Chrome Version: 61
OS: Linux

What steps will reproduce the problem?
(1) Edit third_party/WebKit/Source/modules/webshare/NavigatorShare.idl: Add "optional" before ShareData.
(2) Edit third_party/WebKit/Source/modules/webshare/NavigatorShare.cpp: In NavigatorShare::share, remove the ProcessingUserGesture() check.
(3) Build blink_tests target.
(4) out/Default/content_shell --run-layout-test fast/dom/navigator-detached-no-crash.html

What is the expected result?
PASS Accessing a navigator object that just got removed does not crash. 
PASS Accessing a navigator object that got removed some time before does not crash. 

What happens instead?
[1:1:0630/161035.465521:110292422970:FATAL:NavigatorShare.cpp(119)] Check failed: frame. 
#0 0x7f2ce877f9ec base::debug::StackTrace::StackTrace()
#1 0x7f2ce87a6dae logging::LogMessage::~LogMessage()
#2 0x7f2ce3210b09 blink::NavigatorShare::share()
#3 0x7f2ce321156d blink::NavigatorShare::share()
#4 0x7f2ce2ded393 blink::V8NavigatorPartial::shareMethodCallback()
#5 0x7f2ce5af3daa v8::internal::FunctionCallbackArguments::Call()
#6 0x7f2ce5bccb85 v8::internal::(anonymous namespace)::HandleApiCallHelper<>()
#7 0x7f2ce5bcb520 v8::internal::Builtin_Impl_HandleApiCall()
#8 0x1917053044c4 <unknown>

The fact that we have to modify the code to trigger this doesn't mean it's good, it just means the test isn't triggering the required condition (the test is calling navigator.share() with no arguments and no user gesture). The crash can still theoretically be triggered if an argument is supplied and a user gesture is given.

The DCHECK(frame) needs to be a proper runtime check.