Proposed fix for http://b/issue?id=1362948, which is a crash in the rendererwhen we invoke the setCursor call on the parent view in WebPluginImpl::handleEvent.

This crash occurs because the plugin is deleted in the context of a mouse down event. This could occur by invoking a javascript function via NPN_Evaluate. On return from the HandleEvent sync call we attempt to retreive the parent frame, which 
returns NULL and hence the crash. 

The fix is to retreive the parent frameview at the start of the WebPluginImpl::handleMouseEvent function and use it whereever needed. 

Added a unit test which deletes the plugin instance in a mousemove event.R=jamBug=1362948
Review URL: http://codereview.chromium.org/8178

git-svn-id: svn://svn.chromium.org/chrome/trunk/src@4094 0039d316-1c4b-4281-b951-d872f2087c98

3 files changed, 48 insertions, 17 deletions

diff --git a/webkit/glue/plugins/test/plugin_client.cc b/webkit/glue/plugins/test/plugin_client.cc
index 868810e..b0e7e91 100644
--- a/webkit/glue/plugins/test/plugin_client.cc
+++ b/webkit/glue/plugins/test/plugin_client.cc
@@ -102,7 +102,7 @@ NPError NPP_New(NPMIMEType pluginType, NPP instance, uint16 mode,
   } else if (base::strcasecmp(argv[name_index],
              "execute_script_delete_in_paint") == 0) {
     new_test = new NPAPIClient::ExecuteScriptDeleteTest(instance,
-      NPAPIClient::PluginClient::HostFunctions());
+      NPAPIClient::PluginClient::HostFunctions(), argv[name_index]);
     windowless_plugin = true;
   } else if (base::strcasecmp(argv[name_index], "getjavascripturl") == 0) {
     new_test = new NPAPIClient::ExecuteGetJavascriptUrlTest(instance,
@@ -137,6 +137,11 @@ NPError NPP_New(NPMIMEType pluginType, NPP instance, uint16 mode,
              "plugin_popup_with_plugin_target") == 0) {
     new_test = new NPAPIClient::ExecuteJavascriptPopupWindowTargetPluginTest(
         instance, NPAPIClient::PluginClient::HostFunctions());
+  } else if (base::strcasecmp(argv[name_index],
+                              "execute_script_delete_in_mouse_move") == 0) {
+    new_test = new NPAPIClient::ExecuteScriptDeleteTest(instance,
+      NPAPIClient::PluginClient::HostFunctions(), argv[name_index]);
+    windowless_plugin = true;
   } else {
     // If we don't have a test case for this, create a
     // generic one which basically never fails.
diff --git a/webkit/glue/plugins/test/plugin_execute_script_delete_test.cc b/webkit/glue/plugins/test/plugin_execute_script_delete_test.cc
index 7137ceb..3f1d0e1 100644
--- a/webkit/glue/plugins/test/plugin_execute_script_delete_test.cc
+++ b/webkit/glue/plugins/test/plugin_execute_script_delete_test.cc
@@ -8,25 +8,47 @@
 
 namespace NPAPIClient {
 
-ExecuteScriptDeleteTest::ExecuteScriptDeleteTest(NPP id, NPNetscapeFuncs *host_functions)
-  : PluginTest(id, host_functions) {
+ExecuteScriptDeleteTest::ExecuteScriptDeleteTest(
+    NPP id, NPNetscapeFuncs *host_functions, const std::string& test_name)
+  : PluginTest(id, host_functions),
+    test_name_(test_name) {
 }
 
 int16 ExecuteScriptDeleteTest::HandleEvent(void* event) {
+
+  NPNetscapeFuncs* browser = NPAPIClient::PluginClient::HostFunctions();  
+  
+  NPBool supports_windowless = 0;
+  NPError result = browser->getvalue(id(), NPNVSupportsWindowless,
+                                     &supports_windowless);
+  if ((result != NPERR_NO_ERROR) || (supports_windowless != TRUE)) {
+    SetError("Failed to read NPNVSupportsWindowless value");
+    SignalTestCompleted();
+    return PluginTest::HandleEvent(event);
+  }
+
   NPEvent* np_event = reinterpret_cast<NPEvent*>(event);
-  if (WM_PAINT == np_event->event ) {
-    NPNetscapeFuncs* browser = NPAPIClient::PluginClient::HostFunctions();
-
-    NPBool supports_windowless = 0;
-    NPError result = browser->getvalue(id(), NPNVSupportsWindowless,
-                                       &supports_windowless);
-    if ((result != NPERR_NO_ERROR) || (supports_windowless != TRUE)) {
-      SetError("Failed to read NPNVSupportsWindowless value");
-    } else {
-      NPUTF8* urlString = "javascript:DeletePluginWithinScript()";
-      NPUTF8* targetString = NULL;
-      browser->geturl(id(), urlString, targetString);
-    }
+  if (WM_PAINT == np_event->event && 
+      base::strcasecmp(test_name_.c_str(),
+                       "execute_script_delete_in_paint") == 0) {
+    NPUTF8* urlString = "javascript:DeletePluginWithinScript()";
+    NPUTF8* targetString = NULL;
+    browser->geturl(id(), urlString, targetString);
+    SignalTestCompleted();
+  } else if (WM_MOUSEMOVE == np_event->event && 
+             base::strcasecmp(test_name_.c_str(),
+                              "execute_script_delete_in_mouse_move") == 0) {
+    std::string script = "javascript:DeletePluginWithinScript()";
+    NPString script_string;
+    script_string.UTF8Characters = script.c_str();
+    script_string.UTF8Length = 
+        static_cast<unsigned int>(script.length());
+
+    NPObject *window_obj = NULL;
+    browser->getvalue(id(), NPNVWindowNPObject, &window_obj);
+    NPVariant result_var;
+    NPError result = browser->evaluate(id(), window_obj,
+                                       &script_string, &result_var);
     SignalTestCompleted();
   }
   // If this test failed, then we'd have crashed by now.
diff --git a/webkit/glue/plugins/test/plugin_execute_script_delete_test.h b/webkit/glue/plugins/test/plugin_execute_script_delete_test.h
index 5266d6d..92a1d04 100644
--- a/webkit/glue/plugins/test/plugin_execute_script_delete_test.h
+++ b/webkit/glue/plugins/test/plugin_execute_script_delete_test.h
@@ -14,9 +14,13 @@ namespace NPAPIClient {
 class ExecuteScriptDeleteTest : public PluginTest {
  public:
   // Constructor.
-  ExecuteScriptDeleteTest(NPP id, NPNetscapeFuncs *host_functions);
+  ExecuteScriptDeleteTest(NPP id, NPNetscapeFuncs *host_functions,
+                          const std::string& test_name);
   // NPAPI HandleEvent handler
   virtual int16 HandleEvent(void* event);
+
+ private:
+  std::string test_name_;
 };
 
 } // namespace NPAPIClient