Speculative fix for null m_documentLoader deref in FrameLoader::loadInSameDocument
This should fix an uncommon crash during history traversal. I believe the steps to get into this state are:

1. Load a page with a slow-loading iframe. The iframe load must begin before the main frame's load event fires.
2. While the iframe is still in the provisional load state, attempt a same-document history navigation in the child frame.
3. The child frame's provisional load is cancelled by the history navigation in FrameLoader::loadInSameDocument, which in turn causes the parent frame's load event to fire synchronously.
4. The parent frame's onload event handler detaches the iframe.
5. No checks are performed after cancelling the provisional load in FrameLoader::loadInSameDocument, leading to a null deref and crash.

We should be able to prevent a crash in this case by checking whether the frame is still attached after cancelling the provisional load in FrameLoader::loadInSameDocument.

BUG=374391

Review URL: https://codereview.chromium.org/303133004

git-svn-id: svn://svn.chromium.org/blink/trunk@175174 bbb929c8-8fbe-4397-9dbb-9b2b20218538
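The hazard in the commit message is a re-entrancy bug: cancelling the child's provisional load synchronously runs the parent's load event handler, which may detach the child before the caller touches its loader again. The following is an added, self-contained C++ model of that sequence and of the fix (re-checking that the frame is still attached after the re-entrant call). It is not Blink code; the types `Frame`, `DocumentLoader`, the functions `stopProvisionalLoad`, `detachFrame`, `loadInSameDocumentUnchecked`, `loadInSameDocumentChecked` and `runScenario`, and the URLs are all hypothetical stand-ins for the real FrameLoader machinery.

```cpp
#include <cstdio>
#include <functional>
#include <memory>
#include <string>

// Hypothetical minimal stand-ins for Blink's frame and loader objects.
struct DocumentLoader { std::string url; };

struct Frame {
    Frame* parent = nullptr;
    bool attached = true;
    std::unique_ptr<DocumentLoader> documentLoader;     // committed document
    std::unique_ptr<DocumentLoader> provisionalLoader;  // in-flight navigation
    int pendingChildLoads = 0;                           // children still loading
    std::function<void()> onload;                        // this frame's load handler
};

// Cancelling a child's provisional load can complete the parent's load and
// fire the parent's load event synchronously, re-entering arbitrary script.
void stopProvisionalLoad(Frame& frame) {
    if (!frame.provisionalLoader) return;
    frame.provisionalLoader.reset();
    if (frame.parent && --frame.parent->pendingChildLoads == 0 && frame.parent->onload)
        frame.parent->onload();
}

// Detaching a frame drops its loaders; any pointer taken earlier is now stale.
void detachFrame(Frame& frame) {
    frame.attached = false;
    frame.documentLoader.reset();
    frame.provisionalLoader.reset();
}

enum class Result { Navigated, FrameDetached, NullDeref };

// "Before": nothing is re-validated after the re-entrant call. The real code
// would dereference a null loader here; the model reports it instead.
Result loadInSameDocumentUnchecked(Frame& frame, const std::string& fragment) {
    stopProvisionalLoad(frame);
    if (!frame.documentLoader) return Result::NullDeref;
    frame.documentLoader->url += fragment;
    return Result::Navigated;
}

// "After": bail out if the load handler detached this frame.
Result loadInSameDocumentChecked(Frame& frame, const std::string& fragment) {
    stopProvisionalLoad(frame);
    if (!frame.attached || !frame.documentLoader) return Result::FrameDetached;
    frame.documentLoader->url += fragment;
    return Result::Navigated;
}

// Builds the scenario from the commit message with constructed sample URLs:
// a parent whose onload handler (optionally) detaches its still-loading iframe,
// then a same-document navigation in the iframe.
Result runScenario(bool checked, bool onloadDetaches) {
    Frame parent;
    Frame child;
    child.parent = &parent;
    child.documentLoader = std::make_unique<DocumentLoader>(DocumentLoader{"https://example.test/child"});
    child.provisionalLoader = std::make_unique<DocumentLoader>(DocumentLoader{"https://example.test/slow"});
    parent.pendingChildLoads = 1;
    parent.onload = [&child, onloadDetaches] { if (onloadDetaches) detachFrame(child); };
    return checked ? loadInSameDocumentChecked(child, "#anchor")
                   : loadInSameDocumentUnchecked(child, "#anchor");
}

int main() {
    std::printf("unchecked, onload detaches: %d\n", static_cast<int>(runScenario(false, true)));
    std::printf("checked,   onload detaches: %d\n", static_cast<int>(runScenario(true, true)));
    std::printf("checked,   onload benign:   %d\n", static_cast<int>(runScenario(true, false)));
    return 0;
}
```

The general lesson the model shows is that any call which can run script (here, firing a load event) invalidates every assumption about object lifetime made before it; the cheap defence is to re-check attachment and re-fetch pointers immediately after such calls rather than holding them across.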