Avoid using stale UserScript pointers

extensions/renderer/user_script_injector.cc

Index: extensions/renderer/user_script_injector.cc
diff --git a/extensions/renderer/user_script_injector.cc b/extensions/renderer/user_script_injector.cc
index 71b41eb2e1d95b47c4b4b5538455d121a0363fc6..1910548ba24b340d720cd7eb4ea16d8af38e6416 100644
--- a/extensions/renderer/user_script_injector.cc
+++ b/extensions/renderer/user_script_injector.cc
@@ -104,8 +104,10 @@ void UserScriptInjector::OnUserScriptsUpdated(
     const std::vector<UserScript*>& scripts) {
   // If the host causing this injection changed, then this injection
   // will be removed, and there's no guarantee the backing script still exists.
-  if (changed_hosts.count(host_id_) > 0)
+  if (changed_hosts.count(host_id_) > 0) {
+    script_ = nullptr;

[Devlin, 2016/07/06 15:22:22]

We should call ScriptInjection::OnHostRemoved() when the extension is unloaded. 
If this only happens because of synchronous JS, would a simpler/cleaner solution
be to check injection_host_ in ScriptInjection() after we inject JS, rather than
adding a bunch of null checks here?

(optionally, you could also do also do this and then (D)CHECK script_ in most
places.)

[robwu, 2016/07/06 16:12:06]

I considered it, but because the bug is only related to user scripts, I decided
to put the checks in this class, without putting the burden of being aware of
this subtlety on the user of the class.

[Devlin, 2016/07/06 16:17:58]

I think I'd prefer checking the host in ScriptInjection for two reasons:
- We should be able to pinpoint when the host can be removed when synchronously
injecting (due to blocking) - specifically right after JS injection happens - so
there should only be a single check necessary.  In this file, it's not
immediately clear when script_ may or may not be null, and I can easily imagine
that someone will forget the null check at some point.
- This can actually affect programmatic scripts (e.g. tabs.executeScript) as
well.  While I don't think anything would necessarily break, I don't think we
should be injecting or handling scripts for removed extensions in general.

[robwu, 2016/07/06 16:26:57]

That's a good one. I will submit a separate CL since the current patch already
landed, and not injecting scripts after removal is a behavioral change (opposed
to the current patch, which fixes the bug without other side effects).

[Devlin, 2016/07/06 16:40:56]

Sounds good, thanks!

     return;
+  }
 
   for (std::vector<UserScript*>::const_iterator iter = scripts.begin();
        iter != scripts.end();
@@ -137,13 +139,13 @@ bool UserScriptInjector::ExpectsResults() const {
 
 bool UserScriptInjector::ShouldInjectJs(
     UserScript::RunLocation run_location) const {
-  return script_->run_location() == run_location &&
+  return script_ && script_->run_location() == run_location &&
          !script_->js_scripts().empty();
 }
 
 bool UserScriptInjector::ShouldInjectCss(
     UserScript::RunLocation run_location) const {
-  return run_location == UserScript::DOCUMENT_START &&
+  return script_ && run_location == UserScript::DOCUMENT_START &&
          !script_->css_scripts().empty();
 }
 
@@ -151,6 +153,11 @@ PermissionsData::AccessType UserScriptInjector::CanExecuteOnFrame(
     const InjectionHost* injection_host,
     blink::WebLocalFrame* web_frame,
     int tab_id) const {
+  // There is no harm in allowing the injection when the script is gone,
+  // because there is nothing to inject.
+  if (!script_)
+    return PermissionsData::ACCESS_ALLOWED;
+
   if (script_->consumer_instance_type() ==
           UserScript::ConsumerInstanceType::WEBVIEW) {
     int routing_id = content::RenderView::FromWebView(web_frame->top()->view())
@@ -191,9 +198,12 @@ PermissionsData::AccessType UserScriptInjector::CanExecuteOnFrame(
 
 std::vector<blink::WebScriptSource> UserScriptInjector::GetJsSources(
     UserScript::RunLocation run_location) const {
+  std::vector<blink::WebScriptSource> sources;
+  if (!script_)
+    return sources;
+
   DCHECK_EQ(script_->run_location(), run_location);
 
-  std::vector<blink::WebScriptSource> sources;
   const UserScript::FileList& js_scripts = script_->js_scripts();
 
   for (UserScript::FileList::const_iterator iter = js_scripts.begin();
@@ -224,6 +234,9 @@ std::vector<std::string> UserScriptInjector::GetCssSources(
   DCHECK_EQ(UserScript::DOCUMENT_START, run_location);
 
   std::vector<std::string> sources;
+  if (!script_)
+    return sources;
+
   const UserScript::FileList& css_scripts = script_->css_scripts();
   for (UserScript::FileList::const_iterator iter = css_scripts.begin();
        iter != css_scripts.end();
@@ -236,6 +249,9 @@ std::vector<std::string> UserScriptInjector::GetCssSources(
 void UserScriptInjector::GetRunInfo(
     ScriptsRunInfo* scripts_run_info,
     UserScript::RunLocation run_location) const {
+  if (!script_)
+    return;
+
   if (ShouldInjectJs(run_location)) {
     const UserScript::FileList& js_scripts = script_->js_scripts();
     scripts_run_info->num_js += js_scripts.size();