Initialize |PolicyContainerHost| following a crashed frame

This ensures that the |RenderFrameHost|'s Policy Container is properly
initialized when a speculative |RenderFrameHost| is committed early
following a crash of the RenderProcess.
This allows the following navigation to have a properly initialized
|PolicyContainerHost|.

Change-Id: Ie8274bdcbdebcf5a0b9b7023ef5c137ab9688ecc
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2536466Reviewed-by: Antonio Sartori <antoniosartori@chromium.org>
Reviewed-by: Arthur Sonzogni <arthursonzogni@chromium.org>
Commit-Queue: Pâris Meuleman <pmeuleman@chromium.org>
Cr-Commit-Position: refs/heads/master@{#843001}

content/browser/renderer_host/render_frame_host_impl.cc

@@ -10398,6 +10398,13 @@ bool RenderFrameHostImpl::DocumentUsedWebOTP() {
   return document_used_web_otp_;
 }
 
+void RenderFrameHostImpl::SetPolicyContainerForEarlyCommitAfterCrash(
+    std::unique_ptr<PolicyContainerHost> policy_container_host) {
+  DCHECK_EQ(lifecycle_state_, LifecycleState::kSpeculative);
+  DCHECK(!policy_container_host_);
+  policy_container_host_ = std::move(policy_container_host);
+}
+
 std::ostream& operator<<(std::ostream& o,
                          const RenderFrameHostImpl::LifecycleState& s) {
   return o << LifecycleStateToString(s);

content/browser/renderer_host/render_frame_host_impl.h

@@ -1547,6 +1547,14 @@ class CONTENT_EXPORT RenderFrameHostImpl
     return policy_container_host_.get();
   }
 
+  // This is used by RenderFrameHostManager to ensure the replacement
+  // RenderFrameHost is properly initialized when performing an early commit
+  // as a recovery for a crashed frame.
+  // TODO(https://crbug.com/1072817): Remove this logic when removing the
+  // early commit.
+  void SetPolicyContainerForEarlyCommitAfterCrash(
+      std::unique_ptr<PolicyContainerHost> policy_container_host);
+
   // This function mimics DidCommitProvisionalLoad for navigations served from
   // the back-forward cache.
   void DidCommitBackForwardCacheNavigation(

content/browser/renderer_host/render_frame_host_manager.cc

@@ -905,6 +905,20 @@ RenderFrameHostImpl* RenderFrameHostManager::GetFrameHostForNavigation(
       if (GetRenderFrameProxyHost(dest_site_instance.get()))
         navigation_rfh->SwapIn();
       navigation_rfh->OnCommittedSpeculativeBeforeNavigationCommit();
+
+      // An Active RenderFrameHost MUST always have a PolicyContainerHost. A new
+      // document is either:
+      // - The initial empty document, via frame creation.
+      // - A new document replacing the previous one, via a navigation.
+      // Here this is an additional case: A new document (in a weird state) is
+      // replacing the one crashed. In this case, it is not entirely clear what
+      // PolicyContainerHost should be used. In the absence of anything better,
+      // we simply keep the PolicyContainerHost that was previously active.
+      // TODO(https://crbug.com/1072817): Remove this logic when removing the
+      // early commit.
+      navigation_rfh->SetPolicyContainerForEarlyCommitAfterCrash(
+          current_frame_host()->policy_container_host()->Clone());
+
       CommitPending(std::move(speculative_render_frame_host_), nullptr,
                     request->coop_status().require_browsing_instance_swap());
     }