OOPIF: Call setCoreFrame on remote-to-local swaps.

This ensures that various initializion in setCoreFrame is triggered when
doing remote-to-local swaps.

BUG=525285

Review URL: https://codereview.chromium.org/1316863009

git-svn-id: svn://svn.chromium.org/blink/trunk@201726 bbb929c8-8fbe-4397-9dbb-9b2b20218538

third_party/WebKit/Source/web/WebLocalFrameImpl.cpp

@@ -747,7 +747,8 @@ void WebLocalFrameImpl::setOpener(WebFrame* opener)
 
     WebFrame::setOpener(opener);
 
-    ASSERT(m_frame);
+    // TODO(alexmos,dcheng): This should ASSERT(m_frame) once we no longer have
+    // provisional local frames.
     if (m_frame && m_frame->document())
         m_frame->document()->initSecurityContext();
 }
@@ -2002,17 +2003,18 @@ void WebLocalFrameImpl::initializeToReplaceRemoteFrame(WebRemoteFrame* oldWebFra
     // the main frame of the Page. However, this is a provisional frame, and may
     // disappear, so Page::m_mainFrame can't be updated just yet.
     OwnPtrWillBeRawPtr<FrameOwner> tempOwner = RemoteBridgeFrameOwner::create(nullptr, SandboxNone);
-    m_frame = LocalFrame::create(m_frameLoaderClientImpl.get(), oldFrame->host(), tempOwner.get());
-    m_frame->setOwner(oldFrame->owner());
-    if (m_frame->owner() && !m_frame->owner()->isLocal())
-        toRemoteBridgeFrameOwner(m_frame->owner())->setSandboxFlags(static_cast<SandboxFlags>(flags));
-    m_frame->tree().setName(name);
+    RefPtrWillBeRawPtr<LocalFrame> frame = LocalFrame::create(m_frameLoaderClientImpl.get(), oldFrame->host(), tempOwner.get());
+    frame->setOwner(oldFrame->owner());
+    if (frame->owner() && !frame->owner()->isLocal())
+        toRemoteBridgeFrameOwner(frame->owner())->setSandboxFlags(static_cast<SandboxFlags>(flags));
+    frame->tree().setName(name);
     setParent(oldWebFrame->parent());
     setOpener(oldWebFrame->opener());
+    setCoreFrame(frame);
     // We must call init() after m_frame is assigned because it is referenced
     // during init(). Note that this may dispatch JS events; the frame may be
     // detached after init() returns.
-    m_frame->init();
+    frame->init();
 }
 
 void WebLocalFrameImpl::setAutofillClient(WebAutofillClient* autofillClient)

third_party/WebKit/Source/web/tests/WebFrameTest.cpp

@@ -7815,6 +7815,32 @@ TEST_P(ParameterizedWebFrameTest, SendBeaconFromChildWithRemoteMainFrame)
     view->close();
 }
 
+// See https://crbug.com/525285.
+TEST_P(ParameterizedWebFrameTest, RemoteToLocalSwapOnMainFrameInitializesCoreFrame)
+{
+    FrameTestHelpers::TestWebViewClient viewClient;
+    FrameTestHelpers::TestWebRemoteFrameClient remoteClient;
+    WebView* view = WebView::create(&viewClient);
+    view->setMainFrame(remoteClient.frame());
+    WebRemoteFrame* remoteRoot = view->mainFrame()->toWebRemoteFrame();
+    remoteRoot->setReplicatedOrigin(SecurityOrigin::createUnique());
+
+    FrameTestHelpers::TestWebFrameClient localFrameClient;
+    remoteRoot->createLocalChild(WebTreeScopeType::Document, "", WebSandboxFlags::None, &localFrameClient, nullptr);
+
+    // Do a remote-to-local swap of the top frame.
+    FrameTestHelpers::TestWebFrameClient localClient;
+    WebLocalFrame* localRoot = WebLocalFrame::create(WebTreeScopeType::Document, &localClient);
+    localRoot->initializeToReplaceRemoteFrame(remoteRoot, "", WebSandboxFlags::None);
+    remoteRoot->swap(localRoot);
+
+    // Load a page with a child frame in the new root to make sure this doesn't
+    // crash when the child frame invokes setCoreFrame.
+    FrameTestHelpers::loadFrame(localRoot, "data:text/html,<iframe></iframe>");
+
+    view->close();
+}
+
 class OverscrollWebViewClient : public FrameTestHelpers::TestWebViewClient {
 public:
     MOCK_METHOD4(didOverscroll, void(const WebFloatSize&, const WebFloatSize&, const WebFloatPoint&, const WebFloatSize&));