Fix flakiness in NavigateToInaccessibleResourceFromChromeURL.

There was a race in this test where chrome.send() from
chrome://history might have occasionally been processed on a pending
delete RenderFrameHost, right after a cross-process navigation.  This
revealed a real bug in WebUIImpl::OnWebUISend(), which incorrectly
killed the renderer before checking whether the RFH is active.  Fix
this by checking whether the RFH is active and dropping the IPC if not
prior to checking WebUI bindings.

Change-Id: I672e8457b7a4a167ad31e5afa4b2059b2c92b97a
Bug: 836211
Tbr: rdevlin.cronin@chromium.org
Reviewed-on: https://chromium-review.googlesource.com/1026803
Commit-Queue: Alex Moshchuk <alexmos@chromium.org>
Reviewed-by: Charlie Reis <creis@chromium.org>
Cr-Commit-Position: refs/heads/master@{#553399}

chrome/browser/extensions/window_open_apitest.cc

@@ -350,19 +350,11 @@ IN_PROC_BROWSER_TEST_F(ExtensionBrowserTest,
                          6 /* SCHEME_DATA */, 2);
 }
 
-// Disabled on Win, Mac and ChromeOS due to https://crbug.com/836211
-#if defined(OS_WIN) || defined(OS_CHROMEOS) || defined(OS_MACOSX)
-#define MAYBE_NavigateToInaccessibleResourceFromChromeURL \
-  DISABLED_NavigateToInaccessibleResourceFromChromeURL
-#else
-#define MAYBE_NavigateToInaccessibleResourceFromChromeURL \
-  NavigateToInaccessibleResourceFromChromeURL
-#endif
 // Test that navigating to an extension URL is allowed on chrome:// and
 // chrome-search:// pages, even for URLs that are not web-accessible.
 // See https://crbug.com/662602.
 IN_PROC_BROWSER_TEST_F(ExtensionBrowserTest,
-                       MAYBE_NavigateToInaccessibleResourceFromChromeURL) {
+                       NavigateToInaccessibleResourceFromChromeURL) {
   // Mint an extension URL which is not web-accessible.
   const extensions::Extension* extension = LoadExtension(
       test_data_dir_.AppendASCII("uitest").AppendASCII("window_open"));

content/browser/webui/web_ui_impl.cc

@@ -109,6 +109,11 @@ bool WebUIImpl::OnMessageReceived(const IPC::Message& message,
 void WebUIImpl::OnWebUISend(RenderFrameHost* sender,
                             const std::string& message,
                             const base::ListValue& args) {
+  // Ignore IPCs from frames that are pending deletion.  See also
+  // https://crbug.com/780920.
+  if (!sender->IsCurrent())
+    return;
+
   const GURL& source_url = sender->GetLastCommittedURL();
   if (!ChildProcessSecurityPolicyImpl::GetInstance()->HasWebUIBindings(
           sender->GetProcess()->GetID()) ||
@@ -120,10 +125,6 @@ void WebUIImpl::OnWebUISend(RenderFrameHost* sender,
     return;
   }
 
-  // Ignore IPCs from swapped-out frames.  See also https://crbug.com/780920.
-  if (!sender->IsCurrent())
-    return;
-
   if (base::EndsWith(message, "RequiringGesture",
                      base::CompareCase::SENSITIVE) &&
       !web_contents_->HasRecentInteractiveInputEvent()) {