Destroy (Password)AutofillAgent safely

Destroy (Password)AutofillAgent safely

AutofillAgent and related code often edits field values. Those edits may trigger JavaScript capable of deleting the associated frame. Currently, AutofillAgent and related classes are RenderFrameObservers and delete themselves on the frame deletion. This results in use-after-free if the deletion happens up in the stack and there is still the method which changed the field value down on the stack.

Therefore this CL postpones deletion by sending a DeleteSoon task on the frame destruction. The CL also changes a couple of places relying on render frame being alive if the observer is alive to handle a null frame gratefully.

R=dvadym@chromium.org
BUG=609010, 609007, 608100, 608101
Review-Url: https://codereview.chromium.org/1946143002
Cr-Commit-Position: refs/heads/master@{#391524}
(cherry picked from commit d62bc3e6e2c3be6bbb01fa325e3389f089974017)

Committed: https://chromium.googlesource.com/chromium/src/+/7e112c1563632f57cfa1c4fa964987f823da17fa

[vabr (Chromium), 2016-05-09 07:20:56]

Description was changed from

==========
Destroy (Password)AutofillAgent safely

AutofillAgent and related code often edits field values. Those edits may trigger
JavaScript capable of deleting the associated frame. Currently, AutofillAgent
and related classes are RenderFrameObservers and delete themselves on the frame
deletion. This results in use-after-free if the deletion happens up in the stack
and there is still the method which changed the field value down on the stack.

Therefore this CL postpones deletion by sending a DeleteSoon task on the frame
destruction. The CL also changes a couple of places relying on render frame
being alive if the observer is alive to handle a null frame gratefully.

R=dvadym@chromium.org
BUG=609010,609007,608100,608101

Review-Url: https://codereview.chromium.org/1946143002
Cr-Commit-Position: refs/heads/master@{#391524}
(cherry picked from commit d62bc3e6e2c3be6bbb01fa325e3389f089974017)
==========

to

==========
Destroy (Password)AutofillAgent safely

AutofillAgent and related code often edits field values. Those edits may trigger
JavaScript capable of deleting the associated frame. Currently, AutofillAgent
and related classes are RenderFrameObservers and delete themselves on the frame
deletion. This results in use-after-free if the deletion happens up in the stack
and there is still the method which changed the field value down on the stack.

Therefore this CL postpones deletion by sending a DeleteSoon task on the frame
destruction. The CL also changes a couple of places relying on render frame
being alive if the observer is alive to handle a null frame gratefully.

R=dvadym@chromium.org
BUG=609010,609007,608100,608101

Review-Url: https://codereview.chromium.org/1946143002
Cr-Commit-Position: refs/heads/master@{#391524}
(cherry picked from commit d62bc3e6e2c3be6bbb01fa325e3389f089974017)

Committed:
https://chromium.googlesource.com/chromium/src/+/7e112c1563632f57cfa1c4fa9649...
==========

[vabr (Chromium), 2016-05-09 07:20:58]

Committed patchset #1 (id:1) manually as
7e112c1563632f57cfa1c4fa964987f823da17fa.