[root-scroller] Fix crash when considering plugin

Root scroller shouldn't consider plugins. However, the current method of
getting the scrollable area would check for a local frame and try to
convert its view to a LocalFrameView. In the case of a plugin, the
ContentFrame()->IsLocalFrame may return true but the EmbededContentView
is a PluginView rather than a LocalFrameView.

This CL cleans up these checks by looking exclusively at the
EmbeddedContentView since that's all we care about.

Bug: 903440
Change-Id: I7f172559321ecb4777e1fd85ed63f105798df257
Reviewed-on: https://chromium-review.googlesource.com/c/1330330Reviewed-by: Dave Tapuska <dtapuska@chromium.org>
Commit-Queue: David Bokan <bokan@chromium.org>
Cr-Commit-Position: refs/heads/master@{#607651}

third_party/blink/renderer/core/BUILD.gn

@@ -1830,8 +1830,6 @@ jumbo_source_set("unit_tests") {
     "events/pointer_event_factory_test.cc",
     "events/touch_event_test.cc",
     "events/web_input_event_conversion_test.cc",
-    "exported/fake_web_plugin.cc",
-    "exported/fake_web_plugin.h",
     "exported/local_frame_client_impl_test.cc",
     "exported/prerendering_test.cc",
     "exported/web_associated_url_loader_impl_test.cc",
@@ -2183,6 +2181,8 @@ jumbo_source_set("unit_tests") {
     "svg/svg_path_parser_test.cc",
     "svg/svg_text_content_element_test.cc",
     "svg/unsafe_svg_attribute_sanitization_test.cc",
+    "testing/fake_web_plugin.cc",
+    "testing/fake_web_plugin.h",
     "testing/sim/sim_canvas.cc",
     "testing/sim/sim_canvas.h",
     "testing/sim/sim_compositor.cc",

third_party/blink/renderer/core/exported/web_plugin_container_test.cc

@@ -52,7 +52,6 @@
 #include "third_party/blink/renderer/core/clipboard/system_clipboard.h"
 #include "third_party/blink/renderer/core/dom/element.h"
 #include "third_party/blink/renderer/core/events/keyboard_event.h"
-#include "third_party/blink/renderer/core/exported/fake_web_plugin.h"
 #include "third_party/blink/renderer/core/exported/web_plugin_container_impl.h"
 #include "third_party/blink/renderer/core/exported/web_view_impl.h"
 #include "third_party/blink/renderer/core/frame/event_handler_registry.h"
@@ -61,6 +60,7 @@
 #include "third_party/blink/renderer/core/html/html_element.h"
 #include "third_party/blink/renderer/core/layout/layout_object.h"
 #include "third_party/blink/renderer/core/page/page.h"
+#include "third_party/blink/renderer/core/testing/fake_web_plugin.h"
 #include "third_party/blink/renderer/platform/graphics/graphics_context.h"
 #include "third_party/blink/renderer/platform/graphics/paint/cull_rect.h"
 #include "third_party/blink/renderer/platform/graphics/paint/foreign_layer_display_item.h"

third_party/blink/renderer/core/exported/web_view_test.cc

@@ -83,7 +83,6 @@
 #include "third_party/blink/renderer/core/editing/frame_selection.h"
 #include "third_party/blink/renderer/core/editing/ime/input_method_controller.h"
 #include "third_party/blink/renderer/core/editing/markers/document_marker_controller.h"
-#include "third_party/blink/renderer/core/exported/fake_web_plugin.h"
 #include "third_party/blink/renderer/core/exported/web_settings_impl.h"
 #include "third_party/blink/renderer/core/exported/web_view_impl.h"
 #include "third_party/blink/renderer/core/frame/event_handler_registry.h"
@@ -113,6 +112,7 @@
 #include "third_party/blink/renderer/core/paint/paint_layer.h"
 #include "third_party/blink/renderer/core/paint/paint_layer_painter.h"
 #include "third_party/blink/renderer/core/paint/paint_layer_scrollable_area.h"
+#include "third_party/blink/renderer/core/testing/fake_web_plugin.h"
 #include "third_party/blink/renderer/core/timing/dom_window_performance.h"
 #include "third_party/blink/renderer/core/timing/window_performance.h"
 #include "third_party/blink/renderer/platform/geometry/int_rect.h"

third_party/blink/renderer/core/page/scrolling/root_scroller_controller.cc

@@ -70,17 +70,16 @@ PaintLayerScrollableArea* GetScrollableArea(const Element& element) {
   if (element.IsFrameOwnerElement()) {
     const HTMLFrameOwnerElement* frame_owner =
         ToHTMLFrameOwnerElement(&element);
-    if (!frame_owner->ContentFrame())
+    EmbeddedContentView* content_view = frame_owner->OwnedEmbeddedContentView();
+    if (!content_view)
       return nullptr;
 
