Fix the crash that could occur when the window is closed while web contents drag is in progress.

content/browser/web_contents/web_contents_drag_win.cc

 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "content/browser/web_contents/web_contents_drag_win.h"
 
 #include <windows.h>
 
 #include <string>
 
@@ skipping 53 matching lines @@
       // more.
       if (msg->message == WM_LBUTTONUP || !(GetKeyState(VK_LBUTTON) & 0x8000))
         mouse_up_received = true;
 
       return TRUE;
     }
   }
   return CallNextHookEx(msg_hook, code, wparam, lparam);
 }
 
+void EnableBackgroundDraggingSupport(DWORD thread_id) {
+  // Install a hook procedure to monitor the messages so that we can forward
+  // the appropriate ones to the background thread.
+  drag_out_thread_id = thread_id;
+  mouse_up_received = false;
+  DCHECK(!msg_hook);
+  msg_hook = SetWindowsHookEx(WH_MSGFILTER,
+                              MsgFilterProc,
+                              NULL,
+                              GetCurrentThreadId());
+
+  // Attach the input state of the background thread to the UI thread so that
+  // SetCursor can work from the background thread.
+  AttachThreadInput(drag_out_thread_id, GetCurrentThreadId(), TRUE);
+}
+
+void DisableBackgroundDraggingSupport() {
+  DCHECK(msg_hook);
+  AttachThreadInput(drag_out_thread_id, GetCurrentThreadId(), FALSE);
+  UnhookWindowsHookEx(msg_hook);
+  msg_hook = NULL;
+}
+
+bool IsBackgroundDraggingSupportEnabled() {
+  return msg_hook != NULL;
+}
+
 }  // namespace
 
 class DragDropThread : public base::Thread {
  public:
   explicit DragDropThread(WebContentsDragWin* drag_handler)
        : base::Thread("Chrome_DragDropThread"),
          drag_handler_(drag_handler) {
   }
 
   virtual ~DragDropThread() {
@@ skipping 43 matching lines @@
                                        const gfx::Point& image_offset) {
   DCHECK(BrowserThread::CurrentlyOn(BrowserThread::UI));
 
   drag_source_ = new WebDragSource(source_window_, web_contents_);
 
   const GURL& page_url = web_contents_->GetURL();
   const std::string& page_encoding = web_contents_->GetEncoding();
 
   // If it is not drag-out, do the drag-and-drop in the current UI thread.
   if (drop_data.download_metadata.empty()) {
-    DoDragging(drop_data, ops, page_url, page_encoding, image, image_offset);
-    EndDragging();
+    if (DoDragging(drop_data, ops, page_url, page_encoding,
+                   image, image_offset))
+      EndDragging();
     return;
   }
 
   // Start a background thread to do the drag-and-drop.
   DCHECK(!drag_drop_thread_.get());
   drag_drop_thread_.reset(new DragDropThread(this));
   base::Thread::Options options;
   options.message_loop_type = MessageLoop::TYPE_UI;
   if (drag_drop_thread_->StartWithOptions(options)) {
     gfx::Display display =
         gfx::Screen::GetDisplayNearestWindow(web_contents_->GetNativeView());
     ui::ScaleFactor scale_factor = ui::GetScaleFactorFromScale(
         display.device_scale_factor());
     drag_drop_thread_->message_loop()->PostTask(
         FROM_HERE,
         base::Bind(&WebContentsDragWin::StartBackgroundDragging, this,
                    drop_data, ops, page_url, page_encoding,
                    image.GetRepresentation(scale_factor).sk_bitmap(),
                    image_offset));
   }
 
-  // Install a hook procedure to monitor the messages so that we can forward
-  // the appropriate ones to the background thread.
-  drag_out_thread_id = drag_drop_thread_->thread_id();
-  mouse_up_received = false;
-  DCHECK(!msg_hook);
-  msg_hook = SetWindowsHookEx(WH_MSGFILTER,
-                              MsgFilterProc,
-                              NULL,
-                              GetCurrentThreadId());
-
-  // Attach the input state of the background thread to the UI thread so that
-  // SetCursor can work from the background thread.
-  AttachThreadInput(drag_out_thread_id, GetCurrentThreadId(), TRUE);
+  EnableBackgroundDraggingSupport(drag_drop_thread_->thread_id());
 }
 
 void WebContentsDragWin::StartBackgroundDragging(
     const WebDropData& drop_data,
     WebDragOperationsMask ops,
     const GURL& page_url,
     const std::string& page_encoding,
     const SkBitmap& image,
     const gfx::Point& image_offset) {
   drag_drop_thread_id_ = base::PlatformThread::CurrentId();
 
-  DoDragging(drop_data, ops, page_url, page_encoding, image, image_offset);
-  BrowserThread::PostTask(
-      BrowserThread::UI,
-      FROM_HERE,
-      base::Bind(&WebContentsDragWin::EndDragging, this));
+  if (DoDragging(drop_data, ops, page_url, page_encoding,
+                 image, image_offset)) {
+    BrowserThread::PostTask(
+        BrowserThread::UI,
+        FROM_HERE,
+        base::Bind(&WebContentsDragWin::EndDragging, this));
+  } else {
+    // When DoDragging returns false, the contents view window is gone and thus
+    // WebContentsViewWin instance becomes invalid though WebContentsDragWin
+    // instance is still alive bacuse the task holds a reference count to it.

