Clear navigation_handle early in RenderFrameHostImpl destructor.

This is to avoid inconsistent (half-destructed) RenderFrameHostImpl instance
in WebContentsObserver::DidFinishNavigation, acessible through NavigationHandle
instance.

This happens in DevToolsManagerTest.ReattachOnCancelPendingNavigation, added
DCHECK to RenderFrameDevToolsAgentHost.

See crrev.com/2544893002 and crrev.com/2387353004 for more context.

BUG=none
CQ_INCLUDE_TRYBOTS=master.tryserver.chromium.linux:linux_site_isolation

Review-Url: https://codereview.chromium.org/2563863002
Cr-Commit-Position: refs/heads/master@{#437658}

content/browser/devtools/render_frame_devtools_agent_host.cc

@@ -912,6 +912,12 @@ void RenderFrameDevToolsAgentHost::
 
 void RenderFrameDevToolsAgentHost::UpdateProtocolHandlers(
     RenderFrameHostImpl* host) {
+#if DCHECK_IS_ON()
+  // Check that we don't have stale host object here by accessing some random
+  // properties inside.
+  if (handlers_frame_host_ && handlers_frame_host_->GetRenderWidgetHost())
+    handlers_frame_host_->GetRenderWidgetHost()->GetRoutingID();
+#endif
   handlers_frame_host_ = host;
   dom_handler_->SetRenderFrameHost(host);
   if (emulation_handler_)

content/browser/frame_host/render_frame_host_impl.cc

@@ -383,6 +383,10 @@ RenderFrameHostImpl::RenderFrameHostImpl(SiteInstance* site_instance,
 }
 
 RenderFrameHostImpl::~RenderFrameHostImpl() {
+  // Destroying navigation handle may call into delegates/observers,
+  // so we do it early while |this| object is still in a sane state.
+  navigation_handle_.reset();
+
   // Release the WebUI instances before all else as the WebUI may accesses the
   // RenderFrameHost during cleanup.
   ClearAllWebUI();