Plugins: Fix crash in PepperPluginInstanceImpl when render frame gone

content/renderer/pepper/pepper_plugin_instance_impl.cc

 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "content/renderer/pepper/pepper_plugin_instance_impl.h"
 
 #include <utility>
 
 #include "base/bind.h"
 #include "base/bit_cast.h"
@@ skipping 1102 matching lines @@
   caret.Offset(view_data_.rect.point.x, view_data_.rect.point.y);
   ConvertDIPToViewport(&caret);
   return caret;
 }
 
 bool PepperPluginInstanceImpl::HandleInputEvent(
     const blink::WebInputEvent& event,
     WebCursorInfo* cursor_info) {
   TRACE_EVENT0("ppapi", "PepperPluginInstanceImpl::HandleInputEvent");
 
+  if (!render_frame_)
+    return false;
+
   if (!has_been_clicked_ && is_flash_plugin_ &&
       event.GetType() == blink::WebInputEvent::kMouseDown &&
       (event.GetModifiers() & blink::WebInputEvent::kLeftButtonDown)) {
     has_been_clicked_ = true;
     blink::WebRect bounds = container()->GetElement().BoundsInViewport();
     render_frame()->GetRenderWidget()->ConvertViewportToWindow(&bounds);
     RecordFlashClickSizeMetric(bounds.width, bounds.height);
   }
 
   if (throttler_ && throttler_->ConsumeInputEvent(event))
     return true;
 
-  if (!render_frame_)
-    return false;
   if (WebInputEvent::IsMouseEventType(event.GetType())) {
     render_frame_->PepperDidReceiveMouseEvent(this);
   }
 
   // Don't dispatch input events to crashed plugins.
   if (module()->is_crashed())
     return false;
 
   // Don't send reserved system key events to plugins.
   if (IsReservedSystemInputEvent(event))
@@ skipping 108 matching lines @@
   // instance object.
   if (LoadPrivateInterface())
     return plugin_private_interface_->GetInstanceObject(pp_instance());
   return PP_MakeUndefined();
 }
 
 void PepperPluginInstanceImpl::ViewChanged(
     const gfx::Rect& window,
     const gfx::Rect& clip,
     const gfx::Rect& unobscured) {
+  if (!render_frame_)
+    return;
+
   // WebKit can give weird (x,y) positions for empty clip rects (since the
   // position technically doesn't matter). But we want to make these
   // consistent since this is given to the plugin, so force everything to 0
   // in the "everything is clipped" case.
   gfx::Rect new_clip;
   if (!clip.IsEmpty())
     new_clip = clip;
 
   unobscured_rect_ = unobscured;
 
@@ skipping 98 matching lines @@
   if (bound_graphics_2d_platform_)
     bound_graphics_2d_platform_->ViewInitiatedPaint();
   else if (bound_graphics_3d_.get())
     bound_graphics_3d_->ViewInitiatedPaint();
   else if (bound_compositor_)
     bound_compositor_->ViewInitiatedPaint();
 }
 
 void PepperPluginInstanceImpl::SetSelectedText(
     const base::string16& selected_text) {
+  if (!render_frame_)
+    return;
+
   selected_text_ = selected_text;
   gfx::Range range(0, selected_text.length());
   render_frame_->SetSelectedText(selected_text, 0, range);
 }
 
 void PepperPluginInstanceImpl::SetLinkUnderCursor(const std::string& url) {
   link_under_cursor_ = base::UTF8ToUTF16(url);
 }
 
 void PepperPluginInstanceImpl::SetTextInputType(ui::TextInputType type) {
+  if (!render_frame_)
+    return;
+
   text_input_type_ = type;
   render_frame_->PepperTextInputTypeChanged(this);
 }
 
 void PepperPluginInstanceImpl::PostMessageToJavaScript(PP_Var message) {
   if (message_channel_)
     message_channel_->PostMessageToJavaScript(message);
 }
 
 int32_t PepperPluginInstanceImpl::RegisterMessageHandler(
@@ skipping 275 matching lines @@
   // The bound callback that owns the weak pointer is still valid until after
   // this function returns. SendDidChangeView checks HasWeakPtrs, so we need to
   // invalidate them here.
   // NOTE: If we ever want to have more than one pending callback, it should
   // use a different factory, or we should have a different strategy here.
   view_change_weak_ptr_factory_.InvalidateWeakPtrs();
   SendDidChangeView();
 }
 
 void PepperPluginInstanceImpl::SendDidChangeView() {
+  if (!render_frame_)
+    return;
+
   // An asynchronous view update is scheduled. Skip sending this update.
   if (view_change_weak_ptr_factory_.HasWeakPtrs())
     return;
 
   // Don't send DidChangeView to crashed plugins.
   if (module()->is_crashed())
     return;
 
   if (bound_compositor_)
     bound_compositor_->set_viewport_to_dip_scale(viewport_to_dip_scale_);
@@ skipping 450 matching lines @@
 bool PepperPluginInstanceImpl::PrepareTextureMailbox(
     cc::TextureMailbox* mailbox,
     std::unique_ptr<cc::SingleReleaseCallback>* release_callback) {
   if (!bound_graphics_2d_platform_)
     return false;
   return bound_graphics_2d_platform_->PrepareTextureMailbox(mailbox,
                                                             release_callback);
 }
 
 void PepperPluginInstanceImpl::AccessibilityModeChanged() {
-  if (render_frame_->render_accessibility() && LoadPdfInterface())
+  if (render_frame_ && render_frame_->render_accessibility() &&
+      LoadPdfInterface()) {
     plugin_pdf_interface_->EnableAccessibility(pp_instance());
+  }
 }
 
 void PepperPluginInstanceImpl::OnDestruct() {
   render_frame_ = nullptr;
 }
 
 void PepperPluginInstanceImpl::OnThrottleStateChange() {
+  if (!render_frame_)
+    return;
+
   SendDidChangeView();
 
   bool is_throttled = throttler_->IsThrottled();
   render_frame()->Send(new FrameHostMsg_PluginInstanceThrottleStateChange(
       module_->GetPluginChildId(), pp_instance_, is_throttled));
 }
 
 void PepperPluginInstanceImpl::OnHiddenForPlaceholder(bool hidden) {
   UpdateLayer(false /* device_changed */);
 }
@@ skipping 1276 matching lines @@
     const cc::TextureMailbox& mailbox) const {
   auto it =
       std::find_if(texture_ref_counts_.begin(), texture_ref_counts_.end(),
                    [&mailbox](const TextureMailboxRefCount& ref_count) {
                      return ref_count.first.mailbox() == mailbox.mailbox();
                    });
   return it != texture_ref_counts_.end();
 }
 
 }  // namespace content