In ChromeFrame the ChromeFrameAutomationProxy object is created on the background proxy channel thread and is accessed

from the UI thread, the proxy channel thread and the IPC thread. This leads to a race condition when ChromeFrame is being
torn down which occurs because the ChromeFrameAutomationProxy pointer is being set to NULL in the UI thread/deleted in
the proxy background thread while it could be accessed while processing a callback in the IPC thread thus causing a crash.

Fix is to ensure that the IPC thread does not access the ChromeFrameAutomationProxy pointer. To achieve this the callbacks
are now individual context objects which when invoked forward the actions to the ChromeFrameAutomationClient object.

The CreateExternalTab and ConnectExternalTab callbacks now complete their actions on the UI thread.

While at this based on a discussion and lot of help from Stoyan we decided to clean up the sync message dispatching code
used by ChromeFrame by having callbacks now derive from a SyncMessageCallContext class to ensure that these get cleaned
up correctly in all cases. For e.g. if we don't receive a response for a message, etc and thus enable them to present
a consistent interface to be invoked when we receive a response for a IPc message.

Fixes bug http://code.google.com/p/chromium/issues/detail?id=44245

Bug=44245

Review URL: http://codereview.chromium.org/2073007

git-svn-id: svn://svn.chromium.org/chrome/trunk/src@47453 0039d316-1c4b-4281-b951-d872f2087c98

1 files changed, 128 insertions, 92 deletions

diff --git a/chrome_frame/chrome_frame_automation.cc b/chrome_frame/chrome_frame_automation.cc
index 8d89cbd..bccdcc8 100644
--- a/chrome_frame/chrome_frame_automation.cc
+++ b/chrome_frame/chrome_frame_automation.cc
@@ -24,7 +24,6 @@
 #include "chrome/test/automation/tab_proxy.h"
 #include "chrome_frame/chrome_launcher.h"
 #include "chrome_frame/utils.h"
-#include "chrome_frame/sync_msg_reply_dispatcher.h"
 
 #ifdef NDEBUG
 int64 kAutomationServerReasonableLaunchDelay = 1000;  // in milliseconds
@@ -92,33 +91,135 @@ class ChromeFrameAutomationProxyImpl::TabProxyNotificationMessageFilter
   std::list<AutomationHandle> tabs_list_;
 };
 
