Null out LocalDOMWindow::m_frame on navigation.

third_party/WebKit/Source/core/frame/DOMWindow.cpp

Index: third_party/WebKit/Source/core/frame/DOMWindow.cpp
diff --git a/third_party/WebKit/Source/core/frame/DOMWindow.cpp b/third_party/WebKit/Source/core/frame/DOMWindow.cpp
index b514d469fe941be440f78783a670567f6b5e445a..9db02c90ab4c773cf4b08ae3d073bb313a219816 100644
--- a/third_party/WebKit/Source/core/frame/DOMWindow.cpp
+++ b/third_party/WebKit/Source/core/frame/DOMWindow.cpp
@@ -120,7 +120,9 @@ DOMWindow* DOMWindow::anonymousIndexedGetter(uint32_t index) const
 
 bool DOMWindow::isCurrentlyDisplayedInFrame() const
 {
-    return frame() && frame()->domWindow() == this && frame()->host();
+    if (frame())
+        RELEASE_ASSERT_WITH_SECURITY_IMPLICATION(frame()->domWindow() == this);
+    return frame() && frame()->host();

[Nate Chapin, 2015/09/29 21:49:00]

Is this host() check necessary? Can a DOMWindow and Frame remain attached while
the Frame is detached from the host?

[dcheng, 2015/09/29 21:53:52]

This doesn't affect when LocalDOMWindow::frame() becomes null during frame
detach. I did try adding setDOMWindow(nullptr) to LocalFrame::detach(), but that
broke a lot of code that assumes that Frame::document() will be non-null during
detach.

 }
 
 bool DOMWindow::isInsecureScriptAccess(LocalDOMWindow& callingWindow, const String& urlString)