Abort forwarding remote input events when layoutObject is gone.

Source/web/RemoteFrameClientImpl.cpp

Index: Source/web/RemoteFrameClientImpl.cpp
diff --git a/Source/web/RemoteFrameClientImpl.cpp b/Source/web/RemoteFrameClientImpl.cpp
index c62abde994d28073a2bed36267f2633b8c758d5d..481bd9d90184cdce987fd64ed20e27062df138d7 100644
--- a/Source/web/RemoteFrameClientImpl.cpp
+++ b/Source/web/RemoteFrameClientImpl.cpp
@@ -123,6 +123,18 @@ unsigned RemoteFrameClientImpl::backForwardLength()
 // process. See http://crbug.com/339659.
 void RemoteFrameClientImpl::forwardInputEvent(Event* event)
 {
+    // It is possible for an event to cause the remote iframe element to be

[dcheng, 2015/08/19 16:28:10]

an event => a platform event

[kenrb, 2015/08/19 20:34:11]

Done.

+    // hidden, which destroys the layout object (for instance, a MouseOver

[dcheng, 2015/08/19 16:28:10]

for instance, a mouse event that moves between elements will trigger a mouseout
on the old element, which might hide the new element

[kenrb, 2015/08/19 20:34:11]

Done.

+    // event on the iframe can trigger a MouseOut handler on another element
+    // that hides the iframe). In that case we do not forward.
+    // This is divergent behavior from local frames, where the content of the
+    // frame can receive events even after the frame is hidden. We might
+    // need to revisit this after browser hit testing is fully implemented,
+    // since this code path will need to be removed or refactored anyway.
+    // See https://crbug.com/520705.
+    if (!toCoreFrame(m_webFrame)->ownerLayoutObject())
+        return;
+
     // This is only called when we have out-of-process iframes, which
     // need to forward input events across processes.
     // FIXME: Add a check for out-of-process iframes enabled.