-    if (!frame_owner->ContentFrame()->IsLocalFrame())
+    if (!content_view->IsLocalFrameView())
       return nullptr;
 
-    LocalFrameView* frame_view =
-        ToLocalFrameView(frame_owner->OwnedEmbeddedContentView());
+    LocalFrameView* frame_view = ToLocalFrameView(content_view);
 
-    if (!frame_view)
-      return nullptr;
+    DCHECK(frame_view);
 
     return frame_view->LayoutViewport();
   }

third_party/blink/renderer/core/page/scrolling/root_scroller_test.cc

@@ -1775,6 +1775,25 @@ TEST_F(ImplicitRootScrollerSimTest, CandidateLosesLayoutBoxDontCrash) {
   Compositor().BeginFrame();
 }
 
+// Ensure that a plugin view being considered for implicit promotion doesn't
+// cause a crash. https://crbug.com/903440.
+TEST_F(ImplicitRootScrollerSimTest, ConsiderEmbedCrash) {
+  WebView().Resize(WebSize(800, 600));
+  SimRequest request("https://example.com/test.html", "text/html");
+  LoadURL("https://example.com/test.html");
+  request.Complete(R"HTML(
+          <!DOCTYPE html>
+          <embed id="embed" height="1" src="data:video/mp4,">
+          <script>
+           embed.type = "JavaScript 1.5";
+           embed.src = "x";
+          </script>
+      )HTML");
+  Compositor().BeginFrame();
+  Element* embed = GetDocument().getElementById("embed");
+  GetDocument().GetRootScrollerController().ConsiderForImplicit(*embed);
+}
+
 // Test that a valid implicit root scroller wont be promoted/will be demoted if
 // the main document has overflow.
 TEST_F(ImplicitRootScrollerSimTest,

third_party/blink/renderer/core/exported/fake_web_plugin.cc → third_party/blink/renderer/core/testing/fake_web_plugin.cc

@@ -28,7 +28,7 @@
  * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
  */
 
-#include "third_party/blink/renderer/core/exported/fake_web_plugin.h"
+#include "third_party/blink/renderer/core/testing/fake_web_plugin.h"
 
 namespace blink {
 

third_party/blink/renderer/core/exported/fake_web_plugin.h → third_party/blink/renderer/core/testing/fake_web_plugin.h

@@ -28,8 +28,8 @@
  * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
  */
 
-#ifndef THIRD_PARTY_BLINK_RENDERER_CORE_EXPORTED_FAKE_WEB_PLUGIN_H_
-#define THIRD_PARTY_BLINK_RENDERER_CORE_EXPORTED_FAKE_WEB_PLUGIN_H_
+#ifndef THIRD_PARTY_BLINK_RENDERER_CORE_TESTING_FAKE_WEB_PLUGIN_H_
+#define THIRD_PARTY_BLINK_RENDERER_CORE_TESTING_FAKE_WEB_PLUGIN_H_
 
 #include "third_party/blink/public/web/web_plugin.h"
 
@@ -89,4 +89,4 @@ class FakeWebPlugin : public WebPlugin {
 
 }  // namespace blink
 
-#endif  // THIRD_PARTY_BLINK_RENDERER_CORE_EXPORTED_FAKE_WEB_PLUGIN_H_
+#endif  // THIRD_PARTY_BLINK_RENDERER_CORE_TESTING_FAKE_WEB_PLUGIN_H_

third_party/blink/renderer/core/testing/sim/sim_web_frame_client.h

@@ -7,6 +7,7 @@
 
 #include "third_party/blink/public/platform/web_effective_connection_type.h"
 #include "third_party/blink/renderer/core/frame/frame_test_helpers.h"
+#include "third_party/blink/renderer/core/testing/fake_web_plugin.h"
 
 namespace blink {
 
@@ -26,6 +27,10 @@ class SimWebFrameClient final : public frame_test_helpers::TestWebFrameClient {
   void SetEffectiveConnectionTypeForTesting(
       WebEffectiveConnectionType) override;
 
+  WebPlugin* CreatePlugin(const WebPluginParams& params) override {
+    return new FakeWebPlugin(params);
+  }
+
  private:
   SimTest* test_;
   WebEffectiveConnectionType effective_connection_type_;