Fix crash in NavigationControllerImpl::RendererDidNavigateToNewPage

It's possible that the renderer does a same-document navigation before
NavigationController has committed an entry, so null-check GetLastCommittedEntry
before using it.

BUG=380127
TEST=NavigationControllerTest.PushStateWithoutPreviousEntry

Review URL: https://codereview.chromium.org/311783005

git-svn-id: svn://svn.chromium.org/chrome/trunk/src@274612 0039d316-1c4b-4281-b951-d872f2087c98

content/browser/frame_host/navigation_controller_impl.cc

@@ -1060,7 +1060,7 @@ void NavigationControllerImpl::RendererDidNavigateToNewPage(
   // history.pushState() is classified as a navigation to a new page, but
   // sets was_within_same_page to true. In this case, we already have the
   // title available, so set it immediately.
-  if (params.was_within_same_page)
+  if (params.was_within_same_page && GetLastCommittedEntry())
     new_entry->SetTitle(GetLastCommittedEntry()->GetTitle());
 
   DCHECK(!params.history_list_was_cleared || !replace_entry);

content/browser/frame_host/navigation_controller_impl_unittest.cc

@@ -2261,6 +2261,19 @@ TEST_F(NavigationControllerTest, ClientRedirectAfterInPageNavigation) {
   }
 }
 
+TEST_F(NavigationControllerTest, PushStateWithoutPreviousEntry)
+{
+  ASSERT_FALSE(controller_impl().GetLastCommittedEntry());
+  FrameHostMsg_DidCommitProvisionalLoad_Params params;
+  GURL url("http://foo");
+  params.page_id = 1;
+  params.url = url;
+  params.page_state = PageState::CreateFromURL(url);
+  params.was_within_same_page = true;
+  test_rvh()->SendNavigateWithParams(&params);
+  // We pass if we don't crash.
+}
+
 // NotificationObserver implementation used in verifying we've received the
 // NOTIFICATION_NAV_LIST_PRUNED method.
 class PrunedListener : public NotificationObserver {