Crash fix: Avoid using stale HTMLToken after tree construction

third_party/WebKit/Source/core/html/parser/HTMLTreeBuilder.cpp

Index: third_party/WebKit/Source/core/html/parser/HTMLTreeBuilder.cpp
diff --git a/third_party/WebKit/Source/core/html/parser/HTMLTreeBuilder.cpp b/third_party/WebKit/Source/core/html/parser/HTMLTreeBuilder.cpp
index 7a1d8199dbc66387c93cccb8782af1e74acd83d2..f8a5ef3fe0a4ac8f29d1fa8076af6aff275c1495 100644
--- a/third_party/WebKit/Source/core/html/parser/HTMLTreeBuilder.cpp
+++ b/third_party/WebKit/Source/core/html/parser/HTMLTreeBuilder.cpp
@@ -793,10 +793,17 @@ void HTMLTreeBuilder::processStartTagForInBody(AtomicHTMLToken* token)
         return;
     }
     if (token->name() == inputTag) {
+        // Per spec https://html.spec.whatwg.org/#parsing-main-inbody,
+        // section "A start tag whose tag name is "input""
+
         Attribute* typeAttribute = token->getAttributeItem(typeAttr);
+        bool disableFrameset = !typeAttribute || !equalIgnoringCase(typeAttribute->value(), "hidden");
+
         m_tree.reconstructTheActiveFormattingElements();
+        // TODO(kouhei): Make it obvious that insertSelfClosingHTMLElement may mutate the token.
         m_tree.insertSelfClosingHTMLElement(token);
-        if (!typeAttribute || !equalIgnoringCase(typeAttribute->value(), "hidden"))
+
+        if (disableFrameset)
             m_framesetOk = false;
         return;
     }