Add more checks to prevent crashes when accessing name/opener properties

Getting/setting these properties can depend on FrameLoaderClient, which
will be null if the frame containing the DOMWindow has already been
detached.

BUG=349956,352048

Review URL: https://codereview.chromium.org/203493005

git-svn-id: svn://svn.chromium.org/blink/trunk@169602 bbb929c8-8fbe-4397-9dbb-9b2b20218538

third_party/WebKit/LayoutTests/fast/dom/Window/dom-access-from-closure-iframe-expected.txt

 document.URL: LayoutTests/fast/dom/Window/resources/dom-access-from-closure-iframe-child.html
 window.document.URL: LayoutTests/fast/dom/Window/resources/notify-parent-done.html
-name: child
+name: 
 window.name: child
 

third_party/WebKit/LayoutTests/fast/dom/Window/dom-access-from-closure-window-expected.txt

 document.URL: LayoutTests/fast/dom/Window/resources/dom-access-from-closure-window-child.html
 window.document.URL: LayoutTests/fast/dom/Window/resources/notify-opener-done.html
-name: child
+name: 
 window.name: child
 

third_party/WebKit/LayoutTests/fast/dom/Window/dom-access-from-closure-window-with-gc-expected.txt

 document.URL: LayoutTests/fast/dom/Window/resources/dom-access-from-closure-window-child.html
 window.document.URL: LayoutTests/fast/dom/Window/resources/notify-opener-done.html
-name: child
+name: 
 window.name: child
 

third_party/WebKit/LayoutTests/fast/dom/Window/name-and-opener-on-detached-window-expected.txt

+Tests that getting and setting name and opener on a cached DOMWindow after the associated frame is removed from a web page does not crash.
+
+On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE".
+
+
+PASS childWindow.name is 'oldname'
+PASS childWindow.opener is null
+PASS childWindow.name is ''
+PASS successfullyParsed is true
+
+TEST COMPLETE
+

third_party/WebKit/LayoutTests/fast/dom/Window/name-and-opener-on-detached-window.html

+<html>
+<head>
+<script src="../../../resources/js-test.js"></script>
+<script>
+var childWindow;
+var propertiesToVerify = [];
+
+function runTest()
+{
+    description("Tests that getting and setting name and opener on a cached DOMWindow after the associated frame is removed from a web page does not crash.");
+    var frame = document.getElementById("frame");
+    childWindow = frame.contentWindow;
+    childWindow.name = "oldname";
+    shouldBe("childWindow.name", "'oldname'");
+    frame.parentNode.removeChild(frame);
+    childWindow.opener = null;
+    shouldBeNull("childWindow.opener");
+    childWindow.name = "newname";
+    shouldBe("childWindow.name", "''");
+}
+</script>
+</head>
+<body>
+<iframe id="frame" src="about:blank" onload="runTest()"></iframe>
+</body>
+</html>

third_party/WebKit/Source/core/frame/DOMWindow.cpp

@@ -1189,7 +1189,7 @@ unsigned DOMWindow::length() const
 
 const AtomicString& DOMWindow::name() const
 {
-    if (!m_frame)
+    if (!isCurrentlyDisplayedInFrame())
         return nullAtom;
 
     return m_frame->tree().name();
@@ -1197,10 +1197,11 @@ const AtomicString& DOMWindow::name() const
 
 void DOMWindow::setName(const AtomicString& name)
 {
-    if (!m_frame)
+    if (!isCurrentlyDisplayedInFrame())
         return;
 
     m_frame->tree().setName(name);
+    ASSERT(m_frame->loader().client());
     m_frame->loader().client()->didChangeName(name);
 }
 

third_party/WebKit/Source/core/loader/FrameLoader.cpp

@@ -544,15 +544,15 @@ void FrameLoader::scheduleCheckCompleted()
 
 LocalFrame* FrameLoader::opener()
 {
-    ASSERT(m_client);
     // FIXME: Temporary hack to stage converting locations that really should be Frame.
-    return toLocalFrame(m_client->opener());
+    return m_client ? toLocalFrame(m_client->opener()) : 0;
 }
 
 void FrameLoader::setOpener(LocalFrame* opener)
 {
-    ASSERT(m_client);
-    m_client->setOpener(opener);
+    // If the frame is already detached, the opener has already been cleared.
+    if (m_client)
+        m_client->setOpener(opener);
 }
 
 bool FrameLoader::allowPlugins(ReasonForCallingAllowPlugins reason)