authorananta@chromium.org <ananta@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98>2009-02-18 20:34:46 +0000
committerananta@chromium.org <ananta@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98>2009-02-18 20:34:46 +0000
commit2072f00ba9832d7a3185917a70153415e0866dc1 (patch)
treef9ccffa85b26884747cc1b6e0c66e448650d3f03 /chrome/renderer/automation/dom_automation_controller.cc
parentf7433d3d9d9d7043d92300364a3789beb6fcc59c (diff)
The DOM Automation controller object uses the RenderView instance as the message sender, i.e. to send replies to javascript requests issued by the browser.
The DOM automation controller object is bound to the frame in the WindowObjectcleared code path. The current implementation maintains the message sender object as a static pointer, which causes a crash if the RenderView instance goes out of scope. This can be reproduced with a page which causes a popup window to show up and close. If we attempt to use the Dom Automation controller instance bound to the original Renderview, which is still valid, we crash. The fix is to maintain the message sender as a member variable. The lifetime of the Dom Automation controller instance depends on the RenderView lifetime anyway as it is a member variable. This mimics the other CppBindings like the external host bindings, etc. Added an automation test to test this case. I verified that the test crashes without this fix. This fixes bug http://code.google.com/p/chromium/issues/detail?id=3941 Bug=3941 Review URL: http://codereview.chromium.org/21441 git-svn-id: svn://svn.chromium.org/chrome/trunk/src@9963 0039d316-1c4b-4281-b951-d872f2087c98
Diffstat (limited to 'chrome/renderer/automation/dom_automation_controller.cc')
-rw-r--r--chrome/renderer/automation/dom_automation_controller.cc23
1 files changed, 14 insertions, 9 deletions
diff --git a/chrome/renderer/automation/dom_automation_controller.cc b/chrome/renderer/automation/dom_automation_controller.cc
index 56aea6e..0c320ca 100644
--- a/chrome/renderer/automation/dom_automation_controller.cc
+++ b/chrome/renderer/automation/dom_automation_controller.cc
@@ -8,16 +8,15 @@
#include "chrome/common/render_messages.h"
#include "base/string_util.h"
-IPC::Message::Sender* DomAutomationController::sender_(NULL);
-int DomAutomationController::routing_id_(MSG_ROUTING_NONE);
-int DomAutomationController::automation_id_(MSG_ROUTING_NONE);
-
-DomAutomationController::DomAutomationController(){
- BindMethod("send", &DomAutomationController::send);
- BindMethod("setAutomationId", &DomAutomationController::setAutomationId);
+DomAutomationController::DomAutomationController()
+ : sender_(NULL),
+ routing_id_(MSG_ROUTING_NONE),
+ automation_id_(MSG_ROUTING_NONE) {
+ BindMethod("send", &DomAutomationController::Send);
+ BindMethod("setAutomationId", &DomAutomationController::SetAutomationId);
}
-void DomAutomationController::send(const CppArgumentList& args,
+void DomAutomationController::Send(const CppArgumentList& args,
CppVariant* result) {
if (args.size() != 1) {
result->SetNull();
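Review bot: `routing_id_` and `automation_id_` become per-instance along with `sender_` in the new initializer list, which is a behaviour change beyond the crash fix: an id stored through `setAutomationId` on one controller is no longer seen by any other controller. That is presumably intended, since the commit message says each RenderView owns its controller, but it deserves a line in the class comment, e.g. `// sender_, routing_id_ and automation_id_ are per RenderView; nothing is shared between views.` The script-visible names `send` and `setAutomationId` are unchanged, so only the C++ method names move. The body of Send continues past the end of this hunk.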
@@ -29,6 +28,12 @@ void DomAutomationController::send(const CppArgumentList& args,
return;
}
+ if (!sender_) {
+ NOTREACHED();
+ result->SetNull();
+ return;
+ }
+
std::string json;
JSONStringValueSerializer serializer(&json);
scoped_ptr<Value> value;
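Review bot: The new `if (!sender_)` guard both asserts with `NOTREACHED()` and handles the case, so a reader cannot tell whether a NULL sender is an impossible state or an expected one. Send is bound as the script-callable `send`, so if a page can run before the sender is set (not visible here), debug builds would assert on page-controlled input; in that case drop the assert and keep the early return. Otherwise state the invariant above the check, e.g. `// sender_ is set by the owning RenderView before this object is bound to a frame.` The guard catches only NULL; a stale non-NULL pointer is excluded only by the ownership described in the commit message. Send starts before and continues after this hunk.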
@@ -81,7 +86,7 @@ void DomAutomationController::send(const CppArgumentList& args,
return;
}
-void DomAutomationController::setAutomationId(
+void DomAutomationController::SetAutomationId(
const CppArgumentList& args, CppVariant* result) {
if (args.size() != 1) {
result->SetNull();