Prevent ThreadableLoaderClient methods from being called after failure notification

Source/core/loader/DocumentThreadableLoader.cpp

 /*
  * Copyright (C) 2011, 2012 Google Inc. All rights reserved.
  * Copyright (C) 2013, Intel Corporation
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions are
  * met:
  *
  *     * Redistributions of source code must retain the above copyright
  * notice, this list of conditions and the following disclaimer.
@@ skipping 127 matching lines @@
     , m_timeoutTimer(this, &DocumentThreadableLoader::didTimeout)
     , m_requestStartedSeconds(0.0)
     , m_corsRedirectLimit(kMaxCORSRedirects)
     , m_redirectMode(request.fetchRedirectMode())
 {
     ASSERT(client);
     // Setting an outgoing referer is only supported in the async code path.
     ASSERT(m_async || request.httpReferrer().isEmpty());
 
     if (!m_sameOriginRequest && m_options.crossOriginRequestPolicy == DenyCrossOriginRequests) {
-        m_client->didFail(ResourceError(errorDomainBlinkInternal, 0, request.url().string(), "Cross origin requests are not supported."));
+        ThreadableLoaderClient* client = m_client;
+        clear();
+        client->didFail(ResourceError(errorDomainBlinkInternal, 0, request.url().string(), "Cross origin requests are not supported."));
+        // |this| may be dead here.
         return;
     }
 
     m_requestStartedSeconds = monotonicallyIncreasingTime();
 
     // Save any CORS simple headers on the request here. If this request redirects cross-origin, we cancel the old request
     // create a new one, and copy these headers.
     const HTTPHeaderMap& headerMap = request.httpHeaderFields();
     for (const auto& header : headerMap) {
         if (FetchUtils::isSimpleHeader(header.key, header.value))
@@ skipping 20 matching lines @@
             newRequest.setFetchRequestMode(WebURLRequest::FetchRequestModeCORS);
 
         m_fallbackRequestForServiceWorker = adoptPtr(new ResourceRequest(request));
         m_fallbackRequestForServiceWorker->setSkipServiceWorker(true);
 
         loadRequest(newRequest, m_resourceLoaderOptions);
         return;
     }
 
     dispatchInitialRequest(request);
+    // |this| may be dead here in async mode.
 }
 
 void DocumentThreadableLoader::dispatchInitialRequest(const ResourceRequest& request)
 {
     if (m_sameOriginRequest || m_options.crossOriginRequestPolicy == AllowCrossOriginRequests) {
         loadRequest(request, m_resourceLoaderOptions);
         return;
     }
 
     ASSERT(m_options.crossOriginRequestPolicy == UseAccessControl);
 
     makeCrossOriginAccessRequest(request);
+    // |this| may be dead here in async mode.
 }
 
 void DocumentThreadableLoader::makeCrossOriginAccessRequest(const ResourceRequest& request)
 {
     ASSERT(m_options.crossOriginRequestPolicy == UseAccessControl);
+    ASSERT(m_client);
+    ASSERT(!resource());
 
     // Cross-origin requests are only allowed certain registered schemes.
     // We would catch this when checking response headers later, but there
     // is no reason to send a request, preflighted or not, that's guaranteed
     // to be denied.
     if (!SchemeRegistry::shouldTreatURLSchemeAsCORSEnabled(request.url().protocol())) {
-        m_client->didFailAccessControlCheck(ResourceError(errorDomainBlinkInternal, 0, request.url().string(), "Cross origin requests are only supported for protocol schemes: " + SchemeRegistry::listOfCORSEnabledURLSchemes() + "."));
+        ThreadableLoaderClient* client = m_client;
+        clear();
+        client->didFailAccessControlCheck(ResourceError(errorDomainBlinkInternal, 0, request.url().string(), "Cross origin requests are only supported for protocol schemes: " + SchemeRegistry::listOfCORSEnabledURLSchemes() + "."));
+        // |this| may be dead here in async mode.
         return;
     }
 
