Fix use-after-free of TestRunner::main_view_

test_runner::TestRunner::WorkQueue::ProcessWork() can run after the
main WebView destruction, and we have to clear main_view_ when the
WebView is destructed.

The code assumed TestInterfaces::WindowClosed() cleared main_view_
if the closing WebView is the main WebView. However,
|proxy->webview()| is already null here because WebView is destructed
before calling WindowClosed().

This CL adds SetMainView(nullptr) to ~WebViewTestProxy(). It is called
if the global delegate is same as the delegate owned by the
WebViewTestProxy. This condition is equivalent to 'this
WebViewTestProxy is the owner of the main WebView.'

Bug: 1010581
Change-Id: I868ce9223d253dbf02620fdebff8ada4a51c60d7
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/1865734Reviewed-by: Mike West <mkwst@chromium.org>
Commit-Queue: Kent Tamura <tkent@chromium.org>
Cr-Commit-Position: refs/heads/master@{#707717}

content/shell/test_runner/test_interfaces.cc

@@ -137,9 +137,6 @@ void TestInterfaces::WindowClosed(WebViewTestProxy* proxy) {
     return;
   }
   window_list_.erase(pos);
-
-  if (proxy->webview() == main_view_)
-    SetMainView(nullptr);
 }
 
 TestRunner* TestInterfaces::GetTestRunner() {

content/shell/test_runner/web_view_test_proxy.cc

@@ -101,8 +101,10 @@ void WebViewTestProxy::BindTo(blink::WebLocalFrame* frame) {
 
 WebViewTestProxy::~WebViewTestProxy() {
   test_interfaces_->WindowClosed(this);
-  if (test_interfaces_->GetDelegate() == delegate_.get())
+  if (test_interfaces_->GetDelegate() == delegate_.get()) {
     test_interfaces_->SetDelegate(nullptr);
+    test_interfaces_->SetMainView(nullptr);
+  }
 }
 
 TestRunner* WebViewTestProxy::GetTestRunner() {