Commit 222d9a4c authored by hiroshige, committed by Commit bot

Revert of Revert of Fix use-after-free in WebSocketHost::AddChannel()...

Revert of Revert of Fix use-after-free in WebSocketHost::AddChannel() (patchset #1 id:1 of https://codereview.chromium.org/1006293002/)

Reason for revert:
The breakage still persists https://crbug.com/467471 after the original CL was reverted.

Original issue's description:
> Revert of Fix use-after-free in WebSocketHost::AddChannel() (patchset #3 id:40001 of https://codereview.chromium.org/998173003/)
>
> Reason for revert:
> Speculatively revert for https://crbug.com/467471
>
> Original issue's description:
> > Fix heap-use-after-free in WebSocketHost::AddChannel()
> >
> > WebSocketHost can be deleted in channel_->SendAddChannelRequest() and this
> > caused heap-use-after-free when |pending_flow_control_quota_| is accessed in
> > WebSocketHost::AddChannel().
> > This CL fixes it by posting OnFlowControl() with WeakPtr instead of calling
> > SendFlowControl() directly in WebSocketHost::AddChannel().
> >
> > BUG=466335
> >
> > Committed: https://crrev.com/d3a1d188162e45f75c87a218a70681c5d92139a8
> > Cr-Commit-Position: refs/heads/master@{#320260}
>
> TBR=ricea@chromium.org
> NOPRESUBMIT=true
> NOTREECHECKS=true
> NOTRY=true
> BUG=466335
>
> Committed: https://crrev.com/4f078b9b59cbf2c1ea7098835c6488fa32d46474
> Cr-Commit-Position: refs/heads/master@{#320703}

TBR=ricea@chromium.org
NOPRESUBMIT=true
NOTREECHECKS=true
NOTRY=true
BUG=466335

Review URL: https://codereview.chromium.org/1014543002

Cr-Commit-Position: refs/heads/master@{#320716}
parent 926c6015
......@@ -367,6 +367,7 @@ void WebSocketHost::OnAddChannelRequest(
} else {
AddChannel(socket_url, requested_protocols, origin, render_frame_id);
}
// |this| may have been deleted here.
}
void WebSocketHost::AddChannel(
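Review bot: The new comment at the end of OnAddChannelRequest() says |this| may have been deleted but does not say by which call. Naming the path (AddChannel(), through channel_->SendAddChannelRequest()) would tell a later editor why no member may be touched after the if/else. The comment alone does not enforce that, so it is worth stating that the function must return immediately from this point.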
......@@ -386,12 +387,23 @@ void WebSocketHost::AddChannel(
new WebSocketEventHandler(dispatcher_, routing_id_, render_frame_id));
channel_.reset(
new net::WebSocketChannel(event_interface.Pass(), url_request_context_));
channel_->SendAddChannelRequest(socket_url, requested_protocols, origin);
if (pending_flow_control_quota_ > 0) {
channel_->SendFlowControl(pending_flow_control_quota_);
// channel_->SendFlowControl(pending_flow_control_quota_) must be called
// after channel_->SendAddChannelRequest() below.
// We post OnFlowControl() here using |weak_ptr_factory_| instead of
// calling SendFlowControl directly, because |this| may have been deleted
// after channel_->SendAddChannelRequest().
base::MessageLoop::current()->PostTask(
FROM_HERE,
base::Bind(&WebSocketHost::OnFlowControl,
weak_ptr_factory_.GetWeakPtr(),
pending_flow_control_quota_));
pending_flow_control_quota_ = 0;
}
channel_->SendAddChannelRequest(socket_url, requested_protocols, origin);
// |this| may have been deleted here.
}
void WebSocketHost::OnSendFrame(bool fin,
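Review bot: In AddChannel(), the quota is bound by value into the posted OnFlowControl() task and pending_flow_control_quota_ is zeroed before channel_->SendAddChannelRequest() runs, so the fix depends on OnFlowControl() (not shown in this hunk) forwarding to channel_->SendFlowControl() once the task executes. The comment should state that dependency, and also that the ordering relies on the posted task running only after the current task returns. No test is visible in this change for the case where the host is deleted inside SendAddChannelRequest(); a regression test for that path would guard the reordering, which matters given that this CL has already been reverted and relanded.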
......