Schedule OnBeforeUnloadACK to prevent reentrancy when destroying a RFHI.

Previously, it was possible that in the middle of closing a tab and
shutting down the main frame's process, we could call
ResetForNewProcess() to clear the main frame's children, but
destroying a child's RenderFrameHostImpl could reenter
TabStripModel::CloseWebContentses if the main frame was also waiting
for that child's beforeunload ACK.  This could result in freeing state
such as the WebContents or main frame's RFHM and RFHI, and then later
unwinding the stack to proceed with the first CloseWebContentses and
running into crashes when trying to dereference pointers which were
already freed or nulled out.

To prevent this reentrancy, schedule the beforeunload ACK in the cases
where it's used for tab close.  This is similar to a fix for issue
851400, but addresses a new way to get the reentrant calls that became
possible after r575133.

Bug: 866382, 866365
Change-Id: Id20068cb24f457f1fae1005050d46441dac78d9a
Reviewed-on: https://chromium-review.googlesource.com/1148775
Reviewed-by: Charlie Reis <creis@chromium.org>
Commit-Queue: Alex Moshchuk <alexmos@chromium.org>
Cr-Commit-Position: refs/heads/master@{#577736}
3 files changed