[Fetch, Loader] Expect on-heap objects will never get destroyed with a reference

third_party/WebKit/Source/core/loader/FrameLoader.cpp

 /*
  * Copyright (C) 2006, 2007, 2008, 2009, 2010, 2011 Apple Inc. All rights
  * reserved.
  * Copyright (C) 2008 Nokia Corporation and/or its subsidiary(-ies)
  * Copyright (C) 2008, 2009 Torch Mobile Inc. All rights reserved.
  * (http://www.torchmobile.com/)
  * Copyright (C) 2008 Alp Toker <alp@atoker.com>
  * Copyright (C) Research In Motion Limited 2009. All rights reserved.
  * Copyright (C) 2011 Kris Jordan <krisjordan@gmail.com>
  * Copyright (C) 2011 Google Inc. All rights reserved.
@@ skipping 336 matching lines @@
 // always contains the result of evaluating a javascript: url. This is the
 // <iframe src="javascript:'html'"> case.
 void FrameLoader::replaceDocumentWhileExecutingJavaScriptURL(
     const String& source,
     Document* ownerDocument) {
   if (!m_frame->document()->loader() ||
       m_frame->document()->pageDismissalEventBeingDispatched() !=
           Document::NoDismissal)
     return;
 
-  // DocumentLoader::replaceDocumentWhileExecutingJavaScriptURL can cause the
-  // DocumentLoader to get deref'ed and possible destroyed, so protect it with a
-  // RefPtr.
   DocumentLoader* documentLoader(m_frame->document()->loader());
 
   UseCounter::count(*m_frame->document(),
                     UseCounter::ReplaceDocumentViaJavaScriptURL);
 
   // Prepare a DocumentInit before clearing the frame, because it may need to
   // inherit an aliased security context.
   DocumentInit init(ownerDocument, m_frame->document()->url(), m_frame);
   init.withNewRegistrationContext();
 
@@ skipping 236 matching lines @@
   }
 
   if (client()) {
     client()->runScriptsAtDocumentReady(
         m_documentLoader ? m_documentLoader->isCommittedButEmpty() : true);
   }
 
   checkCompleted();
 
   if (!m_frame->view())
-    return;  // We are being destroyed by something checkCompleted called.

[hiroshige, 2016/10/21 05:45:14]

If this |if| block remains, then should we leave some comments that mentions
this condition holds due to something checkCompleted called (if not destroyed
though)?

[yhirano, 2016/10/26 11:09:34]

I'm not 100% sure but it looks FrameLoaderClient::runScriptsAtDocumentReady may
invalidate the frame, too. Regardless of the reason, we shouldn't run L620 if
m_frame->view() is null.

https://cs.chromium.org/chromium/src/content/public/renderer/content_renderer...

+    return;
 
   // Check if the scrollbars are really needed for the content. If not, remove
   // them, relayout, and repaint.
   m_frame->view()->restoreScrollbar();
   processFragment(m_frame->document()->url(), NavigationToDifferentDocument);
 }
 
 static bool allDescendantsAreComplete(Frame* frame) {
   for (Frame* child = frame->tree().firstChild(); child;
        child = child->tree().traverseNext(frame)) {
@@ skipping 1289 matching lines @@
                          m_documentLoader ? m_documentLoader->url() : String());
   return tracedValue;
 }
 
 inline void FrameLoader::takeObjectSnapshot() const {
   TRACE_EVENT_OBJECT_SNAPSHOT_WITH_ID("loading", "FrameLoader", this,
                                       toTracedValue());
 }
 
 }  // namespace blink