Early return from WebPluginContainerImpl::scriptableObject if the plugin gets destroyed

WebPluginContainerImpl::scriptableObject calls into WebPlugin::scriptableObject
which (in the PepperWebPluginImpl implementation) sends synchronous messages
to the plugin which can result in re-entrancy. This re-entrancy may cause the
plugin to be destroyed, which sets m_webPlugin to null in
WebPluginContainerImpl::dispose. We need to check for a null value to avoid
dereferencing a null pointer.

BUG=423263

Review URL: https://codereview.chromium.org/715073002

git-svn-id: svn://svn.chromium.org/blink/trunk@185182 bbb929c8-8fbe-4397-9dbb-9b2b20218538

third_party/WebKit/Source/web/WebPluginContainerImpl.cpp

@@ -591,6 +591,12 @@ WebLayer* WebPluginContainerImpl::platformLayer() const
 v8::Local<v8::Object> WebPluginContainerImpl::scriptableObject(v8::Isolate* isolate)
 {
     v8::Local<v8::Object> object = m_webPlugin->v8ScriptableObject(isolate);
+    // |m_webPlugin| may be destroyed during the above line due to re-entrancy
+    // caused by sync messages to the plugin. If this is the case just return an
+    // empty handle. crbug.com/423263.
+    if (!m_webPlugin)
+        return v8::Local<v8::Object>();
+
     if (!object.IsEmpty()) {
         // WebPlugin implementation can't provide the obsolete NPObject at the same time:
         ASSERT(!m_webPlugin->scriptableObject());