Ensure a guest WebContent's view is removed from the InputEventRouter.

content/browser/web_contents/web_contents_impl.cc

Index: content/browser/web_contents/web_contents_impl.cc
diff --git a/content/browser/web_contents/web_contents_impl.cc b/content/browser/web_contents/web_contents_impl.cc
index 956831386b133641428afd818ee075f0ba86cb72..9e26f45d048d73bb90921f295f83a0a3b8410803 100644
--- a/content/browser/web_contents/web_contents_impl.cc
+++ b/content/browser/web_contents/web_contents_impl.cc
@@ -418,6 +418,20 @@ WebContentsImpl::~WebContentsImpl() {
 
   rwh_input_event_router_.reset();
 
+  // If this WebContents is a guest and goes away before its view has
+  // de-registered its surface id namespace with the outermost WebContent's
+  // input event router (IER), we will lose the ability to ever deregister it,
+  // potentially resulting in a stale pointer in the IER's owner_map_.
+  // Speculative fix for https://crbug.com/570646.
+  auto input_event_router = GetOuterWebContents()
+                                ? GetOuterWebContents()->GetInputEventRouter()
+                                : nullptr;
+  auto render_widget_host_view =
+      static_cast<RenderWidgetHostViewBase*>(GetRenderWidgetHostView());
+  if (input_event_router && render_widget_host_view)
+    input_event_router->RemoveSurfaceIdNamespaceOwner(
+        render_widget_host_view->GetSurfaceIdNamespace());
+
   // Delete all RFH pending shutdown, which will lead the corresponding RVH to
   // shutdown and be deleted as well.
   frame_tree_.ForEach(