Heap-use-after-free in base::trace_event::BlameContext::Enter

Issue description
Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5120230254182400
Fuzzer: ochang_domfuzzer
Job Type: linux_asan_chrome_mp
Platform Id: linux
Crash Type: Heap-use-after-free READ 8
Crash Address: 0x60700002b2c0
Crash State:
  base::trace_event::BlameContext::Enter
  scheduler::internal::TaskQueueImpl::NotifyWillProcessTask
  scheduler::TaskQueueManager::ProcessTaskFromWorkQueue
Recommended Security Severity: High
Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_chrome_mp&range=388479:388495
Minimized Testcase (32.74 Kb): https://cluster-fuzz.appspot.com/download/AMIfv96Hrqtp0VcDhqw1ILyJLCqWV4TPbeyDoNkhe3ybULsHmQJ0aa8jXoNLMjghLj0Qe-QbDV7wz0fN_OPM1kzqxspmBveotIMpVIPU8BUC19r9EqNVx-1JOCdyR-a7P4YrRjH8d-AfFKiwl-rdXf263KOTtkqo9aV68LzgihWzORHyYwCBd30
Filer: mmoroz
See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
Apr 21 2016

Apr 21 2016

Apr 22 2016
This medium+ severity security issue is a regression on trunk. Please fix this asap. If you are unable to look into this soon, please revert your change. - Your friendly ClusterFuzz
Apr 22 2016
Users experienced this crash on the following builds:
Win Canary 52.0.2714.0 - 1.49 CPM, 8 reports, 7 clients (signature base::trace_event::TraceLog::AddTraceEventWithThreadIdAndTimestamp)
Mac Canary 52.0.2714.0 - 6.34 CPM, 5 reports, 5 clients (signature base::trace_event::TraceLog::AddTraceEventWithThreadIdAndTimestamp)
If this update was incorrect, please add "Fracas-Wrong" label to prevent future updates. - Go/Fracas
Apr 22 2016
Reverting the change for now since the memory leak it fixes is minuscule: https://codereview.chromium.org/1909403002/
Apr 22 2016
The following revision refers to this bug:
https://chromium.googlesource.com/chromium/src.git/+/aebd9e45b4f25580dc77fe706823f77e89a2865b

commit aebd9e45b4f25580dc77fe706823f77e89a2865b
Author: skyostil <skyostil@chromium.org>
Date: Fri Apr 22 14:43:29 2016

Revert of Make RenderFrameImpl own its frame blame context (patchset #2 id:20001 of https://codereview.chromium.org/1907453002/ )

Reason for revert:
This is causing a use-after-free: crbug.com/605480

BUG= 605480

Original issue's description:
> Make RenderFrameImpl own its frame blame context
>
> RenderFrameImpl creates the respective frame blame context, but was
> mistakenly not freeing it.
>
> BUG= 546021

TBR=jochen@chromium.org
# Not skipping CQ checks because original CL landed more than 1 days ago.
BUG= 546021

Review URL: https://codereview.chromium.org/1909403002
Cr-Commit-Position: refs/heads/master@{#389104}

[modify] https://crrev.com/aebd9e45b4f25580dc77fe706823f77e89a2865b/content/renderer/render_frame_impl.cc
[modify] https://crrev.com/aebd9e45b4f25580dc77fe706823f77e89a2865b/content/renderer/render_frame_impl.h
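The revert above describes the ownership mismatch behind this report: the reverted CL made RenderFrameImpl delete the frame blame context, while the scheduler's task queue still held a raw pointer to it and entered it on every task (the BlameContext::Enter call under TaskQueueImpl::NotifyWillProcessTask in the crash state). The C++ sketch below is an added illustration of that pattern, not code from Chromium or from either CL; BlameContext, TaskQueue, FrameUnsafe and FrameSafe are hypothetical stand-ins that model only the lifetime relationship. It places the reverted shape (owner frees, queue keeps a dangling pointer) beside a form where the owner detaches the context from the queue before freeing it.

```cpp
#include <functional>
#include <memory>
#include <string>
#include <utility>

// Hypothetical stand-in for base::trace_event::BlameContext: only the
// Enter/Leave calls that the crash stack shows are modelled.
struct BlameContext {
  explicit BlameContext(std::string n) : name(std::move(n)) {}
  std::string name;
  int enter_count = 0;
  void Enter() { ++enter_count; }
  void Leave() {}
};

// Hypothetical stand-in for TaskQueueImpl: it keeps a non-owning pointer and
// dereferences it before every task, as NotifyWillProcessTask does.
class TaskQueue {
 public:
  void SetBlameContext(BlameContext* ctx) { blame_context_ = ctx; }
  const BlameContext* blame_context() const { return blame_context_; }

  // Runs one task; returns true if a blame context was entered around it.
  bool ProcessTask(const std::function<void()>& task) {
    bool entered = false;
    if (blame_context_) {
      blame_context_->Enter();  // reads freed memory if the owner deleted it
      entered = true;
    }
    task();
    if (blame_context_) blame_context_->Leave();
    return entered;
  }

 private:
  BlameContext* blame_context_ = nullptr;
};

// Shape of the reverted CL: the frame owns (and so frees) the context but
// never tells the queue. After ~FrameUnsafe the queue holds a dangling
// pointer and the next ProcessTask is a heap-use-after-free (ASan reports
// it; a release build silently reads whatever now occupies that memory).
// Included for contrast only; nothing below instantiates it.
class FrameUnsafe {
 public:
  explicit FrameUnsafe(TaskQueue* queue)
      : queue_(queue),
        blame_context_(std::make_unique<BlameContext>("frame")) {
    queue_->SetBlameContext(blame_context_.get());
  }
  // Implicit destructor frees blame_context_ while queue_ still points at it.

 private:
  TaskQueue* queue_;
  std::unique_ptr<BlameContext> blame_context_;
};

// Hardened form: the owner detaches the context from every raw-pointer
// holder before the memory goes away, so owning the allocation cannot leave
// a dangling pointer behind in the queue.
class FrameSafe {
 public:
  explicit FrameSafe(TaskQueue* queue)
      : queue_(queue),
        blame_context_(std::make_unique<BlameContext>("frame")) {
    queue_->SetBlameContext(blame_context_.get());
  }
  ~FrameSafe() { queue_->SetBlameContext(nullptr); }  // detach, then free

  FrameSafe(const FrameSafe&) = delete;
  FrameSafe& operator=(const FrameSafe&) = delete;

 private:
  TaskQueue* queue_;
  std::unique_ptr<BlameContext> blame_context_;
};

// Drives the hardened version. Returns {entered while the frame was alive,
// entered after the frame was destroyed}; the second must be false because
// the queue no longer has a context to dereference.
std::pair<bool, bool> RunSafeScenario() {
  TaskQueue queue;
  bool while_alive = false;
  {
    FrameSafe frame(&queue);
    while_alive = queue.ProcessTask([] {});
  }
  bool after_destroy = queue.ProcessTask([] {});
  return {while_alive, after_destroy};
}

int main() {
  auto r = RunSafeScenario();
  return (r.first && !r.second) ? 0 : 1;
}
```

Running the FrameUnsafe variant under an ASan build is what reproduces a report of the kind ClusterFuzz filed here; the point of the safe variant is that the detach lives in the same destructor that releases the memory, so the two cannot drift apart.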
Apr 24 2016
ClusterFuzz has detected this issue as fixed in range 388749:389333.
Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5120230254182400
Fuzzer: ochang_domfuzzer
Job Type: linux_asan_chrome_mp
Platform Id: linux
Crash Type: Heap-use-after-free READ 8
Crash Address: 0x60700002b2c0
Crash State:
  base::trace_event::BlameContext::Enter
  scheduler::internal::TaskQueueImpl::NotifyWillProcessTask
  scheduler::TaskQueueManager::ProcessTaskFromWorkQueue
Recommended Security Severity: High
Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_chrome_mp&range=388479:388495
Fixed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_chrome_mp&range=388749:389333
Minimized Testcase (32.74 Kb): https://cluster-fuzz.appspot.com/download/AMIfv96Hrqtp0VcDhqw1ILyJLCqWV4TPbeyDoNkhe3ybULsHmQJ0aa8jXoNLMjghLj0Qe-QbDV7wz0fN_OPM1kzqxspmBveotIMpVIPU8BUC19r9EqNVx-1JOCdyR-a7P4YrRjH8d-AfFKiwl-rdXf263KOTtkqo9aV68LzgihWzORHyYwCBd30
See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Apr 26 2016

May 23 2016
I kicked off a Redo 'Fixed' job to ensure that the issue is not reproducible now.
May 23 2016
ClusterFuzz has detected this issue as fixed in range 388749:389333.
Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5120230254182400
Fuzzer: ochang_domfuzzer
Job Type: linux_asan_chrome_mp
Platform Id: linux
Crash Type: Heap-use-after-free READ 8
Crash Address: 0x60700002b2c0
Crash State:
  base::trace_event::BlameContext::Enter
  scheduler::internal::TaskQueueImpl::NotifyWillProcessTask
  scheduler::TaskQueueManager::ProcessTaskFromWorkQueue
Recommended Security Severity: High
Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_chrome_mp&range=388479:388495
Fixed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_chrome_mp&range=388749:389333
Minimized Testcase (32.74 Kb): https://cluster-fuzz.appspot.com/download/AMIfv96Hrqtp0VcDhqw1ILyJLCqWV4TPbeyDoNkhe3ybULsHmQJ0aa8jXoNLMjghLj0Qe-QbDV7wz0fN_OPM1kzqxspmBveotIMpVIPU8BUC19r9EqNVx-1JOCdyR-a7P4YrRjH8d-AfFKiwl-rdXf263KOTtkqo9aV68LzgihWzORHyYwCBd30
See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
May 23 2016
Well, looks fixed.

May 23 2016
[Automated comment] Commit may have occurred before M52 branch point (5/19/2016), needs manual review.
May 23 2016
It's fixed but there's still a (tiny) memory leak here we'll need to address.

May 23 2016
Should we remove merge-request in this case?
May 24 2016

May 24 2016
Please address the memory leak in a new functional bug; no more work needed on the security bug here.
Jun 1 2016
M52 (branch 2743) branched Chromium at revision 394939, so the CL listed in comment #7 (389104) is already in M52. Hence, removing the "Merge-Review-52" label.
Jun 9 2016
Bug for memory leak: crbug.com/618599
Jul 25 2016

Aug 30 2016
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Oct 1 2016
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Oct 2 2016
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Oct 2 2016
Comment 1 by mmoroz@chromium.org, Apr 21 2016
Labels: Pri-1
Owner: skyos...@chromium.org