Check if an iframe doesn't get detached twice

third_party/WebKit/Source/core/frame/LocalFrame.cpp

Index: third_party/WebKit/Source/core/frame/LocalFrame.cpp
diff --git a/third_party/WebKit/Source/core/frame/LocalFrame.cpp b/third_party/WebKit/Source/core/frame/LocalFrame.cpp
index 4f3f496b44233d9d1cbcaaca20c459b07bbd1504..9c68c203efb661ccf37b06829cd686d2df954288 100644
--- a/third_party/WebKit/Source/core/frame/LocalFrame.cpp
+++ b/third_party/WebKit/Source/core/frame/LocalFrame.cpp
@@ -379,6 +379,9 @@ void LocalFrame::reload(FrameLoadType loadType,
 }
 
 void LocalFrame::detach(FrameDetachType type) {
+  CHECK(!m_detached);
+  m_detached = true;
+
   PluginScriptForbiddenScope forbidPluginDestructorScripting;
   m_loader.stopAllLoaders();

[dcheng, 2016/10/08 04:59:50]

This can run script by causing a frame to be considered load complete: for an
example stack, see
https://bugs.chromium.org/p/chromium/issues/detail?id=561873#c127.

Note: the stack in that bug is past where we dispatch the load event; it's
actually a little higher in the stack in FrameLoader::checkCompleted, which can
call Document::implicitClose().

   // Don't allow any new child frames to load in this frame: attaching a new
@@ -855,7 +858,8 @@ inline LocalFrame::LocalFrame(FrameLoaderClient* client,
       m_pageZoomFactor(parentPageZoomFactor(this)),
       m_textZoomFactor(parentTextZoomFactor(this)),
       m_inViewSourceMode(false),
-      m_interfaceProvider(interfaceProvider) {
+      m_interfaceProvider(interfaceProvider),
+      m_detached(false) {
   if (isLocalRoot())
     m_instrumentingAgents = new InstrumentingAgents();
   else