Speculative fix for History::ScrollRestorationInternal null deref

This is a speculative fix for crash reported on crbug.com/872672 .

There is no guarantee that the DocumentLoader is always attached [1],
so let's introduce a null check.

[1] The DocumentLoader may be detached while FrameLoader::PrepareForCommit.

Bug: 872672
Change-Id: I015651506a891c3344f1bdbf40ea013ce988a95f
Reviewed-on: https://chromium-review.googlesource.com/1171972Reviewed-by: Kinuko Yasuda <kinuko@chromium.org>
Commit-Queue: Kouhei Ueno <kouhei@chromium.org>
Cr-Commit-Position: refs/heads/master@{#582509}

third_party/blink/renderer/core/frame/history.cc

@@ -134,11 +134,21 @@ String History::scrollRestoration(ExceptionState& exception_state) {
 }
 
 HistoryScrollRestorationType History::ScrollRestorationInternal() const {
-  HistoryItem* history_item =
-      GetFrame() ? GetFrame()->Loader().GetDocumentLoader()->GetHistoryItem()
-                 : nullptr;
-  return history_item ? history_item->ScrollRestorationType()
-                      : kScrollRestorationAuto;
+  constexpr HistoryScrollRestorationType default_type = kScrollRestorationAuto;
+
+  LocalFrame* frame = GetFrame();
+  if (!frame)
+    return default_type;
+
+  DocumentLoader* document_loader = frame->Loader().GetDocumentLoader();
+  if (!document_loader)
+    return default_type;
+
+  HistoryItem* history_item = document_loader->GetHistoryItem();
+  if (!history_item)
+    return default_type;
+
+  return history_item->ScrollRestorationType();
 }
 
 // TODO(crbug.com/394296): This is not the long-term fix to IPC flooding that we