Delete NavigationRequest(s) in RenderFrameHostImpl::RenderProcessGone.

Bug: 869193
Change-Id: I911ec71a13c432a0111bdd8ec9da0f5ab679d082
Reviewed-on: https://chromium-review.googlesource.com/1155828
Commit-Queue: Łukasz Anforowicz <lukasza@chromium.org>
Reviewed-by: Nasko Oskov <nasko@chromium.org>
Cr-Commit-Position: refs/heads/master@{#579596}

content/browser/frame_host/render_frame_host_impl.cc

@@ -1233,6 +1233,7 @@ void RenderFrameHostImpl::RenderProcessGone(SiteInstanceImpl* site_instance) {
   // The renderer process is gone, so this frame can no longer be loading.
   if (GetNavigationHandle())
     GetNavigationHandle()->set_net_error_code(net::ERR_ABORTED);
+  ResetNavigationRequests();
   ResetLoadingState();
 
   // Any future UpdateState or UpdateTitle messages from this or a recreated

content/browser/security_exploit_browsertest.cc

@@ -623,13 +623,18 @@ IN_PROC_BROWSER_TEST_F(SecurityExploitBrowserTest,
 
   EXPECT_TRUE(NavigateToURL(shell(), start_url));
 
-  RenderProcessHostKillWaiter kill_waiter(
-      shell()->web_contents()->GetMainFrame()->GetProcess());
+  RenderFrameHostImpl* frame = static_cast<RenderFrameHostImpl*>(
+      shell()->web_contents()->GetMainFrame());
+  RenderProcessHostKillWaiter kill_waiter(frame->GetProcess());
 
   ScopedInterfaceProviderRequestReplacer replacer(shell()->web_contents(),
                                                   nullptr);
   NavigateToURLAndExpectNoCommit(shell(), non_same_document_url);
   EXPECT_EQ(bad_message::RFH_INTERFACE_PROVIDER_MISSING, kill_waiter.Wait());
+
+  // Verify that the death of the renderer process doesn't leave behing and leak
+  // NavigationRequests - see https://crbug.com/869193.
+  EXPECT_EQ(0u, frame->GetNavigationEntryIdsPendingCommit().size());
 }
 
 // Test that a compromised renderer cannot ask to upload an arbitrary file in