Clear the owner element's widget in Document::shutdown().

third_party/WebKit/Source/core/dom/Document.cpp

Index: third_party/WebKit/Source/core/dom/Document.cpp
diff --git a/third_party/WebKit/Source/core/dom/Document.cpp b/third_party/WebKit/Source/core/dom/Document.cpp
index 9a9a62cf84211a7d2ba2207616cd6c2efa932147..2be1ab3dff411920925961e8f3d423a8e7faf060 100644
--- a/third_party/WebKit/Source/core/dom/Document.cpp
+++ b/third_party/WebKit/Source/core/dom/Document.cpp
@@ -2404,6 +2404,15 @@ void Document::shutdown() {
   ScriptForbiddenScope forbidScript;
 
   view()->dispose();
+
+  // If the widget of the document's frame owner doesn't match view() then
+  // FrameView::dispose() didn't clear the owner's widget. If we don't clear it
+  // here, it may be clobbered later in LocalFrame::createView(). See also
+  // https://crbug.com/673170 and the comment in FrameView::dispose().
+  HTMLFrameOwnerElement* ownerElement = m_frame->deprecatedLocalOwner();
+  if (ownerElement)
+    ownerElement->setWidget(nullptr);
+
   m_markers->prepareForDestruction();
 
   m_lifecycle.advanceTo(DocumentLifecycle::Stopping);