NavigatorServiceWorker: Avoid instantiating if being navigated away.

This CL fixes a clusterfuzz crash which fails to minimize. Bug: 872320 Change-Id: Ied4ba2d6143573a4b66fc85fc4fc0fd3b2fbc0ec Reviewed-on: https://chromium-review.googlesource.com/1170160 Reviewed-by: Hiroki Nakagawa <nhiroki@chromium.org> Reviewed-by: Matt Falkenhagen <falken@chromium.org> Reviewed-by: Kinuko Yasuda <kinuko@chromium.org> Commit-Queue: Kouhei Ueno <kouhei@chromium.org> Cr-Commit-Position: refs/heads/master@{#582126}
nwjs · Aug 10, 2018 · d995adf · d995adf
1 parent f5d6027
commit d995adf
Showing 1 changed file with 17 additions and 2 deletions.
diff --git a/third_party/blink/renderer/modules/service_worker/navigator_service_worker.cc b/third_party/blink/renderer/modules/service_worker/navigator_service_worker.cc
@@ -18,9 +18,24 @@ namespace blink {
 NavigatorServiceWorker::NavigatorServiceWorker(Navigator& navigator) {}
 
 NavigatorServiceWorker* NavigatorServiceWorker::From(Document& document) {
-  if (!document.GetFrame() || !document.GetFrame()->DomWindow())
+  LocalFrame* frame = document.GetFrame();
+  if (!frame)
     return nullptr;
-  Navigator& navigator = *document.GetFrame()->DomWindow()->navigator();
+
+  // Bail-out if we are about to be navigated away.
+  // We check that DocumentLoader is attached since:
+  // - This serves as the signal since the DocumentLoader is detached in
+  //   FrameLoader::PrepareForCommit().
+  // - Creating ServiceWorkerProvider in
+  //   RenderFrameImpl::CreateServiceWorkerProvider() assumes that there is a
+  //   DocumentLoader attached to the frame.
+  if (!frame->Loader().GetDocumentLoader())
+    return nullptr;
+
+  LocalDOMWindow* dom_window = frame->DomWindow();
+  if (!dom_window)
+    return nullptr;
+  Navigator& navigator = *dom_window->navigator();
   return &From(navigator);
 }