Destroy (Password)AutofillAgent safely

components/autofill/content/renderer/form_autofill_util.cc

Index: components/autofill/content/renderer/form_autofill_util.cc
diff --git a/components/autofill/content/renderer/form_autofill_util.cc b/components/autofill/content/renderer/form_autofill_util.cc
index cb7947514250d5bbe3f689711c7590b9da959a29..c32ea6ccd511ea456e97111f916726f02afa01b6 100644
--- a/components/autofill/content/renderer/form_autofill_util.cc
+++ b/components/autofill/content/renderer/form_autofill_util.cc
@@ -892,6 +892,10 @@ void FillFormField(const FormFieldData& data,
       TruncateString(&value, input_element->maxLength());
     }
     field->setValue(value, true);
+    // Setting the value might trigger JavaScript, which is capable of
+    // destroying the frame.
+    if (!field->document().frame())
+      return;

[robwu, 2016/05/04 14:35:38]

Are you sure that |field| is still valid?
One of the new test cases from https://crbug.com/608101#c6 shows this stack:
https://bugs.chromium.org/p/chromium/issues/attachmentText?aid=233641.

Although I only reported about setValue, setChecked (a few lines back) should
also be fixed. Similarly for FormCache::ClearFormWithElement.

[vabr (Chromium), 2016/05/04 14:49:46]

It's refcounted and a reference is held by the caller, so it should be.
Good point, added.
While it does hold a reference to a frame without adding to its refcount, I
don't see it using it after setting any values. At that point it is the
responsibility of the caller to avoid calling it again once the frame is
deleted.

   }
 
   field->setAutofilled(true);