Fix renderer crash on reading cookieStore on DOMWindow of detached iframe.

The crash can only occur when the "Enable Experimental Web Platform
Features" flag is turned on.

Bug: 774626
Change-Id: I4e8170d2c82db53d8bacd5c8586ef4cce3000be4
Reviewed-on: https://chromium-review.googlesource.com/722038Reviewed-by: Kentaro Hara <haraken@chromium.org>
Commit-Queue: Victor Costan <pwnall@chromium.org>
Cr-Commit-Position: refs/heads/master@{#509302}

third_party/WebKit/LayoutTests/http/tests/storage/async_cookies/bug774626.html

+<!doctype html>
+<meta charset="utf-8">
+<title>cookieStore on DOMWindow of detached iframe (crbug.com/774626)</title>
+<script src="../../resources/testharness.js"></script>
+<script src="../../resources/testharnessreport.js"></script>
+<iframe id="iframe"></iframe>
+<script>
+'use strict';
+
+test(() => {
+  const iframe = document.getElementById('iframe');
+  const frameWindow = iframe.contentWindow;
+
+  iframe.parentNode.removeChild(iframe);
+  assert_equals(null, frameWindow.cookieStore);
+});
+</script>

third_party/WebKit/Source/modules/cookie_store/GlobalCookieStore.cpp

@@ -52,8 +52,11 @@ class GlobalCookieStoreImpl final
   CookieStore* GetCookieStore(ExecutionContext* execution_context) {
     if (!cookie_store_) {
       network::mojom::blink::RestrictedCookieManagerPtr cookie_manager_ptr;
-      execution_context->GetInterfaceProvider()->GetInterface(
-          mojo::MakeRequest(&cookie_manager_ptr));
+      service_manager::InterfaceProvider* interface_provider =
+          execution_context->GetInterfaceProvider();
+      if (!interface_provider)
+        return nullptr;
+      interface_provider->GetInterface(mojo::MakeRequest(&cookie_manager_ptr));
       cookie_store_ =
           CookieStore::Create(execution_context, std::move(cookie_manager_ptr));
     }