authorlfg <lfg@chromium.org>2015-02-13 16:04:00 -0800
committerCommit bot <commit-bot@chromium.org>2015-02-14 00:04:55 +0000
commit912887b4a462f216fca73228de49b4c6cc980da4 (patch)
tree18a0b79794178fc6d9468f70b6ff7d5e17e93415
parent479ea5af28a7121022365384630634aa489ac916 (diff)
Sets render_frame_proxy_ to null in the RenderFrameImpl when destroying the RenderFrameProxy.
This fixes a use-after-free in the RenderFrameProxy reported by the asan bots, but uncovers another one. TEST=NavigateRemoteFrame BUG=357747 Review URL: https://codereview.chromium.org/929463004 Cr-Commit-Position: refs/heads/master@{#316337}
-rw-r--r--content/renderer/render_frame_proxy.cc9
1 files changed, 9 insertions, 0 deletions
diff --git a/content/renderer/render_frame_proxy.cc b/content/renderer/render_frame_proxy.cc
index 5af5f57..cb42b40 100644
--- a/content/renderer/render_frame_proxy.cc
+++ b/content/renderer/render_frame_proxy.cc
@@ -117,6 +117,15 @@ RenderFrameProxy::RenderFrameProxy(int routing_id, int frame_routing_id)
}
RenderFrameProxy::~RenderFrameProxy() {
+ // TODO(nasko): Set the render_frame_proxy to null to avoid a double deletion
+ // when detaching the main frame. This can be removed once RenderFrameImpl and
+ // RenderFrameProxy have been completely decoupled. See
+ // https://crbug.com/357747.
+ RenderFrameImpl* render_frame =
+ RenderFrameImpl::FromRoutingID(frame_routing_id_);
+ if (render_frame)
+ render_frame->set_render_frame_proxy(nullptr);
+
render_view()->UnregisterRenderFrameProxy(this);
FrameMap::iterator it = g_frame_map.Get().find(web_frame_);