authorager@chromium.org <ager@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98>2009-06-11 11:19:38 +0000
committerager@chromium.org <ager@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98>2009-06-11 11:19:38 +0000
commit125bcccbad102e2c1e2663b3da293e925d09fb46 (patch)
tree7b65f155643797d56a4080cc7b87dc1f877161a8 /webkit/port
parent0a0a2ea9998d4504cffccdffcfbd2a7e698b7339 (diff)
Fix crash that could happen when setting up caching of the wrapper for
a document with no frame that was about to be deleted. The crash only happened occasionally, when a JavaScript garbage collection happened in the process of setting up the caching. When performing the garbage collection, the global handle to the document might get cleared and the document deleted.
BUG=13780
Review URL: http://codereview.chromium.org/122032
git-svn-id: svn://svn.chromium.org/chrome/trunk/src@18157 0039d316-1c4b-4281-b951-d872f2087c98
Diffstat (limited to 'webkit/port')
-rw-r--r--webkit/port/bindings/v8/v8_proxy.cpp13
1 files changed, 13 insertions, 0 deletions
diff --git a/webkit/port/bindings/v8/v8_proxy.cpp b/webkit/port/bindings/v8/v8_proxy.cpp
index 48f0ec4..7831b39 100644
--- a/webkit/port/bindings/v8/v8_proxy.cpp
+++ b/webkit/port/bindings/v8/v8_proxy.cpp
@@ -1795,6 +1795,19 @@ void V8Proxy::UpdateDocumentWrapperCache()
{
v8::HandleScope handle_scope;
v8::Context::Scope context_scope(GetContext());
+
+ // If the document has no frame, NodeToV8Object might get the
+ // document wrapper for a document that is about to be deleted.
+ // If the ForceSet below causes a garbage collection, the document
+ // might get deleted and the global handle for the document
+ // wrapper cleared. Using the cleared global handle will lead to
+ // crashes. In this case we clear the cache and let the DOMWindow
+ // accessor handle access to the document.
+ if (!m_frame->document()->frame()) {
+ ClearDocumentWrapperCache();
+ return;
+ }
+
v8::Handle<v8::Value> document_wrapper = NodeToV8Object(m_frame->document());
m_context->Global()->ForceSet(v8::String::New("document"),
document_wrapper,
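Review bot: The new guard `if (!m_frame->document()->frame())` dereferences the result of `m_frame->document()` unchecked, whereas the pre-existing `NodeToV8Object(m_frame->document())` only passed the pointer through; if `Frame::document()` can return null at this point (not visible in the hunk), the guard would crash earlier than the code it is meant to protect. Hoisting the pointer makes the check explicit and avoids looking the document up twice: `Document* document = m_frame->document();` followed by `if (!document || !document->frame()) {` and `NodeToV8Object(document)`. The comment explains the GC-during-ForceSet hazard well; it could also state that a document which still has a frame is assumed to stay alive across the ForceSet, since that assumption is what makes the early return sufficient. UpdateDocumentWrapperCache's body continues past the end of the hunk.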