Fix CacheStorage null ptr access

When this code was changed to not use the RevocableInterfacePtr it was
assumed that the calls into the mojo bindings only occurred while the
object's associated context was still alive. It is possible to have
a reference to a cache storage object from a frame that has been
destroyed and make calls to it. In this case the RevocableInterfacePtr
previously dropped them because the calls would fail. Now we will
return a promise that is rejected.

BUG=1012781,1012358

Change-Id: I9504af8245be13137db82e39e3dc5a702c89e7d1
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/1854184
Commit-Queue: Dave Tapuska <dtapuska@chromium.org>
Reviewed-by: Ben Kelly <wanderview@chromium.org>
Cr-Commit-Position: refs/heads/master@{#705122}

third_party/blink/renderer/modules/cache_storage/cache_storage.cc

@@ -100,6 +100,14 @@ ScriptPromise CacheStorage::open(ScriptState* script_state,
     return promise;
   }
 
+  // The context may be destroyed and the mojo connection unbound. However the
+  // object may live on, reject any requests after the context is destroyed.
+  if (!cache_storage_remote_) {
+    resolver->Reject(MakeGarbageCollected<DOMException>(
+        DOMExceptionCode::kInvalidStateError));
+    return promise;
+  }
+
   ever_used_ = true;
 
   // Make sure to bind the CacheStorage object to keep the mojo interface
@@ -166,6 +174,14 @@ ScriptPromise CacheStorage::has(ScriptState* script_state,
     return promise;
   }
 
+  // The context may be destroyed and the mojo connection unbound. However the
+  // object may live on, reject any requests after the context is destroyed.
+  if (!cache_storage_remote_) {
+    resolver->Reject(MakeGarbageCollected<DOMException>(
+        DOMExceptionCode::kInvalidStateError));
+    return promise;
+  }
+
   ever_used_ = true;
 
   // Make sure to bind the CacheStorage object to keep the mojo interface
@@ -218,6 +234,14 @@ ScriptPromise CacheStorage::Delete(ScriptState* script_state,
     return promise;
   }
 
+  // The context may be destroyed and the mojo connection unbound. However the
+  // object may live on, reject any requests after the context is destroyed.
+  if (!cache_storage_remote_) {
+    resolver->Reject(MakeGarbageCollected<DOMException>(
+        DOMExceptionCode::kInvalidStateError));
+    return promise;
+  }
+
   ever_used_ = true;
 
   // Make sure to bind the CacheStorage object to keep the mojo interface
@@ -270,6 +294,14 @@ ScriptPromise CacheStorage::keys(ScriptState* script_state) {
     return promise;
   }
 
+  // The context may be destroyed and the mojo connection unbound. However the
+  // object may live on, reject any requests after the context is destroyed.
+  if (!cache_storage_remote_) {
+    resolver->Reject(MakeGarbageCollected<DOMException>(
+        DOMExceptionCode::kInvalidStateError));
+    return promise;
+  }
+
   ever_used_ = true;
 
   // Make sure to bind the CacheStorage object to keep the mojo interface
@@ -333,6 +365,14 @@ ScriptPromise CacheStorage::MatchImpl(ScriptState* script_state,
     return promise;
   }
 
+  // The context may be destroyed and the mojo connection unbound. However the
+  // object may live on, reject any requests after the context is destroyed.
+  if (!cache_storage_remote_) {
+    resolver->Reject(MakeGarbageCollected<DOMException>(
+        DOMExceptionCode::kInvalidStateError));
+    return promise;
+  }
+
   if (request->method() != http_names::kGET && !options->ignoreMethod()) {
     resolver->Resolve();
     return promise;