heap use-after-free at WebCore::TimerBase::heapPopMin()
author    bfulgham@apple.com <bfulgham@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
          Tue, 17 May 2016 01:09:27 +0000 (01:09 +0000)
committer bfulgham@apple.com <bfulgham@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
          Tue, 17 May 2016 01:09:27 +0000 (01:09 +0000)
commit    2c993f16dcf8db6df8007fb8046aae4343f62a6a
tree      da81b6657cfa2e0aa6b189bdfce7a9e2175ae621
parent    530c7ba8447eff0af5fcb8d70c2fc048d39b2e81
heap use-after-free at WebCore::TimerBase::heapPopMin()
https://bugs.webkit.org/show_bug.cgi?id=157742
<rdar://problem/26236778>

Source/WebCore:

Reviewed by David Kilzer.

Tested by fast/frames/resources/crash-during-iframe-load-stop.html.

* loader/FrameLoader.cpp:
(WebCore::FrameLoader::stopForUserCancel): Protect m_frame from destruction while it is still
being used by the current stack frame.
(WebCore::FrameLoader::frameDetached): Ditto.
(WebCore::FrameLoader::continueFragmentScrollAfterNavigationPolicy): Ditto.

LayoutTests:

Reviewed by Simon Fraser.

* fast/frames/crash-during-iframe-load-stop-expected.txt: Added.
* fast/frames/crash-during-iframe-load-stop.html: Added.
* fast/frames/resources/crash-during-iframe-load-stop-inner.html: Added.
* fast/frames/resources/crash-during-iframe-load-stop.html: Added.

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@200986 268f45cc-cd09-0410-ab3c-d52691b4dbfc
LayoutTests/ChangeLog
LayoutTests/fast/frames/crash-during-iframe-load-stop-expected.txt [new file with mode: 0644]
LayoutTests/fast/frames/crash-during-iframe-load-stop.html [new file with mode: 0644]
LayoutTests/fast/frames/resources/crash-during-iframe-load-stop-inner.html [new file with mode: 0644]
LayoutTests/fast/frames/resources/crash-during-iframe-load-stop.html [new file with mode: 0644]
Source/WebCore/ChangeLog
Source/WebCore/loader/FrameLoader.cpp
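The fix described in the ChangeLog ("Protect m_frame from destruction while it is still being used by the current stack frame") is the scoped-protector pattern: take a strong reference to the object at the top of the function so that a callout which drops the owner's last reference cannot free it until the function returns. The C++ below is an added example, not WebKit's code or part of this commit: Frame, FrameLoader, FrameProtector and Owner are hypothetical stand-ins (FrameProtector plays the role WTF::Ref<Frame> plays in the real fix), and the live-object registry is constructed so the unprotected path can be probed without actually reading freed memory. One simplification: here the loader lives on the stack rather than inside the Frame, so the probe after the callout is itself safe.

```cpp
#include <functional>
#include <set>
#include <string>
#include <utility>

// Constructed for this example: tracks which Frame objects currently exist,
// so the unprotected path can report "freed" by pointer value alone.
static std::set<const void*> g_liveFrames;

struct Frame {
    unsigned refCount = 0;
    bool stopped = false;
    Frame() { g_liveFrames.insert(this); }
    ~Frame() { g_liveFrames.erase(this); }
    void ref() { ++refCount; }
    void deref() { if (--refCount == 0) delete this; }
};

// Scoped strong reference: the role WTF::Ref<Frame> plays in the fix.
class FrameProtector {
public:
    explicit FrameProtector(Frame& f) : m_frame(f) { m_frame.ref(); }
    ~FrameProtector() { m_frame.deref(); }
    FrameProtector(const FrameProtector&) = delete;
    FrameProtector& operator=(const FrameProtector&) = delete;
private:
    Frame& m_frame;
};

// Hypothetical owner of the only strong reference (the parent document).
struct Owner {
    Frame* frame;
    explicit Owner(Frame* f) : frame(f) { frame->ref(); }
    ~Owner() { if (frame) frame->deref(); }
    void removeFrame() { Frame* f = frame; frame = nullptr; f->deref(); } // like iframe.remove()
};

struct FrameLoader {
    Frame& m_frame;                  // bare reference, as WebCore::FrameLoader::m_frame is
    std::function<void()> m_client;  // client notification that may run script
    FrameLoader(Frame& f, std::function<void()> client)
        : m_frame(f), m_client(std::move(client)) {}

    // Before the fix: nothing keeps m_frame alive across the callout.
    std::string stopForUserCancelUnprotected() {
        Frame* frame = &m_frame;
        frame->stopped = true;
        m_client();  // may drop the last reference to *frame
        // Real code would now continue using frame (and its timers): heap UAF.
        return g_liveFrames.count(frame) ? "frame alive" : "frame freed: use-after-free";
    }

    // After the fix: the protector holds the frame until this function returns.
    std::string stopForUserCancelProtected() {
        FrameProtector protector(m_frame);
        Frame* frame = &m_frame;
        frame->stopped = true;
        m_client();  // owner may let go, but our reference keeps *frame alive
        return g_liveFrames.count(frame) ? "frame alive" : "frame freed: use-after-free";
    } // protector releases here; the frame dies now, after we are done with it
};

// Scenario: stopping the load runs a client hook that removes the frame.
std::string runStopScenario(bool withProtector) {
    Frame* frame = new Frame;
    Owner owner(frame);
    FrameLoader loader(*frame, [&owner] { owner.removeFrame(); });
    return withProtector ? loader.stopForUserCancelProtected()
                         : loader.stopForUserCancelUnprotected();
}

// Leak check: every scenario should end with no live frames.
size_t liveFrameCount() { return g_liveFrames.size(); }
```

Two caveats a reviewer would apply to this pattern: the protector must be taken before the first point at which script or a client callback can run, not after it; and it keeps alive only the object it references, so other objects the function touches after the callout (the document, a child frame, a timer owner) need their own protection or a liveness check.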