Fix crash in content::BrowserPlugin::Destroy

We thought embedding_render_widget_ would outlive the BrowserPlugin, but
apparently not, so use weak pointers to ensure we don't access
embedding_render_widget_ once it's gone.

Bug: 812966
Change-Id: I7f374a63bd34db3cb616fa961d7c504570c5ef2d
Reviewed-on: https://chromium-review.googlesource.com/959239Reviewed-by: Antoine Labour <piman@chromium.org>
Commit-Queue: Saman Sami <samans@chromium.org>
Cr-Commit-Position: refs/heads/master@{#542890}

content/renderer/browser_plugin/browser_plugin.cc

@@ -389,7 +389,7 @@ gfx::Rect BrowserPlugin::FrameRectInPixels() const {
 }
 
 float BrowserPlugin::GetDeviceScaleFactor() const {
-  return embedding_render_widget_->GetOriginalScreenInfo().device_scale_factor;
+  return pending_resize_params_.screen_info.device_scale_factor;
 }
 
 void BrowserPlugin::UpdateInternalInstanceId() {
@@ -460,9 +460,8 @@ bool BrowserPlugin::Initialize(WebPluginContainer* container) {
 
   embedding_render_widget_ =
       RenderFrameImpl::FromWebFrame(container_->GetDocument().GetFrame())
-          ->GetRenderWidget();
-  pending_resize_params_.screen_info =
-      embedding_render_widget_->GetOriginalScreenInfo();
+          ->GetRenderWidget()
+          ->AsWeakPtr();
   embedding_render_widget_->RegisterBrowserPlugin(this);
 
   return true;
@@ -525,6 +524,12 @@ void BrowserPlugin::UpdateGeometry(const WebRect& plugin_rect_in_viewport,
                                    const WebRect& clip_rect,
                                    const WebRect& unobscured_rect,
                                    bool is_visible) {
+  // Ignore this call during teardown. If the embedding RenderWidget is gone,
+  // don't bother sending new geometry to the child because it's not being shown
+  // anymore.
+  if (!embedding_render_widget_)
+    return;
+
   // Convert the plugin_rect_in_viewport to window coordinates, which is css.
   WebRect rect_in_css(plugin_rect_in_viewport);
 
@@ -541,8 +546,6 @@ void BrowserPlugin::UpdateGeometry(const WebRect& plugin_rect_in_viewport,
   }
 
   pending_resize_params_.frame_rect = frame_rect;
-  pending_resize_params_.screen_info =
-      embedding_render_widget_->GetOriginalScreenInfo();
   if (guest_crashed_) {
     // Update the sad page to match the current ScreenInfo.
     compositing_helper_->ChildFrameGone(frame_rect.size(),

content/renderer/browser_plugin/browser_plugin.h

@@ -280,7 +280,7 @@ class CONTENT_EXPORT BrowserPlugin : public blink::WebPlugin,
   scoped_refptr<base::SingleThreadTaskRunner> task_runner_;
 
   // Pointer to the RenderWidget that embeds this plugin.
-  RenderWidget* embedding_render_widget_ = nullptr;
+  base::WeakPtr<RenderWidget> embedding_render_widget_;
 
   // The layer used to embed the out-of-process content.
   std::unique_ptr<blink::WebLayer> web_layer_;

content/renderer/render_widget.cc

@@ -2617,6 +2617,7 @@ void RenderWidget::UnregisterRenderFrame(RenderFrameImpl* frame) {
 
 void RenderWidget::RegisterBrowserPlugin(BrowserPlugin* browser_plugin) {
   browser_plugins_.AddObserver(browser_plugin);
+  browser_plugin->ScreenInfoChanged(GetOriginalScreenInfo());
 }
 
 void RenderWidget::UnregisterBrowserPlugin(BrowserPlugin* browser_plugin) {
@@ -2790,4 +2791,8 @@ gfx::Rect RenderWidget::ViewportVisibleRect() {
                     : gfx::Rect(compositor_viewport_pixel_size_);
 }
 
+base::WeakPtr<RenderWidget> RenderWidget::AsWeakPtr() {
+  return weak_ptr_factory_.GetWeakPtr();
+}
+
 }  // namespace content

content/renderer/render_widget.h

@@ -469,6 +469,8 @@ class CONTENT_EXPORT RenderWidget
 
   void DidResizeOrRepaintAck();
 
+  base::WeakPtr<RenderWidget> AsWeakPtr();
+
  protected:
   // Friend RefCounted so that the dtor can be non-public. Using this class
   // without ref-counting is an error.