Clear RenderFrameImpl::frame_ pointer after deleting it.

content/renderer/render_view_browsertest.cc

Index: content/renderer/render_view_browsertest.cc
diff --git a/content/renderer/render_view_browsertest.cc b/content/renderer/render_view_browsertest.cc
index 713c9767eb504864ad86320215278d86685fe238..288de21803381d2532af1781388d947c14f2923b 100644
--- a/content/renderer/render_view_browsertest.cc
+++ b/content/renderer/render_view_browsertest.cc
@@ -286,6 +286,30 @@ class RenderViewImplTest : public RenderViewTest {
   scoped_ptr<MockKeyboard> mock_keyboard_;
 };
 
+// Test for https://crbug.com/461191.
+TEST_F(RenderViewImplTest, RenderFrameMessageAfterDetach) {
+  // Create a new main frame RenderFrame so that we don't interfere with the
+  // shutdown of frame() in RenderViewTest.TearDown.
+  blink::WebURLRequest popup_request(GURL("http://foo.com"));
+  blink::WebView* new_web_view = view()->createView(
+      GetMainFrame(), popup_request, blink::WebWindowFeatures(), "foo",
+      blink::WebNavigationPolicyNewForegroundTab, false);
+  RenderViewImpl* new_view = RenderViewImpl::FromWebView(new_web_view);
+  RenderFrameImpl* new_frame =
+      static_cast<RenderFrameImpl*>(new_view->GetMainRenderFrame());
+
+  // Detach the main frame.
+  new_view->Close();
+
+  // Before the frame is asynchronously deleted, it may receive a message.
+  // We should not crash here.
+  const IPC::Message* msg = new FrameMsg_Stop(frame()->GetRoutingID());
+  new_frame->OnMessageReceived(*msg);
+
+  // Clean up after the new view so we don't leak it.
+  new_view->Release();
+}
+
 TEST_F(RenderViewImplTest, SaveImageFromDataURL) {
   const IPC::Message* msg1 = render_thread_->sink().GetFirstMessageMatching(
       ViewHostMsg_SaveImageFromDataURL::ID);