android: Fix OOB crash in ChildProcessRanking

ChildProcessLauncherHelperImpl assumes onConnectionEstablished and
onConnectionLost are paired when in reality they might not be. Former is
called after setupConnection is completed (when child sends its pid),
and the latter is called from onServiceDisconnected (and posted once).
It is possible that the child dies after onServiceConnected, but before
setupConnection is complete.

It should not be possible for onConnectionEstablished to come after
onServiceDisconnected however.

Add a check in onConnectionLost for this case and skip the rest of clean
up if needed.

Bug: 1013667
Change-Id: I56d83863be440810238d743083250c72c48160c1
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/1860036Reviewed-by: ssid <ssid@chromium.org>
Commit-Queue: Bo <boliu@chromium.org>
Cr-Commit-Position: refs/heads/master@{#705881}

content/public/android/java/src/org/chromium/content/browser/ChildProcessLauncherHelperImpl.java

@@ -162,7 +162,12 @@ public final class ChildProcessLauncherHelperImpl {
                 public void onConnectionLost(ChildProcessConnection connection) {
                     assert LauncherThread.runningOnLauncherThread();
                     if (connection.getPid() == 0) return;
-                    sLauncherByPid.remove(connection.getPid());
+
+                    ChildProcessLauncherHelperImpl result =
+                            sLauncherByPid.remove(connection.getPid());
+                    // Child process might die before onConnectionEstablished.
+                    if (result == null) return;
+
                     if (mBindingManager != null) mBindingManager.removeConnection(connection);
                     if (mRanking != null) {
                         setReverseRankWhenConnectionLost(mRanking.getReverseRank(connection));