Prevent renderer kills for in-page navigations on subframes.

content/renderer/history_controller.cc

Index: content/renderer/history_controller.cc
diff --git a/content/renderer/history_controller.cc b/content/renderer/history_controller.cc
index ddd187853be623ef5d15238c56eb3b139108b7ce..8f1bc3462f72bd98e69822ffddff0db57b4e1350 100644
--- a/content/renderer/history_controller.cc
+++ b/content/renderer/history_controller.cc
@@ -135,8 +135,12 @@ void HistoryController::RecursiveGoToEntry(
   RenderFrameImpl* render_frame = RenderFrameImpl::FromWebFrame(frame);
   const WebHistoryItem& new_item =
       provisional_entry_->GetItemForFrame(render_frame);
-  const WebHistoryItem& old_item =
-      current_entry_->GetItemForFrame(render_frame);
+
+  // Use the last committed history item for the frame rather than
+  // current_entry_, since the latter may not accurately reflect which URL is
+  // currently committed in the frame.  See https://crbug.com/612713#c12.
+  const WebHistoryItem& old_item = render_frame->current_history_item();
+
   if (new_item.isNull())
     return;