Index: third_party/WebKit/Source/core/dom/Document.cpp |
diff --git a/third_party/WebKit/Source/core/dom/Document.cpp b/third_party/WebKit/Source/core/dom/Document.cpp |
index 9a9a62cf84211a7d2ba2207616cd6c2efa932147..2be1ab3dff411920925961e8f3d423a8e7faf060 100644 |
--- a/third_party/WebKit/Source/core/dom/Document.cpp |
+++ b/third_party/WebKit/Source/core/dom/Document.cpp |
@@ -2404,6 +2404,15 @@ void Document::shutdown() { |
ScriptForbiddenScope forbidScript; |
view()->dispose(); |
+ |
+ // If the widget of the document's frame owner doesn't match view() then |
+ // FrameView::dispose() didn't clear the owner's widget. If we don't clear it |
+ // here, it may be clobbered later in LocalFrame::createView(). See also |
+ // https://crbug.com/673170 and the comment in FrameView::dispose(). |
+ HTMLFrameOwnerElement* ownerElement = m_frame->deprecatedLocalOwner(); |
+ if (ownerElement) |
+ ownerElement->setWidget(nullptr); |
+ |
m_markers->prepareForDestruction(); |
m_lifecycle.advanceTo(DocumentLifecycle::Stopping); |