Speculative crash fix for navigator.serviceworker access during unload

This should fix crash/caab6eb137e58385

This CL addresses the unhandled case in crrev.com/582126

TBR=falken@chromium.org

Bug: 881126, 868592
Change-Id: I906eecc3bf21aa9900355b1f312bd5025375fa8d
Reviewed-on: https://chromium-review.googlesource.com/1207781
Commit-Queue: Kouhei Ueno <kouhei@chromium.org>
Reviewed-by: Kinuko Yasuda <kinuko@chromium.org>
Reviewed-by: Nasko Oskov <nasko@chromium.org>
Cr-Commit-Position: refs/heads/master@{#589419}

content/renderer/render_frame_impl.cc

@@ -3731,8 +3731,17 @@ blink::BlameContext* RenderFrameImpl::GetFrameBlameContext() {
 
 std::unique_ptr<blink::WebServiceWorkerProvider>
 RenderFrameImpl::CreateServiceWorkerProvider() {
+  // Bail-out if we are about to be navigated away.
+  // We check that DocumentLoader is attached since:
+  // - This serves as the signal since the DocumentLoader is detached in
+  //   FrameLoader::PrepareForCommit().
+  // - Creating ServiceWorkerProvider in
+  //   RenderFrameImpl::CreateServiceWorkerProvider() assumes that there is a
+  //   DocumentLoader attached to the frame.
+  if (!frame_->GetDocumentLoader())
+    return nullptr;
+
   // At this point we should have non-null data source.
-  DCHECK(frame_->GetDocumentLoader());
   if (!ChildThreadImpl::current())
     return nullptr;  // May be null in some tests.
   ServiceWorkerNetworkProvider* provider =

third_party/blink/renderer/modules/service_worker/navigator_service_worker.cc

@@ -22,6 +22,9 @@ NavigatorServiceWorker* NavigatorServiceWorker::From(Document& document) {
   if (!frame)
     return nullptr;
 
+  // TODO(kouhei): Remove below after M72, since the check is now done in
+  // RenderFrameImpl::CreateServiceWorkerProvider instead.
+  //
   // Bail-out if we are about to be navigated away.
   // We check that DocumentLoader is attached since:
   // - This serves as the signal since the DocumentLoader is detached in