Chrome Version: Dev 61.0.3163.27
OS: Android

What steps will reproduce the problem?
(1) Go to about:flags and set "Enable browser side navigation (aka PlzNavigate)" to Disabled. Restart Chrome.
(2) Open attached web page using a local web server.
(3) Click "Big file" link. Grant download permissions and wait until the download is started.
(4) Trigger renderer crash by typing "about:crash" in the omnibox.
(5) Reload the page.
(6) Click on the "Trigger the problem" link.

What is the expected result?

Current tab's renderer does not crash.

What happens instead?

Current tab's renderer is killed with bad_message_reason 108.

The bad message kill is caused by GlobalRequestID collision in ResourceDispatcherHostImpl::pending_loaders_. When there is a pending download and the renderer crashes, the download continues and the request is not removed from pending_loaders_. When the renderer process is re-created after page reload, it starts issuing resource requests with the same child_id and request_id starts form the initial value. As soon as request_id reaches the one used by the pending download, ResourceDispatcherHostImpl sees that this (child_id, request_id) combination is already in use and kills the renderer in ResourceDispatcherHostImpl::BeginRequest with bad message reason 108 (RDH_INVALID_REQUEST_ID).

The problem is not reproduced with browser-side navigation (PlzNavigate) enabled.

All current chrome versions (stable, beta, dev, canary, public apk) are affected, provided that PlzNavigate is not enabled.
 

Deleted: kill_108_repro_for_chrome.html 875 bytes

kill_108_repro_for_chrome.html 875 bytes View Download