NavigateFrameToURL may segfault when the navigation deletes the frame.

A FrameTreeNode may be deleted during navigations (e.g. by an unload
handler), NavigateFrameToURL needs to check for this before using the
FrameTreeNode object.

Fixed: 1149380
Change-Id: I0bc361f7cee17fda0cbef7ec8d2b40a777f3018f
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2543533
Auto-Submit: Fergal Daly <fergal@chromium.org>
Reviewed-by: Łukasz Anforowicz <lukasza@chromium.org>
Reviewed-by: Alex Moshchuk <alexmos@chromium.org>
Commit-Queue: Fergal Daly <fergal@chromium.org>
Cr-Commit-Position: refs/heads/master@{#828617}

content/test/content_browser_test_utils_internal.cc

@@ -49,6 +49,8 @@ bool NavigateFrameToURL(FrameTreeNode* node, const GURL& url) {
   NavigationController::LoadURLParams params(url);
   params.transition_type = ui::PAGE_TRANSITION_LINK;
   params.frame_tree_node_id = node->frame_tree_node_id();
+  FrameTree* frame_tree = node->frame_tree();
+
   node->navigator().GetController()->LoadURLWithParams(params);
   observer.Wait();
 
@@ -56,7 +58,12 @@ bool NavigateFrameToURL(FrameTreeNode* node, const GURL& url) {
     DLOG(WARNING) << "Navigation did not succeed: " << url;
     return false;
   }
-  if (url != node->current_url()) {
+
+  // It's possible for JS handlers triggered during the navigation to remove
+  // the node, so retrieve it by ID again to check if that occurred.
+  node = frame_tree->FindByID(params.frame_tree_node_id);
+
+  if (node && url != node->current_url()) {
     DLOG(WARNING) << "Expected URL " << url << " but observed "
                   << node->current_url();
     return false;