+// Class that maintains context during the async load/install extension
+// operation.  When done, InstallExtensionComplete is posted back to the UI
+// thread so that the users of ChromeFrameAutomationClient can be notified.
+class InstallExtensionContext
+    : public SyncMessageReplyDispatcher::SyncMessageCallContext {
+ public:
+  typedef Tuple1<AutomationMsg_ExtensionResponseValues> output_type;
+
+  InstallExtensionContext(ChromeFrameAutomationClient* client,
+      const FilePath& crx_path, void* user_data) : client_(client),
+      crx_path_(crx_path), user_data_(user_data) {
+  }
+
+  ~InstallExtensionContext() {
+  }
+
+  void Completed(AutomationMsg_ExtensionResponseValues res) {
+    client_->PostTask(FROM_HERE, NewRunnableMethod(client_.get(),
+        &ChromeFrameAutomationClient::InstallExtensionComplete, crx_path_,
+        user_data_, res));
+  }
+
+ private:
+  scoped_refptr<ChromeFrameAutomationClient> client_;
+  FilePath crx_path_;
+  void* user_data_;
+};
+
+// Class that maintains context during the async retrieval of fetching the
+// list of enabled extensions.  When done, GetEnabledExtensionsComplete is
+// posted back to the UI thread so that the users of
+// ChromeFrameAutomationClient can be notified.
+class GetEnabledExtensionsContext
+    : public SyncMessageReplyDispatcher::SyncMessageCallContext {
+ public:
+  typedef Tuple1<std::vector<FilePath> > output_type;
+
+  GetEnabledExtensionsContext(
+      ChromeFrameAutomationClient* client, void* user_data) : client_(client),
+          user_data_(user_data) {
+    extension_directories_ = new std::vector<FilePath>();
+  }
+
+  ~GetEnabledExtensionsContext() {
+    // ChromeFrameAutomationClient::GetEnabledExtensionsComplete takes
+    // ownership of extension_directories_.
+  }
+
+  std::vector<FilePath>* extension_directories() {
+    return extension_directories_;
+  }
+
+  void Completed(
+      std::vector<FilePath> result) {
+    (*extension_directories_) = result;
+    client_->PostTask(FROM_HERE, NewRunnableMethod(client_.get(),
+      &ChromeFrameAutomationClient::GetEnabledExtensionsComplete,
+      user_data_, extension_directories_));
+  }
+
+ private:
+  scoped_refptr<ChromeFrameAutomationClient> client_;
+  std::vector<FilePath>* extension_directories_;
+  void* user_data_;
+};
+
+// Class that maintains contextual information for the create and connect
+// external tab operations.
+class CreateExternalTabContext
+    : public SyncMessageReplyDispatcher::SyncMessageCallContext {
+ public:
+  typedef Tuple3<HWND, HWND, int> output_type;
+  explicit CreateExternalTabContext(ChromeFrameAutomationClient* client)
+      : client_(client) {
+  }
+
+  void Completed(HWND chrome_window, HWND tab_window, int tab_handle) {
+    client_->PostTask(FROM_HERE,
+                      NewRunnableMethod(client_.get(),
+                      &ChromeFrameAutomationClient::CreateExternalTabComplete,
+                      chrome_window, tab_window, tab_handle));
+  }
+
+ private:
+  scoped_refptr<ChromeFrameAutomationClient> client_;
+};
+
+// This class maintains context information for the BeginNavigate operations
+// pertaining to the external tab.
+class BeginNavigateContext
+    : public SyncMessageReplyDispatcher::SyncMessageCallContext {
+ public:
+  explicit BeginNavigateContext(ChromeFrameAutomationClient* client)
+      : client_(client) {}
+
+  typedef Tuple1<AutomationMsg_NavigationResponseValues> output_type;
+
+  void Completed(AutomationMsg_NavigationResponseValues response) {
+    client_->BeginNavigateCompleted(response);
+  }
+
+ private:
+  scoped_refptr<ChromeFrameAutomationClient> client_;
+};
+
 class ChromeFrameAutomationProxyImpl::CFMsgDispatcher
     : public SyncMessageReplyDispatcher {
  public:
   CFMsgDispatcher() : SyncMessageReplyDispatcher() {}
  protected:
   virtual bool HandleMessageType(const IPC::Message& msg,
-                                 const MessageSent& origin) {
-    switch (origin.type) {
+                                 SyncMessageCallContext* context) {
+    switch (context->message_type()) {
       case AutomationMsg_CreateExternalTab::ID:
       case AutomationMsg_ConnectExternalTab::ID:
-        InvokeCallback<Tuple3<HWND, HWND, int> >(msg, origin);
+        InvokeCallback<CreateExternalTabContext>(msg, context);
         break;
       case AutomationMsg_NavigateExternalTabAtIndex::ID:
       case AutomationMsg_NavigateInExternalTab::ID:
-        InvokeCallback<Tuple1<AutomationMsg_NavigationResponseValues> >(msg,
-              origin);
+        InvokeCallback<BeginNavigateContext>(msg, context);
         break;
       case AutomationMsg_InstallExtension::ID:
-        InvokeCallback<Tuple1<AutomationMsg_ExtensionResponseValues> >(msg,
-              origin);
+        InvokeCallback<InstallExtensionContext>(msg, context);
         break;
       case AutomationMsg_LoadExpandedExtension::ID:
-        InvokeCallback<Tuple1<AutomationMsg_ExtensionResponseValues> >(msg,
-              origin);
+        InvokeCallback<InstallExtensionContext>(msg, context);
         break;
       case AutomationMsg_GetEnabledExtensions::ID:
-        InvokeCallback<Tuple1<std::vector<FilePath> > >(msg, origin);
+        InvokeCallback<GetEnabledExtensionsContext>(msg, context);
         break;
       default:
         NOTREACHED();
@@ -143,9 +244,10 @@ ChromeFrameAutomationProxyImpl::~ChromeFrameAutomationProxyImpl() {
   TRACE_EVENT_END("chromeframe.automationproxy", this, "");
 }
 
