Abort forwarding remote input events when layoutObject is gone.

Source/web/RemoteFrameClientImpl.cpp

Index: Source/web/RemoteFrameClientImpl.cpp
diff --git a/Source/web/RemoteFrameClientImpl.cpp b/Source/web/RemoteFrameClientImpl.cpp
index c62abde994d28073a2bed36267f2633b8c758d5d..40405eb83ea2bbc3915130668038167f44584744 100644
--- a/Source/web/RemoteFrameClientImpl.cpp
+++ b/Source/web/RemoteFrameClientImpl.cpp
@@ -123,6 +123,12 @@ unsigned RemoteFrameClientImpl::backForwardLength()
 // process. See http://crbug.com/339659.
 void RemoteFrameClientImpl::forwardInputEvent(Event* event)
 {
+    // It is possible for an event to cause the remote iframe element to be
+    // hidden, which destroys the layout object. In that case we do not
+    // forward. See https://crbug.com/520705.

[dcheng, 2015/08/18 17:44:19]

I don't think I followed the explanation in the bug. Would you be able to
explain this in more detail? VC or expanding the comment would be helpful, since
we don't have a layout test.

[kenrb, 2015/08/19 15:53:51]

Comment expanded.

+    if (!toCoreFrame(m_webFrame)->ownerLayoutObject())
+        return;
+
     // This is only called when we have out-of-process iframes, which
     // need to forward input events across processes.
     // FIXME: Add a check for out-of-process iframes enabled.