MutationObserver: Fix a null-pointer dereference in MutationObserverRegistration::unregister.

third_party/WebKit/Source/core/dom/MutationObserverRegistration.cpp

Index: third_party/WebKit/Source/core/dom/MutationObserverRegistration.cpp
diff --git a/third_party/WebKit/Source/core/dom/MutationObserverRegistration.cpp b/third_party/WebKit/Source/core/dom/MutationObserverRegistration.cpp
index e92b88a62ea344cbb8b2dfd9e05111b86480deeb..86bd65c37289fddbfa6b4b383112f11897d029f9 100644
--- a/third_party/WebKit/Source/core/dom/MutationObserverRegistration.cpp
+++ b/third_party/WebKit/Source/core/dom/MutationObserverRegistration.cpp
@@ -107,10 +107,11 @@ void MutationObserverRegistration::clearTransientRegistrations() {
 }
 
 void MutationObserverRegistration::unregister() {
-  DCHECK(m_registrationNode);
-  m_registrationNode->unregisterMutationObserver(this);
-  // The above line will cause this object to be deleted, so don't do any more
-  // in this function.
+  // |this| can outlives m_registrationNode.
+  if (m_registrationNode)
+    m_registrationNode->unregisterMutationObserver(this);
+  else
+    dispose();
 }
 
 bool MutationObserverRegistration::shouldReceiveMutationFrom(