synchronize access to pictureReady, copyContentPicture

Two methods in WebViewCore are called from WebView. The C
underpinnings were synchronized with a mutex, but the Java
shell was not, so under rare cirumstances, the Java side might
delete the native class. Add Java synchronization to
protect against this.

Fixes http://b/issue?id=2121684
diff --git a/core/java/android/webkit/WebViewCore.java b/core/java/android/webkit/WebViewCore.java
index 799312d..5f2d65e 100644
--- a/core/java/android/webkit/WebViewCore.java
+++ b/core/java/android/webkit/WebViewCore.java
@@ -837,9 +837,11 @@
                         case DESTROY:
                             // Time to take down the world. Cancel all pending
                             // loads and destroy the native view and frame.
-                            mBrowserFrame.destroy();
-                            mBrowserFrame = null;
-                            mNativeClass = 0;
+                            synchronized (WebViewCore.this) {
+                                mBrowserFrame.destroy();
+                                mBrowserFrame = null;
+                                mNativeClass = 0;
+                            }
                             break;
 
                         case UPDATE_FRAME_CACHE_IF_LOADING:
@@ -1623,11 +1625,11 @@
         }
     }
 
-    /* package */ boolean pictureReady() {
+    /* package */ synchronized boolean pictureReady() {
         return nativePictureReady();
     }
 
-    /*package*/ Picture copyContentPicture() {
+    /*package*/ synchronized Picture copyContentPicture() {
         Picture result = new Picture();
         nativeCopyContentToPicture(result);
         return result;