Protect WebURLLoaderImpl::Context while receiving responses.

A client's didReceiveResponse can cancel a request; by protecting the
Context we avoid a use after free in this case.

Interestingly, we really had very good warning about this problem, see 
https://codereview.chromium.org/11900002/ back in January.

R=darin
BUG=241139

Review URL: https://chromiumcodereview.appspot.com/15738007

git-svn-id: svn://svn.chromium.org/chrome/trunk/src@202821 0039d316-1c4b-4281-b951-d872f2087c98

content/browser/webkit_browsertest.cc

@@ -76,4 +76,19 @@ IN_PROC_BROWSER_TEST_F(WebKitBrowserTest, PrerenderNoCrash) {
   EXPECT_FALSE(shell()->web_contents()->IsCrashed());
 }
 
+// This is a browser test because DumpRenderTree doesn't run nested message
+// loops. The failure case was that a nested message triggered from an element
+// that has signalled an error but had an open request would receive a body for
+// the request and crash/fail an assertion.
+const char kErrorBodyNoCrash[] =
+    "files/error-body-no-crash.html";
+IN_PROC_BROWSER_TEST_F(WebKitBrowserTest, ErrorBodyNoCrash) {
+  ASSERT_TRUE(test_server()->Start());
+  GURL url = test_server()->GetURL(kErrorBodyNoCrash);
+
+  NavigateToURL(shell(), url);
+
+  EXPECT_FALSE(shell()->web_contents()->IsCrashed());
+}
+
 }  // namespace content

content/test/data/error-body-no-crash.html

+<!-- The showModalDialog call will force a nested message loop, which will
+     receive the 404 body and crash. -->
+<script src="page404.html"></script>
+<script>
+window.showModalDialog("javascript:window.close();");
+</script>

webkit/glue/weburlloader_impl.cc

@@ -637,6 +637,7 @@ void WebURLLoaderImpl::Context::OnReceivedResponse(
     }
   }
 
+  scoped_refptr<Context> protect(this);
   client_->didReceiveResponse(loader_, response);
 
   // We may have been cancelled after didReceiveResponse, which would leave us