Inherit nav_entry_id in subframes and fix check in UpdateStateForFrame. Newly created subframes weren't having their nav_entry_id assigned, and it's possible for an UpdateState message to arrive for a frame after its FrameNavigationEntry has been replaced by one in a different SiteInstance. This also adds test coverage for assigning nav_entry_ids. BUG=545219, 369661 TEST=No more UpdateStateForFrame crashes. Review URL: https://codereview.chromium.org/1437643004 Cr-Commit-Position: refs/heads/master@{#359031}

commit: d06a94221470dc09a3a393d4722b826967f6ea73 [log] [tgz]
author: creis <[email protected]> Wed Nov 11 03:08:45 2015
committer: Commit bot <[email protected]> Wed Nov 11 03:09:34 2015
tree: 2284dada6cf7623965966a9cda1c2dbd4c29d327
parent: 49fb320e6fd5bd71e799b216e4a5c784b6513e6b [diff] [blame]
diff --git a/content/browser/web_contents/web_contents_impl.cc b/content/browser/web_contents/web_contents_impl.cc
index c07fa27..bfae0c2 100644
--- a/content/browser/web_contents/web_contents_impl.cc
+++ b/content/browser/web_contents/web_contents_impl.cc

@@ -4145,7 +4145,13 @@
   if (!frame_entry)
     return;
 
-  CHECK_EQ(frame_entry->site_instance(), rfhi->GetSiteInstance());
+  // The SiteInstance might not match if we do a cross-process navigation with
+  // replacement (e.g., auto-subframe), in which case the swap out of the old
+  // RenderFrameHost runs in the background after the old FrameNavigationEntry
+  // has already been replaced and destroyed.
+  if (frame_entry->site_instance() != rfhi->GetSiteInstance())
+    return;
+
   if (page_state == frame_entry->page_state())
     return;  // Nothing to update.
commit	d06a94221470dc09a3a393d4722b826967f6ea73	[log] [tgz]
author	creis <[email protected]>	Wed Nov 11 03:08:45 2015
committer	Commit bot <[email protected]>	Wed Nov 11 03:09:34 2015
tree	2284dada6cf7623965966a9cda1c2dbd4c29d327
parent	49fb320e6fd5bd71e799b216e4a5c784b6513e6b [diff] [blame]