Clear input event router entries for destroyed RWHVGuests

This is a speculative fix for crashes observed under the
--isolate-extensions trial. A RenderWidgetHostViewGuest currently only
clears its RenderWidgetHostInputEventRouter entry when the BrowserPlugin
is detached. However, there are other paths for destruction that cause
detachment, which might enable it to receive input events after
DestroyGuestView() has been called, potentially leading to the
observed null pointer crashes. This should be avoided by calling
UnregisterSurfaceNamespaceId() before clearing the host_ pointer.

BUG=571092
CQ_INCLUDE_TRYBOTS=tryserver.chromium.linux:linux_site_isolation

Review URL: https://codereview.chromium.org/1642743002

Cr-Commit-Position: refs/heads/master@{#371924}

1 files changed, 1 insertions, 0 deletions

diff --git a/content/browser/frame_host/render_widget_host_view_guest.cc b/content/browser/frame_host/render_widget_host_view_guest.cc
index 99a235dc..b3b8d68 100644
--- a/content/browser/frame_host/render_widget_host_view_guest.cc
+++ b/content/browser/frame_host/render_widget_host_view_guest.cc
@@ -560,6 +560,7 @@ gfx::NativeViewId RenderWidgetHostViewGuest::GetParentForWindowlessPlugin()
 #endif
 
 void RenderWidgetHostViewGuest::DestroyGuestView() {
+  UnregisterSurfaceNamespaceId();
   host_->SetView(NULL);
   host_ = NULL;
   base::MessageLoop::current()->DeleteSoon(FROM_HERE, this);