WebSocket: stop removing an iframe in onerror from crashing

There was an issue that if the iframe owning a WebSocket was
synchronously removed in the onerror handler then it would crash the
render process. This was caused by unconditionally calling Close()
without checking the current state.

Fix it.

Also add a web platform test.

Bug: 974667
Change-Id: Iaeb8f96cf600a2c052f06b5b59f4444b02615e83
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/1663681Reviewed-by: Yutaka Hirano <yhirano@chromium.org>
Commit-Queue: Adam Rice <ricea@chromium.org>
Cr-Commit-Position: refs/heads/master@{#670061}

third_party/blink/renderer/modules/websockets/dom_websocket.cc

@@ -679,7 +679,9 @@ void DOMWebSocket::ContextDestroyed(ExecutionContext*) {
   NETWORK_DVLOG(1) << "WebSocket " << this << " contextDestroyed()";
   event_queue_->ContextDestroyed();
   if (channel_) {
-    channel_->Close(WebSocketChannel::kCloseEventCodeGoingAway, String());
+    if (state_ == kOpen) {
+      channel_->Close(WebSocketChannel::kCloseEventCodeGoingAway, String());
+    }
     ReleaseChannel();
   }
   if (state_ != kClosed)

third_party/blink/web_tests/external/wpt/websockets/remove-own-iframe-during-onerror.window.js

+// META: script=websocket.sub.js
+
+async_test(t => {
+  window.wsurl = 'wss://' + __SERVER__NAME + ':' + __SECURE__PORT +
+      '/does-not-exist';
+  let wsframe;
+  window.wsonerror = () => {
+    wsframe.remove();
+    // If this didn't crash then the test passed.
+    t.done();
+  };
+  wsframe = document.createElement('iframe');
+  wsframe.srcdoc = `<script>
+const ws = new WebSocket(parent.wsurl);
+ws.onerror = parent.wsonerror;
+</script>`;
+  onload = () => document.body.appendChild(wsframe);
+}, 'removing an iframe from within an onerror handler should work');
+
+done();