author | laforge@chromium.org <laforge@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98> | 2014-02-14 21:53:42 +0000 |
---|---|---|
committer | laforge@chromium.org <laforge@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98> | 2014-02-14 21:53:42 +0000 |
commit | 8d8724d21daa226f77f0435811f776e932c7de46 (patch) | |
tree | f6bf9cad01cef3e9f0fda8b48073dca18d5aa169 | |
parent | 898e2393fa602fca2ebf725fffd1f218cd749b2d (diff) | |
Merge 251420 "Clear the pending_and_current_web_ui_ if we reuse it."
> Clear the pending_and_current_web_ui_ if we reuse it.
>
> R=nasko@chromium.org
> TBR=estade@chromium.org
> BUG=330811
> TEST=See bug comment 9 for repro steps.
>
> Review URL: https://codereview.chromium.org/166033006
TBR=creis@chromium.org
Review URL: https://codereview.chromium.org/167743002
git-svn-id: svn://svn.chromium.org/chrome/branches/1750/src@251428 0039d316-1c4b-4281-b951-d872f2087c98
-rw-r--r-- | content/browser/frame_host/render_frame_host_manager.cc | 8 | ||||
-rw-r--r-- | content/browser/frame_host/render_frame_host_manager_browsertest.cc | 25 |
2 files changed, 31 insertions, 2 deletions
diff --git a/content/browser/frame_host/render_frame_host_manager.cc b/content/browser/frame_host/render_frame_host_manager.cc
index f49d50b..aeb87e7 100644
--- a/content/browser/frame_host/render_frame_host_manager.cc
+++ b/content/browser/frame_host/render_frame_host_manager.cc
@@ -826,10 +826,14 @@ void RenderFrameHostManager::CommitPending() {
 // |pending_web_ui_|, or clear |web_ui_| if there is no pending WebUI, or
 // leave |web_ui_| as is if reusing it.
 DCHECK(!(pending_web_ui_.get() && pending_and_current_web_ui_.get()));
- if (pending_web_ui_)
+ if (pending_web_ui_) {
 web_ui_.reset(pending_web_ui_.release());
- else if (!pending_and_current_web_ui_.get())
+ } else if (!pending_and_current_web_ui_.get()) {
 web_ui_.reset();
+ } else {
+ DCHECK_EQ(pending_and_current_web_ui_.get(), web_ui_.get());
+ pending_and_current_web_ui_.reset();
+ }

 // It's possible for the pending_render_view_host_ to be NULL when we aren't
 // crossing process boundaries. If so, we just needed to handle the Web UI
diff --git a/content/browser/frame_host/render_frame_host_manager_browsertest.cc b/content/browser/frame_host/render_frame_host_manager_browsertest.cc
index 0116c4d..67cdcc0 100644
--- a/content/browser/frame_host/render_frame_host_manager_browsertest.cc
+++ b/content/browser/frame_host/render_frame_host_manager_browsertest.cc
@@ -13,6 +13,7 @@
 #include "content/browser/renderer_host/render_view_host_impl.h"
 #include "content/browser/site_instance_impl.h"
 #include "content/browser/web_contents/web_contents_impl.h"
+#include "content/browser/webui/web_ui_impl.h"
 #include "content/common/content_constants_internal.h"
 #include "content/public/browser/navigation_controller.h"
 #include "content/public/browser/navigation_entry.h"
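Review bot: The new `else` branch in CommitPending() clears `pending_and_current_web_ui_` without saying why, and the comment just above still reads "leave |web_ui_| as is if reusing it"; the rationale lives only in the browser test. I would add inside the branch `// Reusing the current WebUI: drop the pending marker so a later InitRenderView cannot grant WebUI bindings to another RenderViewHost (crbug.com/330811).` Separately, `DCHECK_EQ` is normally compiled out of release builds, so the assumption that the marker and `web_ui_` refer to the same object goes unchecked there. The reset still runs, which looks like the safe direction, but it is worth confirming that nothing else relies on that equality. CommitPending() begins and ends outside this hunk.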
@@ -1427,4 +1428,28 @@ IN_PROC_BROWSER_TEST_F(RenderFrameHostManagerTest,
 crash_observer2.Wait();
 }

+// Ensure that pending_and_current_web_ui_ is cleared when a URL commits.
+// Otherwise it might get picked up by InitRenderView when granting bindings
+// to other RenderViewHosts. See http://crbug.com/330811.
+IN_PROC_BROWSER_TEST_F(RenderFrameHostManagerTest, ClearPendingWebUIOnCommit) {
+ // Visit a WebUI page with bindings.
+ GURL webui_url(GURL(std::string(kChromeUIScheme) + "://" +
+ std::string(kChromeUIGpuHost)));
+ NavigateToURL(shell(), webui_url);
+ EXPECT_TRUE(ChildProcessSecurityPolicyImpl::GetInstance()->HasWebUIBindings(
+ shell()->web_contents()->GetRenderProcessHost()->GetID()));
+ WebContentsImpl* web_contents = static_cast<WebContentsImpl*>(
+ shell()->web_contents());
+ WebUIImpl* webui = web_contents->GetRenderManagerForTesting()->web_ui();
+ EXPECT_TRUE(webui);
+ EXPECT_FALSE(web_contents->GetRenderManagerForTesting()->pending_web_ui());
+
+ // Navigate to another WebUI URL that reuses the WebUI object. Make sure we
+ // clear pending_web_ui() when it commits.
+ GURL webui_url2(webui_url.spec() + "#foo");
+ NavigateToURL(shell(), webui_url2);
+ EXPECT_EQ(webui, web_contents->GetRenderManagerForTesting()->web_ui());
+ EXPECT_FALSE(web_contents->GetRenderManagerForTesting()->pending_web_ui());
+}
+
 } // namespace content |
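Review bot: ClearPendingWebUIOnCommit asserts only the manager's bookkeeping (`web_ui()` unchanged, `pending_web_ui()` null), not the privilege outcome its own header comment names, namely bindings being granted to other RenderViewHosts. A regression that clears the field at a different point, or sets it again later, could leave these expectations green. Consider ending the test with a navigation to an ordinary non-WebUI URL followed by `EXPECT_FALSE(ChildProcessSecurityPolicyImpl::GetInstance()->HasWebUIBindings(shell()->web_contents()->GetRenderProcessHost()->GetID()));`, assuming that navigation lands in a fresh renderer process in this test shell. What `pending_web_ui()` returns is not visible on this page, so the existing checks presumably rely on it reflecting `pending_and_current_web_ui_`.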