Move Renderer-side NPObject owner tracking to JavaBridgeChannel.

content/browser/renderer_host/java/java_bound_object.cc

Index: content/browser/renderer_host/java/java_bound_object.cc
diff --git a/content/browser/renderer_host/java/java_bound_object.cc b/content/browser/renderer_host/java/java_bound_object.cc
index 4199cca77b8086243fc0611aefbb1e5f53f7f77d..fafa5bd19497dfd6fe1a6f036edcfbbca0956d24 100644
--- a/content/browser/renderer_host/java/java_bound_object.cc
+++ b/content/browser/renderer_host/java/java_bound_object.cc
@@ -213,7 +213,15 @@ bool CallJNIMethod(
         NULL_TO_NPVARIANT(*result);
         break;
       }
-      OBJECT_TO_NPVARIANT(JavaBoundObject::Create(scoped_java_object,
+      // Every NPObject must have an owner. All JavaBoundObjects are owned by
+      // the JavaBridgeDispatcherHostManager, so if it's already gone, return
+      // null instead of an object.
+      if (!manager) {
+        NULL_TO_NPVARIANT(*result);
+        break;
+      }
+      OBJECT_TO_NPVARIANT(JavaBoundObject::Create(manager->object_owner_id(),
+                                                  scoped_java_object,
                                                   safe_annotation_clazz,
                                                   manager),
                           *result);
@@ -776,14 +784,13 @@ jvalue CoerceJavaScriptValueToJavaValue(const NPVariant& variant,
 }  // namespace
 
 NPObject* JavaBoundObject::Create(
+    struct _NPP* object_owner_id,
     const JavaRef<jobject>& object,
     const JavaRef<jclass>& safe_annotation_clazz,
     const base::WeakPtr<JavaBridgeDispatcherHostManager>& manager) {
-  // The first argument (a plugin's instance handle) is passed through to the
-  // allocate function directly, and we don't use it, so it's ok to be 0.
   // The object is created with a ref count of one.
-  NPObject* np_object = WebBindings::createObject(0, const_cast<NPClass*>(
-      &JavaNPObject::kNPClass));
+  NPObject* np_object = WebBindings::createObject(object_owner_id,
+      const_cast<NPClass*>(&JavaNPObject::kNPClass));
   // The NPObject takes ownership of the JavaBoundObject.
   reinterpret_cast<JavaNPObject*>(np_object)->bound_object =
       new JavaBoundObject(object, safe_annotation_clazz, manager);