     // We use isSimpleOrForbiddenRequest() here since |request| may have been
     // modified in the process of loading (not from the user's input). For
     // example, referrer. We need to accept them. For security, we must reject
     // forbidden headers/methods at the point we accept user's input. Not here.
     if ((m_options.preflightPolicy == ConsiderPreflight && FetchUtils::isSimpleOrForbiddenRequest(request.httpMethod(), request.httpHeaderFields())) || m_options.preflightPolicy == PreventPreflight) {
         ResourceRequest crossOriginRequest(request);
         ResourceLoaderOptions crossOriginOptions(m_resourceLoaderOptions);
@@ skipping 43 matching lines @@
         double elapsedTime = monotonicallyIncreasingTime() - m_requestStartedSeconds;
         double nextFire = timeoutMilliseconds / 1000.0;
         double resolvedTime = std::max(nextFire - elapsedTime, 0.0);
         m_timeoutTimer.startOneShot(resolvedTime, FROM_HERE);
     }
 }
 
 void DocumentThreadableLoader::cancel()
 {
     cancelWithError(ResourceError());
+    // |this| may be dead here.
 }
 
 void DocumentThreadableLoader::cancelWithError(const ResourceError& error)
 {
-    RefPtr<DocumentThreadableLoader> protect(this);
+    // Cancel can re-enter and m_resource might be null here as a result.
+    if (!m_client || !resource()) {
+        clear();
+        return;
+    }
 
-    // Cancel can re-enter and m_resource might be null here as a result.
-    if (m_client && resource()) {
-        ResourceError errorForCallback = error;
-        if (errorForCallback.isNull()) {
-            // FIXME: This error is sent to the client in didFail(), so it should not be an internal one. Use FrameLoaderClient::cancelledError() instead.
-            errorForCallback = ResourceError(errorDomainBlinkInternal, 0, resource()->url().string(), "Load cancelled");
-            errorForCallback.setIsCancellation(true);
-        }
-        m_client->didFail(errorForCallback);
+    ResourceError errorForCallback = error;
+    if (errorForCallback.isNull()) {
+        // FIXME: This error is sent to the client in didFail(), so it should not be an internal one. Use FrameLoaderClient::cancelledError() instead.
+        errorForCallback = ResourceError(errorDomainBlinkInternal, 0, resource()->url().string(), "Load cancelled");
+        errorForCallback.setIsCancellation(true);
     }
-    clearResource();
-    m_client = 0;
-    m_requestStartedSeconds = 0.0;
+
+    ThreadableLoaderClient* client = m_client;
+    clear();
+    client->didFail(errorForCallback);
+    // |this| may be dead here in async mode.
 }
 
 void DocumentThreadableLoader::setDefersLoading(bool value)
 {
     if (resource())
         resource()->setDefersLoading(value);
 }
 
+void DocumentThreadableLoader::clear()
+{
+    m_client = 0;
+
+    if (!m_async)
+        return;
+
+    clearResource();
+    m_timeoutTimer.stop();
+    m_requestStartedSeconds = 0.0;
+}
+
 // In this method, we can clear |request| to tell content::WebURLLoaderImpl of
 // Chromium not to follow the redirect. This works only when this method is
 // called by RawResource::willSendRequest(). If called by
 // RawResource::didAddClient(), clearing |request| won't be propagated
 // to content::WebURLLoaderImpl. So, this loader must also get detached from
 // the resource by calling clearResource().
 void DocumentThreadableLoader::redirectReceived(Resource* resource, ResourceRequest& request, const ResourceResponse& redirectResponse)
 {
     ASSERT(m_client);
     ASSERT_UNUSED(resource, resource == this->resource());
     ASSERT(m_async);
 
-    RefPtr<DocumentThreadableLoader> protect(this);
-
     if (m_actualRequest) {
         reportResponseReceived(resource->identifier(), redirectResponse);
 
