Clear input event router entries for destroyed RWHVGuests

Clear input event router entries for destroyed RWHVGuests

This is a speculative fix for crashes observed under the
--isolate-extensions trial. A RenderWidgetHostViewGuest currently only
clears its RenderWidgetHostInputEventRouter entry when the BrowserPlugin
is detached. However, there are other paths for destruction that cause
detachment, which might enable it to receive input events after
DestroyGuestView() has been called, potentially leading to the
observed null pointer crashes. This should be avoided by calling
UnregisterSurfaceNamespaceId() before clearing the host_ pointer.

BUG=571092
CQ_INCLUDE_TRYBOTS=tryserver.chromium.linux:linux_site_isolation

Committed: https://crrev.com/329450ec62f0c6d67a3f842feb17a516721f04d1
Cr-Commit-Position: refs/heads/master@{#371924}

[kenrb, 2016-01-27 21:20:57]

Description was changed from

==========
Clear input event router entries for destroyed RWHVGuests

This is a speculative fix for crashes observed under the
--isolate-extensions trial. A RenderWidgetHostViewGuest currently only
clears its RenderWidgetHostInputEventRouter entry when the BrowserPlugin
is detached. However, there are other paths for destruction that cause
detachment, which might enable it to receive input events after
DestroyGuestView() has been called, potentially leading to the
observed null pointer crashes. This should be avoided by calling
UnregisterSurfaceNamespaceId() before clearing the host_ pointer.

BUG=571092
==========

to

==========
Clear input event router entries for destroyed RWHVGuests

This is a speculative fix for crashes observed under the
--isolate-extensions trial. A RenderWidgetHostViewGuest currently only
clears its RenderWidgetHostInputEventRouter entry when the BrowserPlugin
is detached. However, there are other paths for destruction that cause
detachment, which might enable it to receive input events after
DestroyGuestView() has been called, potentially leading to the
observed null pointer crashes. This should be avoided by calling
UnregisterSurfaceNamespaceId() before clearing the host_ pointer.

BUG=571092
CQ_INCLUDE_TRYBOTS=tryserver.chromium.linux:linux_site_isolation
==========

[kenrb, 2016-01-27 21:23:08]

Description was changed from

==========
Clear input event router entries for destroyed RWHVGuests

This is a speculative fix for crashes observed under the
--isolate-extensions trial. A RenderWidgetHostViewGuest currently only
clears its RenderWidgetHostInputEventRouter entry when the BrowserPlugin
is detached. However, there are other paths for destruction that cause
detachment, which might enable it to receive input events after
DestroyGuestView() has been called, potentially leading to the
observed null pointer crashes. This should be avoided by calling
UnregisterSurfaceNamespaceId() before clearing the host_ pointer.

BUG=571092
CQ_INCLUDE_TRYBOTS=tryserver.chromium.linux:linux_site_isolation
==========

to

==========
Clear input event router entries for destroyed RWHVGuests

This is a speculative fix for crashes observed under the
--isolate-extensions trial. A RenderWidgetHostViewGuest currently only
clears its RenderWidgetHostInputEventRouter entry when the BrowserPlugin
is detached. However, there are other paths for destruction that cause
detachment, which might enable it to receive input events after
DestroyGuestView() has been called, potentially leading to the
observed null pointer crashes. This should be avoided by calling
UnregisterSurfaceNamespaceId() before clearing the host_ pointer.

BUG=571092
CQ_INCLUDE_TRYBOTS=tryserver.chromium.linux:linux_site_isolation
==========

[kenrb, 2016-01-27 21:23:08]

kenrb@chromium.org changed reviewers:
+ nick@chromium.org, wjmaclean@chromium.org

[kenrb, 2016-01-27 21:25:04]

PTAL?
- James for any thoughts on the change
- Nick as a content owner

[wjmaclean, 2016-01-27 21:39:28]

https://codereview.chromium.org/1642743002/diff/1/content/browser/frame_host/...
File content/browser/frame_host/render_widget_host_view_guest.cc (right):

https://codereview.chromium.org/1642743002/diff/1/content/browser/frame_host/...
content/browser/frame_host/render_widget_host_view_guest.cc:561:
UnregisterSurfaceNamespaceId();
So this eventually calls back to  WebContentsImpl::GetInputEventRouter() which
will give one of two answers, depending on whether the Guest WebContents has
been 'detached' from the owner WebContents (GetOuterWebContents()).

