Fix use-after-free when creating and detaching iframe during load.

Source/web/WebLocalFrameImpl.cpp

 /*
  * Copyright (C) 2009 Google Inc. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions are
  * met:
  *
  *     * Redistributions of source code must retain the above copyright
  * notice, this list of conditions and the following disclaimer.
  *     * Redistributions in binary form must reproduce the above
@@ skipping 1652 matching lines @@
     setWebCoreFrame(LocalFrame::create(&m_frameLoaderClientImpl, &page->frameHost(), 0));
 
     // We must call init() after m_frame is assigned because it is referenced
     // during init().
     m_frame->init();
 }
 
 PassRefPtr<LocalFrame> WebLocalFrameImpl::createChildFrame(const FrameLoadRequest& request, HTMLFrameOwnerElement* ownerElement)
 {
     ASSERT(m_client);
-    // Protect a reference to the new child frame, in case it gets detached.
-    RefPtr<WebLocalFrameImpl> child = toWebLocalFrameImpl(m_client->createChildFrame(this, request.frameName()));
-    if (!child)
+    WebLocalFrameImpl* webframeChild = toWebLocalFrameImpl(m_client->createChildFrame(this, request.frameName()));
+    if (!webframeChild)
         return nullptr;
 
     // FIXME: Using subResourceAttributeName as fallback is not a perfect
     // solution. subResourceAttributeName returns just one attribute name. The
     // element might not have the attribute, and there might be other attributes
     // which can identify the element.
-    child->initializeAsChildFrame(frame()->host(), ownerElement, request.frameName(), ownerElement->getAttribute(ownerElement->subResourceAttributeName()));
+    RefPtr<LocalFrame> child = webframeChild->initializeAsChildFrame(frame()->host(), ownerElement, request.frameName(), ownerElement->getAttribute(ownerElement->subResourceAttributeName()));
     // Initializing the WebCore frame may cause the new child to be detached, since it may dispatch a load event in the parent.
-    if (!child->frame())
+    if (!child->tree().parent())
         return nullptr;
 
     // If we're moving in the back/forward list, we might want to replace the content
     // of this child frame with whatever was there at that point.
     RefPtr<HistoryItem> childItem;
     if (isBackForwardLoadType(frame()->loader().loadType()) && !frame()->document()->loadEventFinished())
-        childItem = PassRefPtr<HistoryItem>(child->client()->historyItemForNewChildFrame(child.get()));
+        childItem = PassRefPtr<HistoryItem>(webframeChild->client()->historyItemForNewChildFrame(webframeChild));
 
     if (childItem)
-        child->frame()->loader().loadHistoryItem(childItem.get());
+        child->loader().loadHistoryItem(childItem.get());
     else
-        child->frame()->loader().load(FrameLoadRequest(0, request.resourceRequest(), "_self"));
+        child->loader().load(FrameLoadRequest(0, request.resourceRequest(), "_self"));
 
     // Note a synchronous navigation (about:blank) would have already processed
-    // onload, so it is possible for the child frame to have already been destroyed by
-    // script in the page.
-    return child->frame();
+    // onload, so it is possible for the child frame to have already been
+    // detached by script in the page.
+    if (!child->tree().parent())
+        return nullptr;
+    return child;
 }
 
 void WebLocalFrameImpl::didChangeContentsSize(const IntSize& size)
 {
     // This is only possible on the main frame.
     if (m_textFinder && m_textFinder->totalMatchCount() > 0) {
         ASSERT(!parent());
         m_textFinder->increaseMarkerVersion();
     }
 }
@@ skipping 225 matching lines @@
 }
 
 void WebLocalFrameImpl::invalidateAll() const
 {
     ASSERT(frame() && frame()->view());
     FrameView* view = frame()->view();
     view->invalidateRect(view->frameRect());
     invalidateScrollbar();
 }
 
-void WebLocalFrameImpl::initializeAsChildFrame(FrameHost* host, FrameOwner* owner, const AtomicString& name, const AtomicString& fallbackName)
+PassRefPtr<LocalFrame> WebLocalFrameImpl::initializeAsChildFrame(FrameHost* host, FrameOwner* owner, const AtomicString& name, const AtomicString& fallbackName)
 {
-    setWebCoreFrame(LocalFrame::create(&m_frameLoaderClientImpl, host, owner));
-    frame()->tree().setName(name, fallbackName);
-    // May dispatch JS events; frame() may be null after this.
-    frame()->init();
+    RefPtr<LocalFrame> frame = LocalFrame::create(&m_frameLoaderClientImpl, host, owner);
+    setWebCoreFrame(frame);
+    frame->tree().setName(name, fallbackName);
+    // May dispatch JS events; frame may be detached after this.
+    frame->init();
+    return frame;
 }
 
 } // namespace blink