-        clearResource();
+        handlePreflightFailure(redirectResponse.url().string(), "Response for preflight is invalid (redirect)");
+        // |this| may be dead here.
+
         request = ResourceRequest();
 
-        m_requestStartedSeconds = 0.0;
-
-        handlePreflightFailure(redirectResponse.url().string(), "Response for preflight is invalid (redirect)");
-
         return;
     }
 
     if (m_redirectMode == WebURLRequest::FetchRedirectModeManual) {
+        // Keep |this| alive even if the client release a reference in
+        // responseReceived().
+        RefPtr<DocumentThreadableLoader> protect(this);
+
         // We use |m_redirectMode| to check the original redirect mode.
         // |request| is a new request for redirect. So we don't set the redirect
         // mode of it in WebURLLoaderImpl::Context::OnReceivedRedirect().
         ASSERT(request.useStreamOnResponse());
         // There is no need to read the body of redirect response because there
         // is no way to read the body of opaque-redirect filtered response's
         // internal response.
         // TODO(horo): If we support any API which expose the internal body, we
         // will have to read the body. And also HTTPCache changes will be needed
         // because it doesn't store the body of redirect responses.
         responseReceived(resource, redirectResponse, adoptPtr(new EmptyDataHandle()));
-        notifyFinished(resource);
-        clearResource();
+
+        if (m_client) {
+            ASSERT(!m_actualRequest);
+            notifyFinished(resource);
+        }
+
         request = ResourceRequest();
+
         return;
     }
 
     if (m_redirectMode == WebURLRequest::FetchRedirectModeError || !isAllowedByContentSecurityPolicy(request.url(), ContentSecurityPolicy::DidRedirect)) {
-        m_client->didFailRedirectCheck();
+        ThreadableLoaderClient* client = m_client;
+        clear();
+        client->didFailRedirectCheck();
+        // |this| may be dead here.
 
-        clearResource();
         request = ResourceRequest();
 
-        m_requestStartedSeconds = 0.0;
         return;
     }
 
     // Allow same origin requests to continue after allowing clients to audit the redirect.
     if (isAllowedRedirect(request.url())) {
         if (m_client->isDocumentThreadableLoaderClient())
             static_cast<DocumentThreadableLoaderClient*>(m_client)->willFollowRedirect(request, redirectResponse);
         return;
     }
 
     if (m_corsRedirectLimit <= 0) {
-        m_client->didFailRedirectCheck();
+        ThreadableLoaderClient* client = m_client;
+        clear();
+        client->didFailRedirectCheck();
+        // |this| may be dead here.
     } else if (m_options.crossOriginRequestPolicy == UseAccessControl) {
         --m_corsRedirectLimit;
 
         InspectorInstrumentation::didReceiveCORSRedirectResponse(m_document.frame(), resource->identifier(), m_document.frame()->loader().documentLoader(), redirectResponse, 0);
 
         bool allowRedirect = false;
         String accessControlErrorDescription;
 
         // Non-simple cross origin requests (both preflight and actual one) are
         // not allowed to follow redirect.
@@ skipping 27 matching lines @@
                 m_forceDoNotAllowStoredCredentials = true;
 
             // Remove any headers that may have been added by the network layer that cause access control to fail.
             request.clearHTTPReferrer();
             request.clearHTTPOrigin();
             request.clearHTTPUserAgent();
             // Add any CORS simple request headers which we previously saved from the original request.
             for (const auto& header : m_simpleRequestHeaders)
                 request.setHTTPHeaderField(header.key, header.value);
             makeCrossOriginAccessRequest(request);
+            // |this| may be dead here.
             return;
         }
 
