Fix flaky crash in WebPagePopupImpl::closePopup.

Fix flaky crash in WebPagePopupImpl::closePopup.

Reentrance to WebViewImpl::closePagePopup() was possible.  closePopup() crashed
in that case because m_page was valid and m_page->mainFrame() was nullptr.

The details:
If WebViewImpl::closePagePopup() is called, and the LocalFrame in the page popup
has the last references to the page popup owner Element,
 1. WebPagePopupImpl::closePopup() calls destroyPage().
 2. destroyPage() calls Page::willBeDestroyed().
 3. willBeDestroyed() destructs the LocalFrame.
 4. The LocalFrame destructor destructs the owner Element.
 5. The owner Element destructor destructs PickerIndicatorElement.
 6. PickerIndicatorElement destructor calls WebViewImpl::closePagePopup().

This CL changes the code so that the frame doesn't have the last reference
to the owner Element.  We explicitly close the popup on
 - Owner detach (not PickerIndicatorElement detach)
 - Owner removal from the document tree.

This fixes a testcase in crbug.com/454043.  However we failed to make
a stable test.

BUG=454043
Committed: https://src.chromium.org/viewvc/blink?view=rev&revision=200645

[tkent, 2015-08-17 05:12:34]

tkent@chromium.org changed reviewers:
+ keishi@chromium.org

[tkent, 2015-08-17 05:12:35]

keishi, would you review this please?

[keishi, 2015-08-17 05:13:53]

LGTM

[tkent, 2015-08-17 05:44:11]

The CQ bit was checked by tkent@chromium.org

[commit-bot: I haz the power, 2015-08-17 05:44:18]

CQ is trying da patch. Follow status at
 https://chromium-cq-status.appspot.com/patch-status/1293953003/1
View timeline at
 https://chromium-cq-status.appspot.com/patch-timeline/1293953003/1

[commit-bot: I haz the power, 2015-08-17 06:50:59]

The CQ bit was unchecked by commit-bot@chromium.org

[commit-bot: I haz the power, 2015-08-17 06:50:59]

Try jobs failed on following builders:
  win_chromium_rel_ng on tryserver.chromium.win (JOB_FAILED,
http://build.chromium.org/p/tryserver.chromium.win/builders/win_chromium_rel_...)

[tkent, 2015-08-17 07:07:17]

Oh, Patch Set 1 didn't work.
 - ownerElement is <input>, and closePopup() can be called after disconnection
PickerIndicatorElement from <input>.
 - We can't change ownerElement to PickerIndicatorElement because
~PickerIndicatorElement can call closePopup() and we can't call ref()/deref() in
the destructor.

[tkent, 2015-08-17 10:04:10]

Keishi, please look at Patch Set 2.

[keishi, 2015-08-17 10:15:28]

LGTM

[tkent, 2015-08-17 10:15:53]

The CQ bit was checked by tkent@chromium.org

[commit-bot: I haz the power, 2015-08-17 10:16:02]

CQ is trying da patch. Follow status at
 https://chromium-cq-status.appspot.com/patch-status/1293953003/20001
View timeline at
 https://chromium-cq-status.appspot.com/patch-timeline/1293953003/20001

[commit-bot: I haz the power, 2015-08-17 14:06:01]

The CQ bit was unchecked by commit-bot@chromium.org

[commit-bot: I haz the power, 2015-08-17 14:06:02]

Try jobs failed on following builders:
  win_chromium_rel_ng on tryserver.chromium.win (JOB_FAILED,
http://build.chromium.org/p/tryserver.chromium.win/builders/win_chromium_rel_...)

[tkent, 2015-08-17 14:10:42]

The CQ bit was checked by tkent@chromium.org

[commit-bot: I haz the power, 2015-08-17 14:10:49]

CQ is trying da patch. Follow status at
 https://chromium-cq-status.appspot.com/patch-status/1293953003/20001
View timeline at
 https://chromium-cq-status.appspot.com/patch-timeline/1293953003/20001

[commit-bot: I haz the power, 2015-08-17 15:05:27]

Committed patchset #2 (id:20001) as
https://src.chromium.org/viewvc/blink?view=rev&revision=200645