Should not call FocusController::setFocusedFrame() for detached frame

third_party/WebKit/LayoutTests/fast/dom/Selection/selection-crash.html

Index: third_party/WebKit/LayoutTests/fast/dom/Selection/selection-crash.html
diff --git a/third_party/WebKit/LayoutTests/fast/dom/Selection/selection-crash.html b/third_party/WebKit/LayoutTests/fast/dom/Selection/selection-crash.html
new file mode 100644
index 0000000000000000000000000000000000000000..e222eb5fb73be5ab5f642eb8a2cd05900c57182e
--- /dev/null
+++ b/third_party/WebKit/LayoutTests/fast/dom/Selection/selection-crash.html
@@ -0,0 +1,34 @@
+<!DOCTYPE HTML>
+<script src="../../../resources/testharness.js"></script>
+<script src="../../../resources/testharnessreport.js"></script>
+<button id="button"></button>
+<iframe id="iframe"></iframe>
+<script>
+// This is a crash reproduction case for crbug.com/626750.
+
+// Things are expected to happen in this order:
+// 1. window.onload event fires
+// 2. button.focus()
+// 3. button's focus event handler is called
+// 4. iframe.contentWindow.focus()
+// 5. button's blur event handler is called (due to 4)
+// 6. document.open() (detaches <iframe>)
+// 7. focus in iframe blurs
+// 8. iframe is set to active while detached <- crash due to crbug.com/626750
+// 9. script execution gets back to button's focus event handler
+//    (4-8 happen while iframe.contentWindow.focus() is handled)
+
+async_test((test) => {
+    button.addEventListener('focus', test.step_func_done(() => {
+        iframe.contentWindow.focus();
+        assert_equals(document.activeElement, null, 'blur handler properly finished.');
+    }));
+
+    button.addEventListener('blur', test.step_func(() => {
+        // This detaches <iframe>.
+        document.open();
+    }));
+
+    window.addEventListener('load', () => button.focus());
+}, 'focusing on detached frame should not crash');
+</script>