-        ResourceError error(errorDomainBlinkInternal, 0, redirectResponse.url().string(), accessControlErrorDescription);
-        m_client->didFailAccessControlCheck(error);
+        ThreadableLoaderClient* client = m_client;
+        clear();
+        client->didFailAccessControlCheck(ResourceError(errorDomainBlinkInternal, 0, redirectResponse.url().string(), accessControlErrorDescription));
+        // |this| may be dead here.
     } else {
-        m_client->didFailRedirectCheck();
+        ThreadableLoaderClient* client = m_client;
+        clear();
+        client->didFailRedirectCheck();
+        // |this| may be dead here.
     }
 
-    clearResource();
     request = ResourceRequest();
-
-    m_requestStartedSeconds = 0.0;
 }
 
 void DocumentThreadableLoader::dataSent(Resource* resource, unsigned long long bytesSent, unsigned long long totalBytesToBeSent)
 {
     ASSERT(m_client);
     ASSERT_UNUSED(resource, resource == this->resource());
     ASSERT(m_async);
 
     m_client->didSendData(bytesSent, totalBytesToBeSent);
+    // |this| may be dead here.
 }
 
 void DocumentThreadableLoader::dataDownloaded(Resource* resource, int dataLength)
 {
     ASSERT(m_client);
     ASSERT_UNUSED(resource, resource == this->resource());
     ASSERT(!m_actualRequest);
     ASSERT(m_async);
 
     m_client->didDownloadData(dataLength);
+    // |this| may be dead here.
 }
 
 void DocumentThreadableLoader::didReceiveResourceTiming(Resource* resource, const ResourceTimingInfo& info)
 {
     ASSERT(m_client);
     ASSERT_UNUSED(resource, resource == this->resource());
     ASSERT(m_async);
 
     m_client->didReceiveResourceTiming(info);
+    // |this| may be dead here.
 }
 
 void DocumentThreadableLoader::responseReceived(Resource* resource, const ResourceResponse& response, PassOwnPtr<WebDataConsumerHandle> handle)
 {
     ASSERT_UNUSED(resource, resource == this->resource());
     ASSERT(m_async);
 
     if (handle)
         m_isUsingDataConsumerHandle = true;
 
     handleResponse(resource->identifier(), response, handle);
+    // |this| may be dead here.
 }
 
 void DocumentThreadableLoader::handlePreflightResponse(const ResourceResponse& response)
 {
     String accessControlErrorDescription;
 
     if (!passesAccessControlCheck(response, effectiveAllowCredentials(), securityOrigin(), accessControlErrorDescription, m_requestContext)) {
         handlePreflightFailure(response.url().string(), "Response to preflight request doesn't pass access control check: " + accessControlErrorDescription);
+        // |this| may be dead here in async mode.
         return;
     }
 
     if (!passesPreflightStatusCheck(response, accessControlErrorDescription)) {
         handlePreflightFailure(response.url().string(), accessControlErrorDescription);
+        // |this| may be dead here in async mode.
         return;
     }
 
     OwnPtr<CrossOriginPreflightResultCacheItem> preflightResult = adoptPtr(new CrossOriginPreflightResultCacheItem(effectiveAllowCredentials()));
     if (!preflightResult->parse(response, accessControlErrorDescription)
         || !preflightResult->allowsCrossOriginMethod(m_actualRequest->httpMethod(), accessControlErrorDescription)
         || !preflightResult->allowsCrossOriginHeaders(m_actualRequest->httpHeaderFields(), accessControlErrorDescription)) {
         handlePreflightFailure(response.url().string(), accessControlErrorDescription);
+        // |this| may be dead here in async mode.
         return;
     }
 
