Fix renderer crashes when frame gets detached while injectng user scripts.

content/renderer/render_view_browsertest.cc

 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "base/basictypes.h"
 
 #include "base/memory/shared_memory.h"
 #include "base/strings/string_util.h"
 #include "base/strings/utf_string_conversions.h"
 #include "base/win/windows_version.h"
@@ skipping 18 matching lines @@
 #include "testing/gtest/include/gtest/gtest.h"
 #include "third_party/WebKit/public/platform/WebData.h"
 #include "third_party/WebKit/public/platform/WebHTTPBody.h"
 #include "third_party/WebKit/public/platform/WebString.h"
 #include "third_party/WebKit/public/platform/WebURLError.h"
 #include "third_party/WebKit/public/platform/WebURLResponse.h"
 #include "third_party/WebKit/public/web/WebDataSource.h"
 #include "third_party/WebKit/public/web/WebFrame.h"
 #include "third_party/WebKit/public/web/WebHistoryItem.h"
 #include "third_party/WebKit/public/web/WebRuntimeFeatures.h"
+#include "third_party/WebKit/public/web/WebScriptSource.h"
 #include "third_party/WebKit/public/web/WebView.h"
 #include "third_party/WebKit/public/web/WebWindowFeatures.h"
 #include "ui/events/keycodes/keyboard_codes.h"
 #include "ui/gfx/codec/jpeg_codec.h"
 #include "ui/gfx/range/range.h"
 
 #if defined(OS_LINUX) && !defined(USE_AURA)
 #include "ui/base/gtk/event_synthesis_gtk.h"
 #endif
 
@@ skipping 2184 matching lines @@
 
   view()->webview()->clearFocusedNode();
   const IPC::Message* msg3 = render_thread_->sink().GetFirstMessageMatching(
         ViewHostMsg_FocusedNodeChanged::ID);
   EXPECT_TRUE(msg3);
   ViewHostMsg_FocusedNodeChanged::Read(msg3, &params);
   EXPECT_FALSE(params.a);
   render_thread_->sink().ClearMessages();
 }
 
+class SynchronousFrameRemovalOnLoadTest : public RenderViewImplTest {
+ protected:
+  // Helper render view observer class that tries to remove
+  // element with id 'frame' from top frame/document DOM
+  // when non-top frame finishes loading.
+  class OnLoadFrameRemover : public RenderViewObserver {
+   public:
+    explicit OnLoadFrameRemover(RenderView* render_view) :
+        RenderViewObserver(render_view) {}
+    virtual ~OnLoadFrameRemover() {}
+
+    virtual void DidFinishDocumentLoad(blink::WebFrame* frame) OVERRIDE {
+      if (frame->top() != frame) {
+        frame->top()->executeScript(blink::WebScriptSource(
+            WebString::fromUTF8(
+                "document.getElementById('frame').remove();")));
+      }
+    }
+  };
+};
+
+// Tests if synchronously removing a frame on its load does not cause crashes.
+TEST_F(SynchronousFrameRemovalOnLoadTest, DynamicallyInsertedFrame) {
+  OnLoadFrameRemover remover(view());
+  LoadHTML("<!DOCTYPE html>"
+           "<html>"
+           "<head>"
+           "<title></title>"
+           "<script type='text/javascript' language='javascript'>"
+           "window.onload = function () {"
+           "  frame = document.createElement('iframe');"
+           "  frame.id = 'frame';"
+           "  document.body.appendChild(frame);"
+           "}"
+           "</script>"
+           "</head>"
+           "<body></body>"
+           "</html>");
+}
+
+TEST_F(SynchronousFrameRemovalOnLoadTest, StaticFrame) {
+  OnLoadFrameRemover remover(view());
+  LoadHTML("<!DOCTYPE html>"
+           "<html>"
+           "<head>"
+           "<title></title>"
+           "</head>"
+           "<body>"
+           "<iframe id='frame' src='about:blank'></iframe>"
+           "</body>"
+           "</html>");
+}
+
 }  // namespace content