authordmichael@chromium.org <dmichael@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98>2013-04-24 07:21:04 +0000
committerdmichael@chromium.org <dmichael@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98>2013-04-24 07:21:04 +0000
commit24b1b0e6744d7008b37d40146674a20f09a5cc94 (patch)
tree67d9071431d9227a12eacd79ab2987b54edb363e
parent460c6713fb75dc7c876da4de4d8ecd0e2c96d16a (diff)
PPAPI: Don't dispatch messages to NULL container
If the plugin is being deleted, its WebPluginContainer might be NULL (i.e., it has already been removed from the DOM). If the ppapi::PluginInstance handles a "PpapiHostMsg_PPBInstance_PostMessage" message while blocked waiting for the plugin to return from "PpapiPluginMsg_PPPInstance_DidDestroy", we can enter PostMessageToJavaScript when the container is NULL. With this change, the message is simply dropped if the container is NULL. BUG=233354 TEST=Install chromoting extension (https://chrome.google.com/webstore/detail/chrome-remote-desktop/gbchcmhmhahfdphkhkmpfmihenigjmpp). Connect to a remote computer. Close the chromoting window. The Chromoting plugin should not crash. See bug 233354 for more info. Review URL: https://chromiumcodereview.appspot.com/14438003 git-svn-id: svn://svn.chromium.org/chrome/trunk/src@196067 0039d316-1c4b-4281-b951-d872f2087c98
-rw-r--r--webkit/plugins/ppapi/message_channel.cc11
1 files changed, 8 insertions, 3 deletions
diff --git a/webkit/plugins/ppapi/message_channel.cc b/webkit/plugins/ppapi/message_channel.cc
index b4d207e..059a06b 100644
--- a/webkit/plugins/ppapi/message_channel.cc
+++ b/webkit/plugins/ppapi/message_channel.cc
@@ -342,13 +342,18 @@ MessageChannel::MessageChannel(PluginInstance* instance)
}
void MessageChannel::PostMessageToJavaScript(PP_Var message_data) {
- // Serialize the message data.
v8::HandleScope scope;
+
// Because V8 is probably not on the stack for Native->JS calls, we need to
// enter the appropriate context for the plugin.
+ WebPluginContainer* container = instance_->container();
+ // It's possible that container() is NULL if the plugin has been removed from
+ // the DOM (but the PluginInstance is not destroyed yet).
+ if (!container)
+ return;
+
v8::Local<v8::Context> context =
- instance_->container()->element().document().frame()->
- mainWorldScriptContext();
+ container->element().document().frame()->mainWorldScriptContext();
v8::Context::Scope context_scope(context);
v8::Local<v8::Value> v8_val;