-void ChromeFrameAutomationProxyImpl::SendAsAsync(IPC::SyncMessage* msg,
-                                                 void* callback, void* key) {
-  sync_->Push(msg, callback, key);
+void ChromeFrameAutomationProxyImpl::SendAsAsync(
+    IPC::SyncMessage* msg,
+    SyncMessageReplyDispatcher::SyncMessageCallContext* context, void* key) {
+  sync_->Push(msg, context, key);
   channel_->ChannelProxy::Send(msg);
 }
 
@@ -613,8 +715,8 @@ bool ChromeFrameAutomationClient::NavigateToIndex(int index) {
 
   IPC::SyncMessage* msg = new AutomationMsg_NavigateExternalTabAtIndex(
       0, tab_->handle(), index, NULL);
-  automation_server_->SendAsAsync(msg, NewCallback(this,
-      &ChromeFrameAutomationClient::BeginNavigateCompleted), this);
+  automation_server_->SendAsAsync(msg, new BeginNavigateContext(this),
+                                  this);
   return true;
 }
 
@@ -656,8 +758,7 @@ void ChromeFrameAutomationClient::BeginNavigate(const GURL& url,
   IPC::SyncMessage* msg =
       new AutomationMsg_NavigateInExternalTab(0, tab_->handle(), url,
                                               referrer, NULL);
-  automation_server_->SendAsAsync(msg, NewCallback(this,
-      &ChromeFrameAutomationClient::BeginNavigateCompleted), this);
+  automation_server_->SendAsAsync(msg, new BeginNavigateContext(this), this);
 
   RECT client_rect = {0};
   chrome_frame_delegate_->GetBounds(&client_rect);
@@ -693,32 +794,6 @@ void ChromeFrameAutomationClient::FindInPage(const std::wstring& search_string,
   automation_server_->SendAsAsync(msg, NULL, this);
 }
 
-// Class that maintains context during the async load/install extension
-// operation.  When done, InstallExtensionComplete is posted back to the UI
-// thread so that the users of ChromeFrameAutomationClient can be notified.
-class InstallExtensionContext {
- public:
-  InstallExtensionContext(ChromeFrameAutomationClient* client,
-      const FilePath& crx_path, void* user_data) : client_(client),
-      crx_path_(crx_path), user_data_(user_data) {
-  }
-
-  ~InstallExtensionContext() {
-  }
-
-  void InstallExtensionComplete(AutomationMsg_ExtensionResponseValues res) {
-    client_->PostTask(FROM_HERE, NewRunnableMethod(client_.get(),
-        &ChromeFrameAutomationClient::InstallExtensionComplete, crx_path_,
-        user_data_, res));
-    delete this;
-  }
-
- private:
-  scoped_refptr<ChromeFrameAutomationClient> client_;
-  FilePath crx_path_;
-  void* user_data_;
-};
-
 void ChromeFrameAutomationClient::InstallExtension(
     const FilePath& crx_path,
     void* user_data) {
@@ -736,8 +811,7 @@ void ChromeFrameAutomationClient::InstallExtension(
       new AutomationMsg_InstallExtension(0, crx_path, NULL);
 
   // The context will delete itself after it is called.
-  automation_server_->SendAsAsync(msg, NewCallback(ctx,
-      &InstallExtensionContext::InstallExtensionComplete), this);
+  automation_server_->SendAsAsync(msg, ctx, this);
 }
 
 void ChromeFrameAutomationClient::InstallExtensionComplete(
@@ -751,42 +825,6 @@ void ChromeFrameAutomationClient::InstallExtensionComplete(
   }
 }
 
