NavigatorImpl::NavigateToEntry currently checks whether a request results in a transfer to the same RenderFrameHost that started the request using process IDs:
    bool is_transfer_to_same =
        is_transfer &&
        entry.transferred_global_request_id().child_id ==
            dest_render_frame_host->GetProcess()->GetID();
This is problematic if we're over the process limit. For example, if foo.com navigates cross-process to bar.com, and the foo and bar SiteInstances end up sharing the same RenderProcessHost, this will cause us to first initiate a transfer in RenderFrameHostManager::UpdateStateForNavigate because the SiteInstances are different, but then we'll incorrectly think that the transfer is to the same RFH that started the request and not send the Navigate IPC. This will cause the navigation to hang.
I first hit this for isolated origins while working on https://codereview.chromium.org/2921063003. Charlie mentions that this also might come up for a redirect from one extension to another when we're over the process limit and the extensions end up sharing a process.
This path is only used without PlzNavigate, and I've confirmed this isn't a problem with PlzNavigate enabled. So we could just wait for PlzNavigate to ship to get this fixed.
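To make the failure mode concrete, here is an added C++ model (not Chromium's code; the struct types, GetProcess(), routing_id and the frame-identity check are stand-ins I assume for this illustration) that runs the process-ID check quoted above against two distinct RenderFrameHosts whose SiteInstances share one RenderProcessHost, and contrasts it with a check on frame identity:

```cpp
#include <cstdio>

// Minimal stand-in types for the Chromium objects named in the report
// (constructed for this example; not Chromium's real classes).
struct RenderProcessHost { int id; int GetID() const { return id; } };
struct SiteInstance { RenderProcessHost* process; };
struct RenderFrameHost {
  SiteInstance* site_instance;
  int routing_id;
  RenderProcessHost* GetProcess() const { return site_instance->process; }
};
struct GlobalRequestID { int child_id; int request_id; };

// The check as the report quotes it: only the process ID is compared.
bool IsTransferToSameByProcessId(const GlobalRequestID& transferred,
                                 const RenderFrameHost* dest) {
  return transferred.child_id == dest->GetProcess()->GetID();
}

// A stricter (hypothetical) check: a transfer is "to the same RFH" only if
// the destination frame is the very frame that started the request.
bool IsTransferToSameFrame(const RenderFrameHost* source,
                           const RenderFrameHost* dest) {
  return source == dest;
}

// Scenario from the report: foo.com and bar.com get distinct SiteInstances
// that share one RenderProcessHost because the process limit was hit.
// Returns true when the process-ID check wrongly reports "same RFH".
bool FlawedCheckMisfiresWhenProcessesAreShared() {
  RenderProcessHost shared{42};
  SiteInstance foo{&shared}, bar{&shared};
  RenderFrameHost foo_rfh{&foo, 1}, bar_rfh{&bar, 2};
  GlobalRequestID request{shared.GetID(), 7};  // request started in foo_rfh
  return IsTransferToSameByProcessId(request, &bar_rfh) &&
         !IsTransferToSameFrame(&foo_rfh, &bar_rfh);
}

// Control case: with separate processes both checks agree (not same RFH).
bool ChecksAgreeWhenProcessesDiffer() {
  RenderProcessHost p1{1}, p2{2};
  SiteInstance foo{&p1}, bar{&p2};
  RenderFrameHost foo_rfh{&foo, 1}, bar_rfh{&bar, 2};
  GlobalRequestID request{p1.GetID(), 7};
  return !IsTransferToSameByProcessId(request, &bar_rfh) &&
         !IsTransferToSameFrame(&foo_rfh, &bar_rfh);
}

int main() {
  std::printf("flawed check misfires when processes are shared: %s\n",
              FlawedCheckMisfiresWhenProcessesAreShared() ? "yes" : "no");
  return 0;
}
```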
Comment 1 by sheriffbot@chromium.org, Jun 14 2018
Status: Untriaged (was: Available)