v8binding: Do not invoke FrameRequestCallback when iframe is detached.

Crash issue 887661 is happening because an iframe is detached, but
the iframe is still invoking FrameRequestCallback without performing
wrapper-tracing.

In the repro case, callback function's realm = the parent's one, and
the incumbent realm = the parent's one, however, the callback is
registered on the iframe that will be detached.  Thus, any check
against callback function's realm and the incumbent realm does not
work well in this case.

This patch fixes the crash issue by checking the execution context
on the call sites.

Bug: 887661
Change-Id: I1fa784add95424c9ff2c2b27ed3d2edbb920068e
Reviewed-on: https://chromium-review.googlesource.com/1237839Reviewed-by: Hitoshi Yoshida <peria@chromium.org>
Reviewed-by: Kentaro Hara <haraken@chromium.org>
Commit-Queue: Yuki Shiino <yukishiino@chromium.org>
Cr-Commit-Position: refs/heads/master@{#593417}

third_party/blink/renderer/core/dom/frame_request_callback_collection.cc

@@ -63,6 +63,14 @@ void FrameRequestCallbackCollection::ExecuteCallbacks(
   swap(callbacks_to_invoke_, callbacks_);
 
   for (const auto& callback : callbacks_to_invoke_) {
+    // When the ExecutionContext is destroyed (e.g. an iframe is detached),
+    // there is no path to perform wrapper tracing for the callbacks. In such a
+    // case, the callback functions may already have been collected by V8 GC.
+    // Since it's possible that a callback function being invoked detaches an
+    // iframe, we need to check the condition for each callback.
+    if (context_->IsContextDestroyed())
+      break;
+
     if (!callback->IsCancelled()) {
       TRACE_EVENT1(
           "devtools.timeline", "FireAnimationFrame", "data",