summaryrefslogtreecommitdiffstats
path: root/Source/WebCore/bindings/ScriptControllerBase.cpp
diff options
context:
space:
mode:
Diffstat (limited to 'Source/WebCore/bindings/ScriptControllerBase.cpp')
-rw-r--r--Source/WebCore/bindings/ScriptControllerBase.cpp12
1 files changed, 9 insertions, 3 deletions
diff --git a/Source/WebCore/bindings/ScriptControllerBase.cpp b/Source/WebCore/bindings/ScriptControllerBase.cpp
index 5e87dbf..b7da74d 100644
--- a/Source/WebCore/bindings/ScriptControllerBase.cpp
+++ b/Source/WebCore/bindings/ScriptControllerBase.cpp
@@ -107,9 +107,15 @@ bool ScriptController::executeIfJavaScriptURL(const KURL& url, ShouldReplaceDocu
// FIXME: We should always replace the document, but doing so
// synchronously can cause crashes:
// http://bugs.webkit.org/show_bug.cgi?id=16782
- if (shouldReplaceDocumentIfJavaScriptURL == ReplaceDocumentIfJavaScriptURL)
- m_frame->document()->loader()->writer()->replaceDocument(scriptResult);
-
+ if (shouldReplaceDocumentIfJavaScriptURL == ReplaceDocumentIfJavaScriptURL) {
+ // We're still in a frame, so there should be a DocumentLoader.
+ ASSERT(m_frame->document()->loader());
+
+ // DocumentWriter::replaceDocument can cause the DocumentLoader to get deref'ed and possible destroyed,
+ // so protect it with a RefPtr.
+ if (RefPtr<DocumentLoader> loader = m_frame->document()->loader())
+ loader->writer()->replaceDocument(scriptResult);
+ }
return true;
}
generated by cgit v1.1 at 2025-05-13 13:50:15 +0000