Drop CreateChildFrame messages when swapping out.

content/browser/frame_host/render_frame_host_impl.cc

Index: content/browser/frame_host/render_frame_host_impl.cc
diff --git a/content/browser/frame_host/render_frame_host_impl.cc b/content/browser/frame_host/render_frame_host_impl.cc
index 436f4fbad1ac99df7ec45e782d7218d9f4df1774..c854ad147ab228cc2cd32d0a141de87a9bd64e87 100644
--- a/content/browser/frame_host/render_frame_host_impl.cc
+++ b/content/browser/frame_host/render_frame_host_impl.cc
@@ -611,8 +611,17 @@ void RenderFrameHostImpl::OnAddMessageToConsole(
 
 void RenderFrameHostImpl::OnCreateChildFrame(int new_routing_id,
                                              const std::string& frame_name) {
+  // It is possible that while a new RenderFrameHost was committed, the
+  // RenderFrame corresponding to this host sent an IPC message to create a
+  // frame and it is delivered after this host is swapped out.
+  // Ignore such messages, as we know this RenderFrameHost is going away.
+  if (rfh_state_ != RenderFrameHostImpl::STATE_DEFAULT)
+    return;
+
   RenderFrameHostImpl* new_frame = frame_tree_->AddFrame(
-      frame_tree_node_, new_routing_id, frame_name);
+      frame_tree_node_, GetProcess()->GetID(), new_routing_id, frame_name);
+  if (!new_frame)
+    return;
 
   // We know that the RenderFrame has been created in this case, immediately
   // after the CreateChildFrame IPC was sent.