     CrossOriginPreflightResultCache::shared().appendEntry(securityOrigin()->toString(), m_actualRequest->url(), preflightResult.release());
 }
 
 void DocumentThreadableLoader::reportResponseReceived(unsigned long identifier, const ResourceResponse& response)
 {
     DocumentLoader* loader = m_document.frame()->loader().documentLoader();
     TRACE_EVENT_INSTANT1("devtools.timeline", "ResourceReceiveResponse", TRACE_EVENT_SCOPE_THREAD, "data", InspectorReceiveResponseEvent::data(identifier, m_document.frame(), response));
     LocalFrame* frame = m_document.frame();
     InspectorInstrumentation::didReceiveResourceResponse(frame, identifier, loader, response, resource() ? resource()->loader() : 0);
     frame->console().reportResourceResponseReceived(loader, identifier, response);
 }
 
 void DocumentThreadableLoader::handleResponse(unsigned long identifier, const ResourceResponse& response, PassOwnPtr<WebDataConsumerHandle> handle)
 {
     ASSERT(m_client);
 
     if (m_actualRequest) {
         reportResponseReceived(identifier, response);
         handlePreflightResponse(response);
+        // |this| may be dead here in async mode.
         return;
     }
 
     if (response.wasFetchedViaServiceWorker()) {
         // It's still possible to reach here with null m_fallbackRequestForServiceWorker
         // if the request was for main resource loading (i.e. for SharedWorker), for which
         // we create DocumentLoader before the controller ServiceWorker is set.
         ASSERT(m_fallbackRequestForServiceWorker || m_requestContext == WebURLRequest::RequestContextSharedWorker);
         if (response.wasFallbackRequiredByServiceWorker()) {
             // At this point we must have m_fallbackRequestForServiceWorker.
             // (For SharedWorker the request won't be CORS or CORS-with-preflight,
             // therefore fallback-to-network is handled in the browser process
             // when the ServiceWorker does not call respondWith().)
             ASSERT(m_fallbackRequestForServiceWorker);
             reportResponseReceived(identifier, response);
             loadFallbackRequestForServiceWorker();
+            // |this| may be dead here in async mode.
             return;
         }
         m_fallbackRequestForServiceWorker = nullptr;
         m_client->didReceiveResponse(identifier, response, handle);
         return;
     }
 
     // Even if the request met the conditions to get handled by a Service Worker
     // in the constructor of this class (and therefore
     // |m_fallbackRequestForServiceWorker| is set), the Service Worker may skip
     // processing the request. Only if the request is same origin, the skipped
     // response may come here (wasFetchedViaServiceWorker() returns false) since
     // such a request doesn't have to go through the CORS algorithm by calling
     // loadFallbackRequestForServiceWorker().
     // FIXME: We should use |m_sameOriginRequest| when we will support
     // Suborigins (crbug.com/336894) for Service Worker.
     ASSERT(!m_fallbackRequestForServiceWorker || securityOrigin()->canRequest(m_fallbackRequestForServiceWorker->url()));
     m_fallbackRequestForServiceWorker = nullptr;
 
     if (!m_sameOriginRequest && m_options.crossOriginRequestPolicy == UseAccessControl) {
         String accessControlErrorDescription;
         if (!passesAccessControlCheck(response, effectiveAllowCredentials(), securityOrigin(), accessControlErrorDescription, m_requestContext)) {
             reportResponseReceived(identifier, response);
-            m_client->didFailAccessControlCheck(ResourceError(errorDomainBlinkInternal, 0, response.url().string(), accessControlErrorDescription));
+
+            ThreadableLoaderClient* client = m_client;
+            clear();
+            client->didFailAccessControlCheck(ResourceError(errorDomainBlinkInternal, 0, response.url().string(), accessControlErrorDescription));
+            // |this| may be dead here.
             return;
         }
     }
 
     m_client->didReceiveResponse(identifier, response, handle);
 }
 
 void DocumentThreadableLoader::setSerializedCachedMetadata(Resource*, const char* data, size_t size)
 {
     if (m_actualRequest)
         return;
     m_client->didReceiveCachedMetadata(data, size);
+    // |this| may be dead here.
 }
 
 void DocumentThreadableLoader::dataReceived(Resource* resource, const char* data, unsigned dataLength)
 {
     ASSERT_UNUSED(resource, resource == this->resource());
     ASSERT(m_async);
 
     if (m_isUsingDataConsumerHandle)
         return;
 
     handleReceivedData(data, dataLength);
+    // |this| may be dead here.
 }
 
 void DocumentThreadableLoader::handleReceivedData(const char* data, unsigned dataLength)
 {
     ASSERT(m_client);
 
