Make FindInPage be a ContextLifecycleObserver

frame_ in FindInPage might be null when GetWebPluginForFind is called,
causing a crash in crbug.com/848032. This happens when the frame had
detached but the pre-finalizer for FindInPage is not called yet, making
it possible for FindInPage to still receive mojo calls even though
the frame is null. This CL makes FindInPage observe when its document/
execution context is destroyed so that it will close its mojo binding
when that happens.

Bug: 848032
Change-Id: Ifac00128e4efeb98f73fdcb98a944164d9ca1bf1
Reviewed-on: https://chromium-review.googlesource.com/1107032
Commit-Queue: Rakina Zata Amni <rakina@chromium.org>
Reviewed-by: Daniel Cheng <dcheng@chromium.org>
Cr-Commit-Position: refs/heads/master@{#575560}

third_party/blink/renderer/core/frame/find_in_page.cc

@@ -41,6 +41,22 @@
 
 namespace blink {
 
+FindInPage::FindInPage(WebLocalFrameImpl& frame,
+                       InterfaceRegistry* interface_registry)
+    : ContextLifecycleObserver(
+          frame.GetFrame() ? frame.GetFrame()->GetDocument() : nullptr),
+      frame_(&frame),
+      binding_(this) {
+  // TODO(rakina): Use InterfaceRegistry of |frame| directly rather than passing
+  // both of them.
+  if (!interface_registry)
+    return;
+  // TODO(crbug.com/800641): Use InterfaceValidator when it works for associated
+  // interfaces.
+  interface_registry->AddAssociatedInterface(
+      WTF::BindRepeating(&FindInPage::BindToRequest, WrapWeakPersistent(this)));
+}
+
 void WebLocalFrameImpl::RequestFind(int identifier,
                                     const WebString& search_text,
                                     const WebFindOptions& options) {
@@ -287,4 +303,8 @@ void FindInPage::Dispose() {
   binding_.Close();
 }
 
+void FindInPage::ContextDestroyed(ExecutionContext* context) {
+  binding_.Close();
+}
+
 }  // namespace blink

third_party/blink/renderer/core/frame/find_in_page.h

@@ -12,6 +12,7 @@
 #include "third_party/blink/public/web/web_local_frame.h"
 #include "third_party/blink/public/web/web_plugin_container.h"
 #include "third_party/blink/renderer/core/core_export.h"
+#include "third_party/blink/renderer/core/dom/context_lifecycle_observer.h"
 #include "third_party/blink/renderer/core/editing/finder/text_finder.h"
 #include "third_party/blink/renderer/platform/heap/garbage_collected.h"
 
@@ -24,6 +25,7 @@ struct WebFloatRect;
 
 class CORE_EXPORT FindInPage final
     : public GarbageCollectedFinalized<FindInPage>,
+      public ContextLifecycleObserver,
       public mojom::blink::FindInPage {
   USING_PRE_FINALIZER(FindInPage, Dispose);
 
@@ -88,19 +90,16 @@ class CORE_EXPORT FindInPage final
 
   void Dispose();
 
-  void Trace(blink::Visitor* visitor) {
+  void ContextDestroyed(ExecutionContext*) override;
+
+  void Trace(blink::Visitor* visitor) override {
     visitor->Trace(text_finder_);
     visitor->Trace(frame_);
+    ContextLifecycleObserver::Trace(visitor);
   }
 
  private:
-  FindInPage(WebLocalFrameImpl& frame, InterfaceRegistry* interface_registry)
-      : frame_(&frame), binding_(this) {
-    if (!interface_registry)
-      return;
-    interface_registry->AddAssociatedInterface(WTF::BindRepeating(
-        &FindInPage::BindToRequest, WrapWeakPersistent(this)));
-  }
+  FindInPage(WebLocalFrameImpl& frame, InterfaceRegistry* interface_registry);
 
   // Will be initialized after first call to ensureTextFinder().
   Member<TextFinder> text_finder_;