Fix a use-after-free in spellcheck client

Source/core/editing/SpellChecker.cpp

Index: Source/core/editing/SpellChecker.cpp
diff --git a/Source/core/editing/SpellChecker.cpp b/Source/core/editing/SpellChecker.cpp
index bfa17c3ac195014accf972c888741d3145c6537b..417dfd19c35c89b6a114b45d49c2ae295235c67c 100644
--- a/Source/core/editing/SpellChecker.cpp
+++ b/Source/core/editing/SpellChecker.cpp
@@ -89,16 +89,18 @@ void SpellCheckRequest::didSucceed(const Vector<TextCheckingResult>& results)
 {
     if (!m_checker)
         return;
-    m_checker->didCheckSucceed(m_requestData.sequence(), results);
+    SpellChecker* checker = m_checker;

[abarth-chromium, 2013/07/17 00:01:00]

It's a bit scary that this is a raw pointer, but that seems to be how we hold
m_checker..  LGTM

     m_checker = 0;
+    checker->didCheckSucceed(m_requestData.sequence(), results);
 }
 
 void SpellCheckRequest::didCancel()
 {
     if (!m_checker)
         return;
-    m_checker->didCheckCancel(m_requestData.sequence());
+    SpellChecker* checker = m_checker;
     m_checker = 0;
+    checker->didCheckCancel(m_requestData.sequence());
 }
 
 void SpellCheckRequest::setCheckerAndSequence(SpellChecker* requester, int sequence)