Crash in FrameLoader::stopAllLoaders.
https://bugs.webkit.org/show_bug.cgi?id=90805

Reviewed by Nate Chapin.

Calling m_provisionalDocumentLoader->stopLoading() can blow away the frame
from underneath. Protect it with a RefPtr.

No new tests. We don't have a reliable testcase to reproduce this. However,
the crash and free stack from ClusterFuzz point clearly at the bug.

* loader/FrameLoader.cpp:
(WebCore::FrameLoader::stopAllLoaders):

git-svn-id: http://svn.webkit.org/repository/webkit/trunk@124776 268f45cc-cd09-0410-ab3c-d52691b4dbfc
diff --git a/Source/WebCore/loader/FrameLoader.cpp b/Source/WebCore/loader/FrameLoader.cpp
index 2e9428d..774e8a2 100644
--- a/Source/WebCore/loader/FrameLoader.cpp
+++ b/Source/WebCore/loader/FrameLoader.cpp
@@ -1501,6 +1501,10 @@
     // If this method is called from within this method, infinite recursion can occur (3442218). Avoid this.
     if (m_inStopAllLoaders)
         return;
+    
+    // Calling stopLoading() on the provisional document loader can blow away
+    // the frame from underneath.
+    RefPtr<Frame> protect(m_frame);
 
     m_inStopAllLoaders = true;
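Review bot: the added blank line ahead of the new comment is not empty; it carries four trailing spaces after the `+` and should be stripped. The placement of `RefPtr<Frame> protect(m_frame);` after the `m_inStopAllLoaders` early return and before the flag is set looks right, since the reference is only taken on the path that goes on to stop loaders and is held until the function returns. The comment could say that as well: it explains that stopLoading() on the provisional document loader can destroy the frame, but not that the protector has to stay alive for everything that runs after that call. With no test in the change, a short note in the comment pointing at the bug number would help anyone who later tries to move or remove the protector.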