document.open(): Check frame_ after StopAllLoaders

FrameLoader::StopAllLoaders() has this explicit note: Warning: stopAllLoaders can and will detach the LocalFrame out from under you. All callers need to either protect the LocalFrame or guarantee they won't in any way access the LocalFrame after stopAllLoaders returns. Check frame_'s existence after the call to prevent a NULL dereference. Bug: 879366 Change-Id: I1e537374f59fbad7b069f9de63cfa3b6b2b2b00c Reviewed-on: https://chromium-review.googlesource.com/1198022Reviewed-by: Nate Chapin <japhet@chromium.org> Reviewed-by: Kent Tamura <tkent@chromium.org> Reviewed-by: Hayato Ito <hayato@chromium.org> Commit-Queue: Timothy Gu <timothygu@chromium.org> Cr-Commit-Position: refs/heads/master@{#587933}

document.open(): Check frame_ after StopAllLoaders
FrameLoader::StopAllLoaders() has this explicit note: Warning: stopAllLoaders can and will detach the LocalFrame out from under you. All callers need to either protect the LocalFrame or guarantee they won't in any way access the LocalFrame after stopAllLoaders returns. Check frame_'s existence after the call to prevent a NULL dereference. Bug: 879366 Change-Id: I1e537374f59fbad7b069f9de63cfa3b6b2b2b00c Reviewed-on: https://chromium-review.googlesource.com/1198022Reviewed-by: Nate Chapin <japhet@chromium.org> Reviewed-by: Kent Tamura <tkent@chromium.org> Reviewed-by: Hayato Ito <hayato@chromium.org> Commit-Queue: Timothy Gu <timothygu@chromium.org> Cr-Commit-Position: refs/heads/master@{#587933}
09b4427e · Timothy Gu · Commit Bot · f507b26d · 09b4427e · 09b4427e
Commit 09b4427e authored Aug 31, 2018 by Timothy Gu Committed by Commit Bot Aug 31, 2018
3 changed files
--- a/third_party/WebKit/LayoutTests/fast/dom/Document/open-with-pending-load2-expected.txt
+++ b/third_party/WebKit/LayoutTests/fast/dom/Document/open-with-pending-load2-expected.txt
+This tests that calling document.open on a document that has a pending load correctly cancels the load and does not crash even if the frame is removed.
--- a/third_party/WebKit/LayoutTests/fast/dom/Document/open-with-pending-load2.html
+++ b/third_party/WebKit/LayoutTests/fast/dom/Document/open-with-pending-load2.html
+<script>
+if (window.testRunner)
+    testRunner.dumpAsText();
+</script>
+<body>
+This tests that calling document.open on a document that has a pending load correctly cancels the load and does not crash even if the frame is removed.
+<script>
+const div = document.body.appendChild(document.createElement("div"));
+div.innerHTML = "<iframe src='data:text/html,'></iframe>";
+const frame = div.childNodes[0];
+const client = new frame.contentWindow.XMLHttpRequest();
+client.open("GET", "data:text/html,");
+client.onabort = e => {
+  div.remove();
+};
+client.send();
+frame.contentWindow.document.open();
+</script>
+</body>
--- a/third_party/blink/renderer/core/dom/document.cc
+++ b/third_party/blink/renderer/core/dom/document.cc
@@ -3108,7 +3108,7 @@ void Document::open() {
  if (frame_ && frame_->Loader().HasProvisionalNavigation()) {
    frame_->Loader().StopAllLoaders();
    // Navigations handled by the client should also be cancelled.
-    if (frame_->Client())
+    if (frame_ && frame_->Client())
      frame_->Client()->AbortClientNavigation();
  }