-// Class that maintains context during the async retrieval of fetching the
-// list of enabled extensions.  When done, GetEnabledExtensionsComplete is
-// posted back to the UI thread so that the users of
-// ChromeFrameAutomationClient can be notified.
-class GetEnabledExtensionsContext {
- public:
-  GetEnabledExtensionsContext(
-      ChromeFrameAutomationClient* client, void* user_data) : client_(client),
-          user_data_(user_data) {
-    extension_directories_ = new std::vector<FilePath>();
-  }
-
-  ~GetEnabledExtensionsContext() {
-    // ChromeFrameAutomationClient::GetEnabledExtensionsComplete takes
-    // ownership of extension_directories_.
-  }
-
-  std::vector<FilePath>* extension_directories() {
-    return extension_directories_;
-  }
-
-  void GetEnabledExtensionsComplete(
-      std::vector<FilePath> result) {
-    (*extension_directories_) = result;
-    client_->PostTask(FROM_HERE, NewRunnableMethod(client_.get(),
-      &ChromeFrameAutomationClient::GetEnabledExtensionsComplete,
-      user_data_, extension_directories_));
-    delete this;
-  }
-
- private:
-  scoped_refptr<ChromeFrameAutomationClient> client_;
-  std::vector<FilePath>* extension_directories_;
-  void* user_data_;
-};
-
 void ChromeFrameAutomationClient::GetEnabledExtensions(void* user_data) {
     if (automation_server_ == NULL) {
       GetEnabledExtensionsComplete(user_data, &std::vector<FilePath>());
@@ -800,8 +838,7 @@ void ChromeFrameAutomationClient::GetEnabledExtensions(void* user_data) {
         0, ctx->extension_directories());
 
     // The context will delete itself after it is called.
-    automation_server_->SendAsAsync(msg, NewCallback(ctx,
-        &GetEnabledExtensionsContext::GetEnabledExtensionsComplete), this);
+    automation_server_->SendAsAsync(msg, ctx, this);
 }
 
 void ChromeFrameAutomationClient::GetEnabledExtensionsComplete(
@@ -845,8 +882,7 @@ void ChromeFrameAutomationClient::LoadExpandedExtension(
       new AutomationMsg_LoadExpandedExtension(0, path, NULL);
 
   // The context will delete itself after it is called.
-  automation_server_->SendAsAsync(msg, NewCallback(ctx,
-      &InstallExtensionContext::InstallExtensionComplete), this);
+  automation_server_->SendAsAsync(msg, ctx, this);
 }
 
 void ChromeFrameAutomationClient::CreateExternalTab() {
@@ -877,8 +913,8 @@ void ChromeFrameAutomationClient::CreateExternalTab() {
 
   IPC::SyncMessage* message =
       new AutomationMsg_CreateExternalTab(0, settings, NULL, NULL, NULL);
-  automation_server_->SendAsAsync(message, NewCallback(this,
-      &ChromeFrameAutomationClient::CreateExternalTabComplete), this);
+  automation_server_->SendAsAsync(message, new CreateExternalTabContext(this),
+                                  this);
 }
 
 void ChromeFrameAutomationClient::CreateExternalTabComplete(HWND chrome_window,
@@ -901,8 +937,7 @@ void ChromeFrameAutomationClient::CreateExternalTabComplete(HWND chrome_window,
     tab_handle_ = tab_handle;
   }
 
-  PostTask(FROM_HERE, NewRunnableMethod(this,
-      &ChromeFrameAutomationClient::InitializeComplete, launch_result));
+  InitializeComplete(launch_result);
 }
 
 void ChromeFrameAutomationClient::SetEnableExtensionAutomation(
@@ -948,8 +983,9 @@ void ChromeFrameAutomationClient::LaunchComplete(
         IPC::SyncMessage* message =
             new AutomationMsg_ConnectExternalTab(0, external_tab_cookie_, true,
               NULL, NULL, NULL);
-        automation_server_->SendAsAsync(message, NewCallback(this,
-            &ChromeFrameAutomationClient::CreateExternalTabComplete), this);
+        automation_server_->SendAsAsync(message,
+                                        new CreateExternalTabContext(this),
+                                        this);
         DLOG(INFO) << __FUNCTION__ << ": sending CreateExternalTabComplete";
       }
     }