A previous attempt was made in https://codereview.chromium.org/1907453002, but got reverted due to causing use-after-free:  crbug.com/605480 

I'm investigating the root cause of  crbug.com/605480  to see what else is needed in order to fix the leak.

The root cause of the use-after-free has been identified.

A FrameBlameContext is owned by RenderFrameImpl, but can also be kept as raw ptrs in WebFrameSchedulerImpl. The raw ptrs should be cleared when LocalFrame::detach() is called.

The current implementation does it by clearing |m_frameScheduler| in LocalFrame::detach() after detachChildren() and before m_loader.stopAllLoaders(). However, the later may dispatch events which results in creation of new WebFrameSchedulerImpl, which again grabs and stores the about-to-be-destoryed FrameBlameContext as a raw ptr.

I'm crafting a patch and will upload it tomorrow.

Thanks a lot for getting to the bottom of this.

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/01c3b106a46f15a7250ce869b294fcc35fe0662f

commit 01c3b106a46f15a7250ce869b294fcc35fe0662f
Author: xiaochengh <xiaochengh@chromium.org>
Date: Mon Jun 13 23:56:08 2016

Make sure FrameScheduler is cleared when LocalFrame::detach() finishes

This patch is a relanding of https://codereview.chromium.org/1907453002 (Make
RenderFrameImpl own its frame blame context) with necessary modification:

Since a FrameScheduler may be created in LocalFrame::detach() due to scripting,
this patch adds an extra clearing of |m_frameScheduler| to make sure it is cleared.

BUG= 618599 

Review-Url: https://codereview.chromium.org/2053233002
Cr-Commit-Position: refs/heads/master@{#399607}

[modify] https://crrev.com/01c3b106a46f15a7250ce869b294fcc35fe0662f/content/renderer/render_frame_impl.cc
[modify] https://crrev.com/01c3b106a46f15a7250ce869b294fcc35fe0662f/content/renderer/render_frame_impl.h
[modify] https://crrev.com/01c3b106a46f15a7250ce869b294fcc35fe0662f/third_party/WebKit/Source/core/frame/LocalFrame.cpp

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/01c3b106a46f15a7250ce869b294fcc35fe0662f

commit 01c3b106a46f15a7250ce869b294fcc35fe0662f
Author: xiaochengh <xiaochengh@chromium.org>
Date: Mon Jun 13 23:56:08 2016

Make sure FrameScheduler is cleared when LocalFrame::detach() finishes

This patch is a relanding of https://codereview.chromium.org/1907453002 (Make
RenderFrameImpl own its frame blame context) with necessary modification:

Since a FrameScheduler may be created in LocalFrame::detach() due to scripting,
this patch adds an extra clearing of |m_frameScheduler| to make sure it is cleared.

BUG= 618599 

Review-Url: https://codereview.chromium.org/2053233002
Cr-Commit-Position: refs/heads/master@{#399607}

[modify] https://crrev.com/01c3b106a46f15a7250ce869b294fcc35fe0662f/content/renderer/render_frame_impl.cc
[modify] https://crrev.com/01c3b106a46f15a7250ce869b294fcc35fe0662f/content/renderer/render_frame_impl.h
[modify] https://crrev.com/01c3b106a46f15a7250ce869b294fcc35fe0662f/third_party/WebKit/Source/core/frame/LocalFrame.cpp

The patch seems to stick.