Fix use-after-free when creating and detaching iframe during load.

Fix use-after-free when creating and detaching iframe during load.

WebLocalFrameImpl::createChildFrame needs to keep a reference to the
WebCore::LocalFrame in case LocalFrame::init() detaches the frame.

BUG=384890
TEST=fast/loader/create-frame-in-DOMContentLoaded.html
R=abarth@chromium.org

Committed: https://src.chromium.org/viewvc/blink?view=rev&revision=176232

[dcheng, 2014-06-16 08:50:35]

During the investigation of this bug, I noticed something really weird--we can
fire the top-level load event while we're inside a DOMContentLoaded event
handler. Gecko does not seem to do this, and I find the behavior surprising, so
I filed this as crbug.com/384982.

I can't trigger the UaF without depending on this Blink quirk; however, even if
this quirk is changed, I'm not willing to bet that we won't run into a similar
situation in the future with some other event handler. Because of this, I'm
reverting to the original behavior of holding a reference to WebCore::LocalFrame
instead of the WebLocalFrameImpl.

[abarth-chromium, 2014-06-16 16:46:01]

Test?

[dcheng, 2014-06-16 16:48:02]

On 2014/06/16 at 16:46:01, abarth wrote:
> Test?

You caught me in the middle of updating the patch =)
There is already an existing test checked in for this:
fast/loader/create-frame-in-DOMContentLoaded.html

There's also several others that began failing on the ASAN bots at the same time
(I'm verifying locally that the patch fixes them in an ASAN build):
editing/execCommand/window-open-insert-list-crash.html,fast/frames/iframe-onload-remove-self-no-crash.html,fast/loader/create-frame-in-DOMContentLoaded.html,fast/loader/frame-creation-removal.html

[abarth-chromium, 2014-06-16 17:50:55]

Ok.  LGTM!

[dcheng, 2014-06-16 18:39:08]

Committed patchset #3 manually as r176232 (presubmit successful).