FrameLoader: Fix crash window.stop() in onreadystatechange.

The bug was introduced in: https://chromium-review.googlesource.com/c/chromium/src/+/1107808 Soon after creating a new provisional DocumentLoader, the parser of the current DocumentLoader is canceled. It can causes document.onreadystatechange to fire. If window.stop() is called it can remove the new provisional DocumentLoader. This CL fixes the bug and add a regression test. Bug: 856759 Change-Id: Ifb39a75d04b250f0c97ebf07c5a9abf1f4631ff7 Reviewed-on: https://chromium-review.googlesource.com/1117038Reviewed-by: Dmitry Gozman <dgozman@chromium.org> Commit-Queue: Arthur Sonzogni <arthursonzogni@chromium.org> Cr-Commit-Position: refs/heads/master@{#570774}

FrameLoader: Fix crash window.stop() in onreadystatechange.
The bug was introduced in: https://chromium-review.googlesource.com/c/chromium/src/+/1107808 Soon after creating a new provisional DocumentLoader, the parser of the current DocumentLoader is canceled. It can causes document.onreadystatechange to fire. If window.stop() is called it can remove the new provisional DocumentLoader. This CL fixes the bug and add a regression test. Bug: 856759 Change-Id: Ifb39a75d04b250f0c97ebf07c5a9abf1f4631ff7 Reviewed-on: https://chromium-review.googlesource.com/1117038Reviewed-by: Dmitry Gozman <dgozman@chromium.org> Commit-Queue: Arthur Sonzogni <arthursonzogni@chromium.org> Cr-Commit-Position: refs/heads/master@{#570774}
b07a01f3 · Arthur Sonzogni · Commit Bot · 1675007d · b07a01f3 · b07a01f3
Commit b07a01f3 authored Jun 27, 2018 by Arthur Sonzogni Committed by Commit Bot Jun 27, 2018
3 changed files
--- a/third_party/WebKit/LayoutTests/http/tests/navigation/form-submit-window-stop-in-onreadystatechange-expected.txt
+++ b/third_party/WebKit/LayoutTests/http/tests/navigation/form-submit-window-stop-in-onreadystatechange-expected.txt
+
--- a/third_party/WebKit/LayoutTests/http/tests/navigation/form-submit-window-stop-in-onreadystatechange.html
+++ b/third_party/WebKit/LayoutTests/http/tests/navigation/form-submit-window-stop-in-onreadystatechange.html
+<script>
+  /*
+    Regression test for https://crbug.com/856759.
+    This test passes if it doesn't crash.
+  */
+
+  if (window.testRunner) {
+    testRunner.dumpAsText();
+    testRunner.waitUntilDone();
+  }
+
+  document.addEventListener("DOMContentLoaded", function(event) {
+    document.onreadystatechange = function() {
+      window.stop();
+      setTimeout(function() {
+        location.href = "/resources/notify-done.html";
+      }, 0);
+    };
+    document.querySelector("form").submit();
+  })
+
+</script>
+
+<body>
+  <form action="/resources/notify-done.html"></form>
+
+  <!-- Prevent the document from finishing loading -->
+  <iframe src="/resources/slow-script.pl?delay=999"></iframe>
+</body>
--- a/third_party/blink/renderer/core/loader/frame_loader.cc
+++ b/third_party/blink/renderer/core/loader/frame_loader.cc
@@ -1480,9 +1480,10 @@ void FrameLoader::StartLoad(FrameLoadRequest& frame_load_request,
  frame_->GetDocument()->CancelParsing();
  frame_->GetDocument()->CheckCompleted();

-  // document.onreadystatechange can fire in CancelParsing(), which can detach
-  // this frame.
-  if (!frame_->GetPage())
+  // document.onreadystatechange can fire in CancelParsing(), which can:
+  // 1) Detach this frame.
+  // 2) Stop the provisional DocumentLoader (i.e window.stop())
+  if (!frame_->GetPage() || !provisional_document_loader_)
    return;

  // PlzNavigate: We need to ensure that script initiated navigations are