Cherry pick "Fixes bug in GinJavaBridgeDispatcherHost"

Original description:
Fixes bug in GinJavaBridgeDispatcherHost

My try job kept failing on android and I finally tracked it down to
this code. GinJavaBridgeDispatcherHost::RemoveNamedObject may be
invoked with a value that comes from named_objects_ (see
AddNamedObject). RemoveNamedObject removes from named_object_ and then
uses the passed in value. If this happens |name| is no longer valid
and shouldn't be used.

BUG=none
TEST=none
R=mnaganov@chromium.org
TBR=mnaganov@chromium.org

Committed:
https://src.chromium.org/viewvc/chrome?view=rev&revision=288861

Bug: 17973356
Change-Id: I71ecab488994362f02ca7dbbe9a35e9514ee33fd
diff --git a/content/browser/android/java/gin_java_bridge_dispatcher_host.cc b/content/browser/android/java/gin_java_bridge_dispatcher_host.cc
index c961dd9..ca63276 100644
--- a/content/browser/android/java/gin_java_bridge_dispatcher_host.cc
+++ b/content/browser/android/java/gin_java_bridge_dispatcher_host.cc
@@ -202,6 +202,10 @@
   if (iter == named_objects_.end())
     return;
 
+  // |name| may come from |named_objects_|. Make a copy of name so that if
+  // |name| is from |named_objects_| it'll be valid after the remove below.
+  const std::string copied_name(name);
+
   scoped_refptr<GinJavaBoundObject> object(*objects_.Lookup(iter->second));
   named_objects_.erase(iter);
   object->RemoveName();
@@ -220,7 +224,7 @@
   }
 
   web_contents()->SendToAllFrames(
-      new GinJavaBridgeMsg_RemoveNamedObject(MSG_ROUTING_NONE, name));
+      new GinJavaBridgeMsg_RemoveNamedObject(MSG_ROUTING_NONE, copied_name));
 }
 
 void GinJavaBridgeDispatcherHost::SetAllowObjectContentsInspection(bool allow) {