Speculative fix for crasher, take 2

The throttling check, added in a previous CL for this bug, appears to
have fixed some but not all of the crashes.

It's not clear how this point in the code could be reached for a
detached iframe. Nevertheless, the stack trace for the remaining
crashes suggests this might be the case:

When a frame becomes detached, it resets its page_ to nullptr; this is
the only way that Frame::GetPage() can return nullptr. In
EventHandler::HitTestResultAtLocation, if GetPage() returns nullptr, it
skips trying to re-dispatch the hit test to the local frame root, and
instead just falls through to PerformHitTest on the current frame.

If GetPage() is in fact null, we would expect not to see any
recursion in HitTestResultAtLocation; and that holds true in all of
the recent crash reports. Hence the speculation that we might be
trying to hit-test a detached frame.

BUG=1041252
R=chrishtr@chromium.org

Change-Id: I3bf8482867a26f5f7a0369a0e9015c237744c0e4
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2017933Reviewed-by: Chris Harrelson <chrishtr@chromium.org>
Commit-Queue: Stefan Zager <szager@chromium.org>
Cr-Commit-Position: refs/heads/master@{#735039}

third_party/blink/renderer/core/frame/remote_frame.cc

@@ -437,7 +437,8 @@ void RemoteFrame::UpdateHitTestOcclusionData() {
   if (base::FeatureList::IsEnabled(
           blink::features::kVizHitTestOcclusionCheck)) {
     if (LayoutEmbeddedContent* owner = OwnerLayoutObject()) {
-      if (!owner->GetFrameView()->CanThrottleRendering()) {
+      if (owner->GetFrame()->IsAttached() &&
+          !owner->GetFrameView()->CanThrottleRendering()) {
         HitTestResult hit_test_result(owner->HitTestForOcclusion());
         const Node* hit_node = hit_test_result.InnerNode();
         unoccluded = (!hit_node || hit_node == owner->GetNode());