Since this also gets called from BrowserPluginGuest::OnDetach() we can hope that
GetOuterWebContents() is still non-null in the crash case, ** so this is worth
trying **. But if the crashes continue to occur, we should next try to check to
see if the owner has gone away unexpectedly somehow ...

[ncarter (slow), 2016-01-27 22:24:36]

rubber stamp lgtm

[kenrb, 2016-01-27 22:29:41]

The CQ bit was checked by kenrb@chromium.org

[commit-bot: I haz the power, 2016-01-27 22:33:36]

CQ is trying da patch. Follow status at
 https://chromium-cq-status.appspot.com/patch-status/1642743002/1
View timeline at
 https://chromium-cq-status.appspot.com/patch-timeline/1642743002/1

[commit-bot: I haz the power, 2016-01-28 00:19:45]

Description was changed from

==========
Clear input event router entries for destroyed RWHVGuests

This is a speculative fix for crashes observed under the
--isolate-extensions trial. A RenderWidgetHostViewGuest currently only
clears its RenderWidgetHostInputEventRouter entry when the BrowserPlugin
is detached. However, there are other paths for destruction that cause
detachment, which might enable it to receive input events after
DestroyGuestView() has been called, potentially leading to the
observed null pointer crashes. This should be avoided by calling
UnregisterSurfaceNamespaceId() before clearing the host_ pointer.

BUG=571092
CQ_INCLUDE_TRYBOTS=tryserver.chromium.linux:linux_site_isolation
==========

to

==========
Clear input event router entries for destroyed RWHVGuests

This is a speculative fix for crashes observed under the
--isolate-extensions trial. A RenderWidgetHostViewGuest currently only
clears its RenderWidgetHostInputEventRouter entry when the BrowserPlugin
is detached. However, there are other paths for destruction that cause
detachment, which might enable it to receive input events after
DestroyGuestView() has been called, potentially leading to the
observed null pointer crashes. This should be avoided by calling
UnregisterSurfaceNamespaceId() before clearing the host_ pointer.

BUG=571092
CQ_INCLUDE_TRYBOTS=tryserver.chromium.linux:linux_site_isolation
==========

[commit-bot: I haz the power, 2016-01-28 00:19:46]

Committed patchset #1 (id:1)

[commit-bot: I haz the power, 2016-01-28 00:21:10]

Description was changed from

==========
Clear input event router entries for destroyed RWHVGuests

This is a speculative fix for crashes observed under the
--isolate-extensions trial. A RenderWidgetHostViewGuest currently only
clears its RenderWidgetHostInputEventRouter entry when the BrowserPlugin
is detached. However, there are other paths for destruction that cause
detachment, which might enable it to receive input events after
DestroyGuestView() has been called, potentially leading to the
observed null pointer crashes. This should be avoided by calling
UnregisterSurfaceNamespaceId() before clearing the host_ pointer.

BUG=571092
CQ_INCLUDE_TRYBOTS=tryserver.chromium.linux:linux_site_isolation
==========

to

==========
Clear input event router entries for destroyed RWHVGuests

This is a speculative fix for crashes observed under the
--isolate-extensions trial. A RenderWidgetHostViewGuest currently only
clears its RenderWidgetHostInputEventRouter entry when the BrowserPlugin
is detached. However, there are other paths for destruction that cause
detachment, which might enable it to receive input events after
DestroyGuestView() has been called, potentially leading to the
observed null pointer crashes. This should be avoided by calling
UnregisterSurfaceNamespaceId() before clearing the host_ pointer.

BUG=571092
CQ_INCLUDE_TRYBOTS=tryserver.chromium.linux:linux_site_isolation

Committed: https://crrev.com/329450ec62f0c6d67a3f842feb17a516721f04d1
Cr-Commit-Position: refs/heads/master@{#371924}
==========

[commit-bot: I haz the power, 2016-01-28 00:21:10]

Patchset 1 (id:??) landed as
https://crrev.com/329450ec62f0c6d67a3f842feb17a516721f04d1
Cr-Commit-Position: refs/heads/master@{#371924}