free stack from ClusterFuzz point clearly at the bug. * loader/FrameLoader.cpp: (WebCore::FrameLoader::stopAllLoaders): git-svn-id: http://svn.webkit.org/repository/webkit/trunk@124776 268f45cc-cd09-0410-ab3c-d52691b4dbfc

commit: bc05aa58f59b6faddaeba1f1bc3fd7f4112949fe [log] [tgz]
author: inferno@chromium.org <inferno@chromium.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc> Mon Aug 06 16:30:40 2012 +0000
committer: inferno@chromium.org <inferno@chromium.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc> Mon Aug 06 16:30:40 2012 +0000
tree: 36d589c55aedb3cb71e5cd56d395448ba98c57e1
parent: 7fcfabe02e31c84d93f6648f4a4fac5afaa9e7c8 [diff]
diff --git a/Source/WebCore/loader/FrameLoader.cpp b/Source/WebCore/loader/FrameLoader.cpp
index 2e9428d..774e8a2 100644
--- a/Source/WebCore/loader/FrameLoader.cpp
+++ b/Source/WebCore/loader/FrameLoader.cpp

@@ -1501,6 +1501,10 @@
     // If this method is called from within this method, infinite recursion can occur (3442218). Avoid this.
     if (m_inStopAllLoaders)
         return;
+    
+    // Calling stopLoading() on the provisional document loader can blow away
+    // the frame from underneath.
+    RefPtr<Frame> protect(m_frame);
 
     m_inStopAllLoaders = true;
commit	bc05aa58f59b6faddaeba1f1bc3fd7f4112949fe	[log] [tgz]
author	inferno@chromium.org <inferno@chromium.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc>	Mon Aug 06 16:30:40 2012 +0000
committer	inferno@chromium.org <inferno@chromium.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc>	Mon Aug 06 16:30:40 2012 +0000
tree	36d589c55aedb3cb71e5cd56d395448ba98c57e1
parent	7fcfabe02e31c84d93f6648f4a4fac5afaa9e7c8 [diff]