Detach PaintLayerScrollableArea from RootFrameViewport when disposed.

third_party/WebKit/Source/core/page/scrolling/RootScrollerController.cpp

Index: third_party/WebKit/Source/core/page/scrolling/RootScrollerController.cpp
diff --git a/third_party/WebKit/Source/core/page/scrolling/RootScrollerController.cpp b/third_party/WebKit/Source/core/page/scrolling/RootScrollerController.cpp
index 6dfa436619f353c1f553182fe0ce08030e4a2ecb..b8bb4cc8bf34a2ccb44b1682ab5ac679cc7c97f1 100644
--- a/third_party/WebKit/Source/core/page/scrolling/RootScrollerController.cpp
+++ b/third_party/WebKit/Source/core/page/scrolling/RootScrollerController.cpp
@@ -88,6 +88,19 @@ void RootScrollerController::didUpdateLayout()
     recomputeEffectiveRootScroller();
 }
 
+void RootScrollerController::didDisposePaintLayerScrollableArea(
+    PaintLayerScrollableArea& area)
+{
+    // If the document is being torn down we'll skip a bunch of notifications
+    // so recomputing the effective root scroller could touch dead objects.
+    // (e.g. ScrollAnchor keeps a pointer to dead LayoutObjects).
+    if (!m_effectiveRootScroller || area.box().documentBeingDestroyed())
+        return;
+
+    if (&area.box() == m_effectiveRootScroller->layoutObject())
+        recomputeEffectiveRootScroller();
+}
+
 void RootScrollerController::recomputeEffectiveRootScroller()
 {
     bool rootScrollerValid =
@@ -150,8 +163,11 @@ PaintLayer* RootScrollerController::rootScrollerPaintLayer() const
     // PaintLayer (i.e. the PaintLayerCompositor's root layer). The reason the root
     // scroller is the <html> layer and not #document is because the latter is a Node
     // but not an Element.
-    if (m_effectiveRootScroller->isSameNode(m_document->documentElement()))
+    if (m_effectiveRootScroller->isSameNode(m_document->documentElement())) {
+        if (!layer || !layer->compositor())
+            return nullptr;
         return layer->compositor()->rootLayer();
+    }
 
     return layer;
 }