Prevent entering XHR methods while loader is being cancelled.

Source/core/xml/XMLHttpRequest.cpp

Index: Source/core/xml/XMLHttpRequest.cpp
diff --git a/Source/core/xml/XMLHttpRequest.cpp b/Source/core/xml/XMLHttpRequest.cpp
index 4b5e89b3c6d69426433a210501c3727047a47b99..a0077bc3c31f13380f8ca23356680180fe6a8ce7 100644
--- a/Source/core/xml/XMLHttpRequest.cpp
+++ b/Source/core/xml/XMLHttpRequest.cpp
@@ -172,6 +172,7 @@ XMLHttpRequest::XMLHttpRequest(ScriptExecutionContext* context, PassRefPtr<Secur
     , m_timeoutMilliseconds(0)
     , m_state(UNSENT)
     , m_createdDocument(false)
+    , m_preventReentrant(false)
     , m_error(false)
     , m_uploadEventsAllowed(true)
     , m_uploadComplete(false)
@@ -481,6 +482,11 @@ void XMLHttpRequest::open(const String& method, const KURL& url, ExceptionState&
 
 void XMLHttpRequest::open(const String& method, const KURL& url, bool async, ExceptionState& es)
 {
+    if (m_preventReentrant) {
+        es.throwDOMException(InvalidStateError, ExceptionMessages::failedToExecute("open", "XMLHttpRequest", "reentrant is not allowed."));
+        return;
+    }
+
     internalAbort();
     State previousState = m_state;
     m_state = UNSENT;
@@ -566,6 +572,11 @@ void XMLHttpRequest::open(const String& method, const KURL& url, bool async, con
 
 bool XMLHttpRequest::initSend(ExceptionState& es)
 {
+    if (m_preventReentrant) {
+        es.throwDOMException(InvalidStateError, ExceptionMessages::failedToExecute("send", "XMLHttpRequest", "reentrant is not allowed."));
+        return false;
+    }
+
     if (!scriptExecutionContext())
         return false;
 
@@ -716,6 +727,11 @@ void XMLHttpRequest::sendBytesData(const void* data, size_t length, ExceptionSta
 
 void XMLHttpRequest::sendForInspectorXHRReplay(PassRefPtr<FormData> formData, ExceptionState& es)
 {
+    if (m_preventReentrant) {
+        es.throwDOMException(InvalidStateError, ExceptionMessages::failedToExecute("sendForInspectorXHRReplay", "XMLHttpRequest", "reentrant is not allowed."));
+        return;
+    }
+
     m_requestEntityBody = formData ? formData->deepCopy() : 0;
     createRequest(es);
     m_exceptionCode = es.code();
@@ -810,8 +826,13 @@ void XMLHttpRequest::createRequest(ExceptionState& es)
         es.throwDOMException(m_exceptionCode);
 }
 
-void XMLHttpRequest::abort()
+void XMLHttpRequest::abort(ExceptionState& es)
 {
+    if (m_preventReentrant) {
+        es.throwDOMException(InvalidStateError, ExceptionMessages::failedToExecute("abort", "XMLHttpRequest", "reentrant is not allowed."));
+        return;
+    }
+
     // internalAbort() calls dropProtection(), which may release the last reference.
     RefPtr<XMLHttpRequest> protect(this);
 
@@ -856,7 +877,9 @@ void XMLHttpRequest::internalAbort(DropProtection async)
     if (!m_loader)
         return;
 
+    m_preventReentrant = true;
     m_loader->cancel();

[Nate Chapin, 2013/09/19 16:31:30]

Is it possible to solve this similarly to
http://src.chromium.org/viewvc/blink?view=revision&revision=120845, by storing
an RefPtr locally and clearing m_loader before calling cancel()?

+    m_preventReentrant = false;
     m_loader = 0;
 
     if (async == DropProtectionAsync)