     // Preflight data should be invisible to clients.
     if (m_actualRequest)
         return;
 
     ASSERT(!m_fallbackRequestForServiceWorker);
 
     m_client->didReceiveData(data, dataLength);
+    // |this| may be dead here in async mode.
 }
 
 void DocumentThreadableLoader::notifyFinished(Resource* resource)
 {
     ASSERT(m_client);
     ASSERT(resource == this->resource());
     ASSERT(m_async);
 
-    m_timeoutTimer.stop();
+    if (resource->errorOccurred()) {
+        handleError(resource->resourceError());
+        // |this| may be dead here.
+    } else {
+        handleSuccessfulFinish(resource->identifier(), resource->loadFinishTime());
+        // |this| may be dead here.
+    }
+}
 
-    if (resource->errorOccurred())
-        m_client->didFail(resource->resourceError());
-    else
-        handleSuccessfulFinish(resource->identifier(), resource->loadFinishTime());
+void DocumentThreadableLoader::handleSuccessfulActualRequestFinish(unsigned long identifier, double finishTime)
+{
 }
 
 void DocumentThreadableLoader::handleSuccessfulFinish(unsigned long identifier, double finishTime)
 {
     ASSERT(!m_fallbackRequestForServiceWorker);
 
-    if (m_actualRequest) {
+    if (!m_actualRequest) {
+        // FIXME: Timeout should be applied to whole fetch, not for each of
+        // preflight and actual request.
+        m_timeoutTimer.stop();
         ASSERT(!m_sameOriginRequest);

[hiroshige, 2015/09/17 08:39:33]

This assertion is failing in many browser tests, e.g.
http://build.chromium.org/p/tryserver.chromium.win/builders/win_chromium_x64_...

[tyoshino (SeeGerritForStatus), 2015/09/17 08:45:41]

Sorry. I just forgot to fix the if-clause after reverting
handleSuccessfulActualRequestFinish refactoring.

Fixing

         ASSERT(m_options.crossOriginRequestPolicy == UseAccessControl);
         loadActualRequest();
-    } else {
-        // FIXME: Should prevent timeout from being overridden after finished loading, without
-        // resetting m_requestStartedSeconds to 0.0
-        m_client->didFinishLoading(identifier, finishTime);
+        return;
     }
+
+    ThreadableLoaderClient* client = m_client;
+    m_client = 0;
+    // Don't clear the resource as the client may need to access the downloaded
+    // file which will be released when the resource is destoryed.
+    if (m_async) {
+        m_timeoutTimer.stop();
+        m_requestStartedSeconds = 0.0;
+    }
+    client->didFinishLoading(identifier, finishTime);
+    // |this| may be dead here in async mode.
 }
 
 void DocumentThreadableLoader::didTimeout(Timer<DocumentThreadableLoader>* timer)
 {
     ASSERT_UNUSED(timer, timer == &m_timeoutTimer);
 
     // Using values from net/base/net_error_list.h ERR_TIMED_OUT,
     // Same as existing FIXME above - this error should be coming from FrameLoaderClient to be identifiable.
     static const int timeoutError = -7;
     ResourceError error("net", timeoutError, resource()->url(), String());
     error.setIsTimeout(true);
     cancelWithError(error);
+    // |this| may be dead here.
 }
 
 void DocumentThreadableLoader::loadFallbackRequestForServiceWorker()
 {
     clearResource();
     OwnPtr<ResourceRequest> fallbackRequest(m_fallbackRequestForServiceWorker.release());
     dispatchInitialRequest(*fallbackRequest);
+    // |this| may be dead here in async mode.
 }
 
