Fix Android WebView crash when an app loads a JavaScript URL during navigation.

When there's an ongoing navigation, if the app loada a JavaScript URL we create
a temporary NavigationRequest in NavigatorImpl::RequestNavigation. However the
call to RenderFrameHostManager::GetFrameHostForNavigation was resetting the
speculative RFH of the original NavigationRequest since the site instance of a
JavaScript load is always the same as the existing frame.

Bug: 793432
Change-Id: I5a25eea9a8733cd5cebe71f700b30ebb4c0b1710
Reviewed-on: https://chromium-review.googlesource.com/820453
Commit-Queue: John Abd-El-Malek <jam@chromium.org>
Reviewed-by: Nasko Oskov <nasko@chromium.org>
Cr-Commit-Position: refs/heads/master@{#523264}

content/browser/frame_host/navigator_impl.cc

@@ -1154,9 +1154,10 @@ void NavigatorImpl::RequestNavigation(
   // a Javascript URL should not interrupt a previous navigation.
   // Note: The scoped_request will be destroyed at the end of this function.
   if (dest_url.SchemeIs(url::kJavaScriptScheme)) {
+    // Don't call frame_tree_node->render_manager()->GetFrameHostForNavigation
+    // as that might clear the speculative RFH of an ongoing navigation.
     RenderFrameHostImpl* render_frame_host =
-        frame_tree_node->render_manager()->GetFrameHostForNavigation(
-            *scoped_request.get());
+        frame_tree_node->current_frame_host();
     render_frame_host->CommitNavigation(
         nullptr,  // response
         mojom::URLLoaderClientEndpointsPtr(),

content/browser/web_contents/web_contents_view_android.cc

@@ -211,7 +211,7 @@ void WebContentsViewAndroid::Focus() {
   RenderWidgetHostViewAndroid* rwhv = GetRenderWidgetHostViewAndroid();
   if (web_contents_->ShowingInterstitialPage()) {
     web_contents_->GetInterstitialPage()->Focus();
-  } else {
+  } else if (rwhv) {
     rwhv->Focus();
   }
 }