Crash in FrameLoader::stopAllLoaders.
https://bugs.webkit.org/show_bug.cgi?id=90805
Reviewed by Nate Chapin.
Calling m_provisionalDocumentLoader->stopLoading() can blow away the frame
from underneath. Protect it with a RefPtr.
No new tests. We don't have a reliable testcase to reproduce this. However,
the crash and free stack from ClusterFuzz point clearly at the bug.
* loader/FrameLoader.cpp:
(WebCore::FrameLoader::stopAllLoaders):
git-svn-id: http://svn.webkit.org/repository/webkit/trunk@124776 268f45cc-cd09-0410-ab3c-d52691b4dbfc
diff --git a/Source/WebCore/loader/FrameLoader.cpp b/Source/WebCore/loader/FrameLoader.cpp
index 2e9428d..774e8a2 100644
--- a/Source/WebCore/loader/FrameLoader.cpp
+++ b/Source/WebCore/loader/FrameLoader.cpp
@@ -1501,6 +1501,10 @@
// If this method is called from within this method, infinite recursion can occur (3442218). Avoid this.
if (m_inStopAllLoaders)
return;
+
+ // Calling stopLoading() on the provisional document loader can blow away
+ // the frame from underneath.
+ RefPtr<Frame> protect(m_frame);
m_inStopAllLoaders = true;
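Review bot: the `RefPtr<Frame> protect(m_frame)` added at the top of the function only keeps the Frame object itself alive across the re-entrant `stopLoading()` call; it does not stop that call from detaching the frame or clearing this FrameLoader's own members during teardown. Any code later in this function that dereferences `m_provisionalDocumentLoader` or other loader pointers after the call should still null-check them, and the comment above the protector would be clearer if it said which member calls it is guarding against (the commit message names `m_provisionalDocumentLoader->stopLoading()`).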