Oilpan: update plugin handling to work over plugins persisted over reattach

Following Blink r201401, a plugin element's persisted plugin will be
cleared out upon the plugin element being removed from the tree or being
re-attached and there being no layout object. With Oilpan, this may
bring about disposal of the underlying plugin.

A disposed persisted plugin is consequently observable if subsequently
try to return the plugin wrapper object for the plugin element -- add
the required check so as to handle this properly.

R=haraken
BUG=526999

Review URL: https://codereview.chromium.org/1326603002

git-svn-id: svn://svn.chromium.org/blink/trunk@201572 bbb929c8-8fbe-4397-9dbb-9b2b20218538

third_party/WebKit/Source/core/html/HTMLPlugInElement.cpp

@@ -116,6 +116,8 @@ void HTMLPlugInElement::setPersistedPluginWidget(Widget* widget)
         LocalFrame* frame = toPluginView(m_persistedPluginWidget.get())->pluginFrame();
         ASSERT(frame);
         frame->unregisterPluginElement(this);
+        if (!widget)
+            m_persistedPluginWidget->dispose();
     }
     if (widget && widget->isPluginView()) {
         LocalFrame* frame = toPluginView(widget)->pluginFrame();

third_party/WebKit/Source/web/WebPluginContainerImpl.cpp

@@ -606,6 +606,15 @@ WebLayer* WebPluginContainerImpl::platformLayer() const
 
 v8::Local<v8::Object> WebPluginContainerImpl::scriptableObject(v8::Isolate* isolate)
 {
+#if ENABLE(OILPAN)
+    // With Oilpan, on plugin element detach dispose() will be called to safely
+    // clear out references, including the pre-emptive destruction of the plugin.
+    //
+    // It clearly has no scriptable object if in such a disposed state.
+    if (!m_webPlugin)
+        return v8::Local<v8::Object>();
+#endif
+
     // The plugin may be destroyed due to re-entrancy when calling
     // v8ScriptableObject below. crbug.com/458776. Hold a reference to the
     // plugin container to prevent this from happening. For Oilpan, 'this'