[tony, 2012/09/21 21:11:11]

Nit: bacuse -> because

+    // We should not do more than the following cleanup items:
+    // 1) Remove the background dragging support. This is safe since it does not
+    //    access the instance at all.
+    // 2) Stop the background thread. This is done in OnDataObjectDisposed.
+    //    Only drag_drop_thread_ member is accessed.
+    BrowserThread::PostTask(
+        BrowserThread::UI,
+        FROM_HERE,
+        base::Bind(&DisableBackgroundDraggingSupport));
+  }
 }
 
 void WebContentsDragWin::PrepareDragForDownload(
     const WebDropData& drop_data,
     ui::OSExchangeData* data,
     const GURL& page_url,
     const std::string& page_encoding) {
   // Parse the download metadata.
   string16 mime_type;
   FilePath file_name;
@@ skipping 58 matching lines @@
 void WebContentsDragWin::PrepareDragForUrl(const WebDropData& drop_data,
                                            ui::OSExchangeData* data) {
   if (drag_dest_->delegate() &&
       drag_dest_->delegate()->AddDragData(drop_data, data)) {
     return;
   }
 
   data->SetURL(drop_data.url, drop_data.url_title);
 }
 
-void WebContentsDragWin::DoDragging(const WebDropData& drop_data,
+bool WebContentsDragWin::DoDragging(const WebDropData& drop_data,
                                     WebDragOperationsMask ops,
                                     const GURL& page_url,
                                     const std::string& page_encoding,
                                     const gfx::ImageSkia& image,
                                     const gfx::Point& image_offset) {
   ui::OSExchangeData data;
 
   if (!drop_data.download_metadata.empty()) {
     PrepareDragForDownload(drop_data, &data, page_url, page_encoding);
 
@@ skipping 20 matching lines @@
     data.SetPickledData(ui::ClipboardUtil::GetWebCustomDataFormat()->cfFormat,
                         pickle);
   }
 
   // Set drag image.
   if (!image.isNull()) {
     drag_utils::SetDragImageOnDataObject(image,
         gfx::Size(image.width(), image.height()), image_offset, &data);
   }
 
+  // Use a local variable to keep track of the contents view window handle.
+  // It might not be safe to access the instance after DoDragDrop returns
+  // because the window could be disposed in the nested message loop.
+  HWND native_window = web_contents_->GetNativeView();
+
   // We need to enable recursive tasks on the message loop so we can get
   // updates while in the system DoDragDrop loop.
   DWORD effect;
   {
+    // Keep a reference count such that |drag_source_| will not get deleted
+    // if the contents view window is gone in the nested message loop invoked
+    // from DoDragDrop.
+    scoped_refptr<WebDragSource> retain_this(drag_source_);
+
     MessageLoop::ScopedNestableTaskAllower allow(MessageLoop::current());
     DoDragDrop(ui::OSExchangeDataProviderWin::GetIDataObject(data),
                drag_source_,
                web_drag_utils_win::WebDragOpMaskToWinDragOpMask(ops),
                &effect);
   }
 
+  // Bail out immediately if the contents view window is gone.
+  if (!IsWindow(native_window))
+    return false;
+
   // Normally, the drop and dragend events get dispatched in the system
   // DoDragDrop message loop so it'd be too late to set the effect to send back
   // to the renderer here. However, we use PostTask to delay the execution of
   // WebDragSource::OnDragSourceDrop, which means that the delayed dragend
   // callback to the renderer doesn't run until this has been set to the correct
   // value.
   drag_source_->set_effect(effect);
+
+  return true;
 }
 
 void WebContentsDragWin::EndDragging() {
   DCHECK(BrowserThread::CurrentlyOn(BrowserThread::UI));
 
   if (drag_ended_)
     return;
   drag_ended_ = true;
 
-  if (msg_hook) {
-    AttachThreadInput(drag_out_thread_id, GetCurrentThreadId(), FALSE);
-    UnhookWindowsHookEx(msg_hook);
-    msg_hook = NULL;
-  }
+  if (IsBackgroundDraggingSupportEnabled())
+    DisableBackgroundDraggingSupport();
 
   drag_end_callback_.Run();
 }
 
 void WebContentsDragWin::CancelDrag() {
   DCHECK(BrowserThread::CurrentlyOn(BrowserThread::UI));
 
   drag_source_->CancelDrag();
 }
 
@@ skipping 18 matching lines @@
 void WebContentsDragWin::OnDataObjectDisposed() {
   DCHECK(drag_drop_thread_id_ == base::PlatformThread::CurrentId());
 
   // The drag-and-drop thread is only closed after OLE is done with
   // DataObjectImpl.
   BrowserThread::PostTask(
       BrowserThread::UI,
       FROM_HERE,
       base::Bind(&WebContentsDragWin::CloseThread, this));
 }