Avoid use-after-free if frame is deleted when stopping loading.

Avoid use-after-free if frame is deleted when stopping loading.

WebFrame::stopLoading can run onload event handlers, which have
the ability to delete the frame.  This means we must be careful
when calling it from within RenderFrameImpl, or else the
remainder of the function may try to access a deleted object.

BUG=638166, 639689
TEST=See bug 638166 comment 11
NOTRY=true
NOPRESUBMIT=true

Review-Url: https://codereview.chromium.org/2307463003
Cr-Commit-Position: refs/heads/master@{#416082}
(cherry picked from commit ba53b47ffb07652d639e68db92743dc9aea21e5c)

[Charlie Reis, 2016-09-12 18:33:34]

creis@chromium.org changed reviewers:
+ nick@chromium.org

[Charlie Reis, 2016-09-12 18:33:35]

Nick, can you give me a sanity check that I got the merge correct?  I'm trying
to keep just the OnStop fix and not the NavigateInternal fix (and test) from
https://codereview.chromium.org/2307463003/.

[ncarter (slow), 2016-09-12 18:37:11]

This seems safe, though aesthetically it's squarely in the middle of crazytown.
lgtm

[Charlie Reis, 2016-09-12 18:56:36]

Description was changed from

==========
Avoid use-after-free if frame is deleted when stopping loading.

WebFrame::stopLoading can run onload event handlers, which have
the ability to delete the frame.  This means we must be careful
when calling it from within RenderFrameImpl, or else the
remainder of the function may try to access a deleted object.

BUG=638166, 639689
TEST=See bug 638166 comment 11
CQ_INCLUDE_TRYBOTS=master.tryserver.chromium.linux:linux_site_isolation

Review-Url: https://codereview.chromium.org/2307463003
Cr-Commit-Position: refs/heads/master@{#416082}
(cherry picked from commit ba53b47ffb07652d639e68db92743dc9aea21e5c)
==========

to

==========
Avoid use-after-free if frame is deleted when stopping loading.

WebFrame::stopLoading can run onload event handlers, which have
the ability to delete the frame.  This means we must be careful
when calling it from within RenderFrameImpl, or else the
remainder of the function may try to access a deleted object.

BUG=638166, 639689
TEST=See bug 638166 comment 11
NOTRY=true
NOPRESUBMIT=true

Review-Url: https://codereview.chromium.org/2307463003
Cr-Commit-Position: refs/heads/master@{#416082}
(cherry picked from commit ba53b47ffb07652d639e68db92743dc9aea21e5c)
==========

[Charlie Reis, 2016-09-12 18:57:01]

The CQ bit was checked by creis@chromium.org

[commit-bot: I haz the power, 2016-09-12 18:57:45]

CQ is trying da patch. Follow status at
 
https://chromium-cq-status.appspot.com/v2/patch-status/codereview.chromium.or...

[commit-bot: I haz the power, 2016-09-12 19:04:26]

Description was changed from

==========
Avoid use-after-free if frame is deleted when stopping loading.

WebFrame::stopLoading can run onload event handlers, which have
the ability to delete the frame.  This means we must be careful
when calling it from within RenderFrameImpl, or else the
remainder of the function may try to access a deleted object.

BUG=638166, 639689
TEST=See bug 638166 comment 11
NOTRY=true
NOPRESUBMIT=true

Review-Url: https://codereview.chromium.org/2307463003
Cr-Commit-Position: refs/heads/master@{#416082}
(cherry picked from commit ba53b47ffb07652d639e68db92743dc9aea21e5c)
==========

to

==========
Avoid use-after-free if frame is deleted when stopping loading.

WebFrame::stopLoading can run onload event handlers, which have
the ability to delete the frame.  This means we must be careful
when calling it from within RenderFrameImpl, or else the
remainder of the function may try to access a deleted object.

BUG=638166, 639689
TEST=See bug 638166 comment 11
NOTRY=true
NOPRESUBMIT=true

Review-Url: https://codereview.chromium.org/2307463003
Cr-Commit-Position: refs/heads/master@{#416082}
(cherry picked from commit ba53b47ffb07652d639e68db92743dc9aea21e5c)
==========

[commit-bot: I haz the power, 2016-09-12 19:04:27]

Committed patchset #1 (id:1)