 void DocumentThreadableLoader::loadActualRequest()
 {
     OwnPtr<ResourceRequest> actualRequest;
     actualRequest.swap(m_actualRequest);
     OwnPtr<ResourceLoaderOptions> actualOptions;
     actualOptions.swap(m_actualOptions);
 
     actualRequest->setHTTPOrigin(securityOrigin()->toAtomicString());
 
     clearResource();
 
     loadRequest(*actualRequest, *actualOptions);
 }
 
 void DocumentThreadableLoader::handlePreflightFailure(const String& url, const String& errorDescription)
 {
     ResourceError error(errorDomainBlinkInternal, 0, url, errorDescription);
 
     // Prevent handleSuccessfulFinish() from bypassing access check.
     m_actualRequest = nullptr;
 
-    // FIXME: Should prevent timeout from being overridden after preflight failure, without
-    // resetting m_requestStartedSeconds to 0.0
-    m_client->didFailAccessControlCheck(error);
+    ThreadableLoaderClient* client = m_client;
+    clear();
+    client->didFailAccessControlCheck(error);
+    // |this| may be dead here in async mode.
+}
+
+void DocumentThreadableLoader::handleError(const ResourceError& error)
+{
+    // Copy the ResourceError instance to make it sure that the passed
+    // ResourceError is alive during didFail() even when the Resource is
+    // destructed during didFail().
+    ResourceError copiedError = error;
+
+    ThreadableLoaderClient* client = m_client;
+    clear();
+    client->didFail(copiedError);
+    // |this| may be dead here.
 }
 
 void DocumentThreadableLoader::loadRequest(const ResourceRequest& request, ResourceLoaderOptions resourceLoaderOptions)
 {
     // Any credential should have been removed from the cross-site requests.
     const KURL& requestURL = request.url();
     ASSERT(m_sameOriginRequest || requestURL.user().isEmpty());
     ASSERT(m_sameOriginRequest || requestURL.pass().isEmpty());
 
     // Update resourceLoaderOptions with enforced values.
@@ skipping 47 matching lines @@
     // FIXME: A synchronous request does not tell us whether a redirect happened or not, so we guess by comparing the
     // request and response URLs. This isn't a perfect test though, since a server can serve a redirect to the same URL that was
     // requested. Also comparing the request and response URLs as strings will fail if the requestURL still has its credentials.
     if (requestURL != response.url() && (!isAllowedByContentSecurityPolicy(response.url(), ContentSecurityPolicy::DidRedirect) || !isAllowedRedirect(response.url()))) {
         m_client->didFailRedirectCheck();
         return;
     }
 
     handleResponse(identifier, response, nullptr);
 
+    // handleResponse() may detect an error. In such a case (check |m_client|
+    // as it gets reset by clear() call), skip the rest.
+    //
+    // |this| is alive here since loadResourceSynchronously() keeps it alive
+    // until the end of the function.
+    if (!m_client)
+        return;
+
     SharedBuffer* data = resource->resourceBuffer();
     if (data)
         handleReceivedData(data->data(), data->size());
 
+    // The client may cancel this loader in handleReceivedData(). In such a
+    // case, skip the rest.
+    if (!m_client)
+        return;
+
     handleSuccessfulFinish(identifier, 0.0);
 }
 
 bool DocumentThreadableLoader::isAllowedRedirect(const KURL& url) const
 {
     if (m_options.crossOriginRequestPolicy == AllowCrossOriginRequests)
         return true;
 
     return m_sameOriginRequest && securityOrigin()->canRequest(url);
 }
@@ skipping 11 matching lines @@
         return DoNotAllowStoredCredentials;
     return m_resourceLoaderOptions.allowCredentials;
 }
 
 SecurityOrigin* DocumentThreadableLoader::securityOrigin() const
 {
     return m_securityOrigin ? m_securityOrigin.get() : m_document.securityOrigin();
 }
 
 } // namespace blink