Destroy RenderWidgets asynchronously from IPC.

Asynchronous IPCs can be invoked re-entrantly from DevTools debugger. This means
that it is not safe to synchronously destroy RenderWidget from IPC.

Bug: 998419
Change-Id: I7bce6c00c82c93606fe978d5db1711035197fb37
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/1776737
Commit-Queue: Erik Chen <erikchen@chromium.org>
Commit-Queue: Daniel Cheng <dcheng@chromium.org>
Reviewed-by: Daniel Cheng <dcheng@chromium.org>
Auto-Submit: Erik Chen <erikchen@chromium.org>
Cr-Commit-Position: refs/heads/master@{#691871}

content/renderer/render_widget.cc

@@ -697,11 +697,14 @@ bool RenderWidget::ShouldHandleImeEvents() const {
 void RenderWidget::OnClose() {
   DCHECK(popup_ || pepper_fullscreen_);
 
-  // It is always safe to synchronously destroy this object from an IPC message.
-  // That's because the IPC message is asynchronous, which means it can never be
-  // called from a nested context.
   PrepareForClose();
-  Close(base::WrapUnique(this));
+
+  // IPCs can be invoked from nested message loops. We must dispatch this
+  // task non-nested to avoid re-entrancy issues.
+  GetCleanupTaskRunner()->PostNonNestableTask(
+      FROM_HERE,
+      base::BindOnce(&RenderWidget::Close, close_weak_ptr_factory_.GetWeakPtr(),
+                     base::WrapUnique(this)));
 }
 
 void RenderWidget::PrepareForClose() {

content/renderer/render_widget_unittest.cc

@@ -472,9 +472,8 @@ class PopupRenderWidget : public RenderWidget {
   void Shutdown(std::unique_ptr<RenderWidget> widget) {
     shutdown_ = true;
 
-    // OnClose takes ownership and destroys the widget.
-    widget->OnClose();
-    widget.release();
+    widget->PrepareForClose();
+    widget->Close(std::move(widget));
   }
 
  protected: