UpdateWidget() can fire beforeload event synchronously blowing away RenderArena and its associated …

Source/core/page/FrameView.cpp

 /*
  * Copyright (C) 1998, 1999 Torben Weis <weis@kde.org>
  *                     1999 Lars Knoll <knoll@kde.org>
  *                     1999 Antti Koivisto <koivisto@kde.org>
  *                     2000 Dirk Mueller <mueller@kde.org>
  * Copyright (C) 2004, 2005, 2006, 2007, 2008 Apple Inc. All rights reserved.
  *           (C) 2006 Graham Dennis (graham.dennis@gmail.com)
  *           (C) 2006 Alexey Proskuryakov (ap@nypop.com)
  * Copyright (C) 2009 Google Inc. All rights reserved.
  *
@@ skipping 2184 matching lines @@
     // Align to the top and to the closest side (this matches other browsers).
     anchorNode->renderer()->scrollRectToVisible(rect, ScrollAlignment::alignToEdgeIfNeeded, ScrollAlignment::alignTopAlways);
 
     if (AXObjectCache* cache = m_frame->document()->existingAXObjectCache())
         cache->handleScrolledToAnchor(anchorNode.get());
 
     // scrollRectToVisible can call into setScrollPosition(), which resets m_maintainScrollPositionAnchor.
     m_maintainScrollPositionAnchor = anchorNode;
 }
 
-void FrameView::updateWidget(RenderObject* object)
+bool FrameView::updateWidget(RenderObject* object)
 {
     ASSERT(!object->node() || object->node()->isElementNode());
-    Element* ownerElement = toElement(object->node());
+    RefPtr<Element> ownerElement = toElement(object->node());
     // The object may have already been destroyed (thus node cleared),
     // but FrameView holds a manual ref, so it won't have been deleted.
     ASSERT(m_widgetUpdateSet->contains(object));
     if (!ownerElement)
-        return;
+        return true;
 
     if (object->isEmbeddedObject()) {
         RenderEmbeddedObject* embeddedObject = static_cast<RenderEmbeddedObject*>(object);
         // No need to update if it's already crashed or known to be missing.
         if (embeddedObject->showsUnavailablePluginIndicator())
-            return;
+            return true;
 
         // FIXME: This could turn into a real virtual dispatch if we defined
         // updateWidget(PluginCreationOption) on HTMLElement.
         if (ownerElement->hasTagName(objectTag) || ownerElement->hasTagName(embedTag) || ownerElement->hasTagName(appletTag)) {
-            HTMLPlugInImageElement* pluginElement = toHTMLPlugInImageElement(ownerElement);
+            HTMLPlugInImageElement* pluginElement = toHTMLPlugInImageElement(ownerElement.get());
             if (pluginElement->needsWidgetUpdate())
                 pluginElement->updateWidget(CreateAnyWidgetType);
         } else
             ASSERT_NOT_REACHED();
 
         // Caution: it's possible the object was destroyed again, since loading a
         // plugin may run any arbitrary JavaScript.
+        if (ownerElement->renderer() != embeddedObject) {
+            m_widgetUpdateSet->clear();
+            return false;
+        }
         embeddedObject->updateWidgetPosition();
     }
+
+    return true;
 }
 
 bool FrameView::updateWidgets()
 {
     if (m_nestedLayoutCount > 1 || !m_widgetUpdateSet || m_widgetUpdateSet->isEmpty())
         return true;
     
     size_t size = m_widgetUpdateSet->size();
 
     Vector<RenderObject*> objects;
     objects.reserveInitialCapacity(size);
 
     RenderObjectSet::const_iterator end = m_widgetUpdateSet->end();
     for (RenderObjectSet::const_iterator it = m_widgetUpdateSet->begin(); it != end; ++it) {
         RenderObject* object = *it;
         objects.uncheckedAppend(object);
         if (object->isEmbeddedObject()) {
             RenderEmbeddedObject* embeddedObject = static_cast<RenderEmbeddedObject*>(object);
             embeddedObject->ref();
         }
     }
 
     for (size_t i = 0; i < size; ++i) {
         RenderObject* object = objects[i];
-        updateWidget(object);
+        if (!updateWidget(object))
+            return false;
         m_widgetUpdateSet->remove(object);
     }
 
     RenderArena* arena = m_frame->document()->renderArena();
     for (size_t i = 0; i < size; ++i) {
         RenderObject* object = objects[i];
         if (object->isEmbeddedObject()) {
             RenderEmbeddedObject* embeddedObject = static_cast<RenderEmbeddedObject*>(object);
             embeddedObject->deref(arena);
         }
@@ skipping 62 matching lines @@
 
     if (page) {
         if (ScrollingCoordinator* scrollingCoordinator = page->scrollingCoordinator())
             scrollingCoordinator->frameViewLayoutUpdated(this);
     }
 
     scrollToAnchor();
 
     m_actionScheduler->resume();
 
+    // Refetch render view since it can be destroyed by updateWidget()
+    // call above.
+    renderView = this->renderView();
     if (renderView && !renderView->printing()) {
         IntSize currentSize;
         currentSize = visibleContentRect(IncludeScrollbars).size();
         float currentZoomFactor = renderView->style()->zoom();
         bool resized = !m_firstLayout && (currentSize != m_lastViewportSize || currentZoomFactor != m_lastZoomFactor);
         m_lastViewportSize = currentSize;
         m_lastZoomFactor = currentZoomFactor;
         if (resized) {
             m_frame->eventHandler()->sendResizeEvent();
 
@@ skipping 1188 matching lines @@
 }
     
 AXObjectCache* FrameView::axObjectCache() const
 {
     if (frame() && frame()->document())
         return frame()->document()->existingAXObjectCache();
     return 0;
 }
     
 } // namespace WebCore