Bug 311060
| Summary: | Null deref crash under RenderLayerBacking::updateAncestorClipping() | | |
|---|---|---|---|
| Product: | WebKit | Reporter: | David Kilzer (:ddkilzer) <ddkilzer> |
| Component: | Layout and Rendering | Assignee: | David Kilzer (:ddkilzer) <ddkilzer> |
| Status: | RESOLVED FIXED | | |
| Severity: | Normal | CC: | bfulgham, simon.fraser, webkit-bug-importer, zalan |
| Priority: | P2 | Keywords: | InRadar |
| Version: | WebKit Nightly Build | | |
| Hardware: | Unspecified | | |
| OS: | Unspecified | | |
| See Also: | https://bugs.webkit.org/show_bug.cgi?id=308230 | | |
David Kilzer (:ddkilzer)
Null pointer dereference in `RenderLayerBacking::updateAncestorClipping()` when the render tree is torn down during Back/Forward Cache eviction.
The `RenderLayerBacking` destructor calls `updateAncestorClipping(false, nullptr)`. When `m_ancestorClippingStack` is non-null, the `else if` branch calls `m_owningLayer.page().scrollingCoordinator()`, which dereferences a null `Page` pointer. The frame's page has already been detached by `CachedFrame::destroy()` before the render tree is torn down.
This is the same class of bug as Bug 308230 (307858@main), which fixed the identical pattern in `updateOverflowControlsLayers()`.
Crash stack:
```
0 WebCore: WeakPtrImplBase::get<Page>()
1 WebCore: WeakPtr<Page>::get()
2 WebCore: Frame::page()
3 WebCore: RenderObject::page()
4 WebCore: RenderLayer::page()
5 WebCore: RenderLayerBacking::updateAncestorClipping()
6 WebCore: RenderLayerBacking::~RenderLayerBacking()
7 WebCore: RenderLayer::clearBacking()
8 WebCore: RenderLayer::~RenderLayer()
[...]
36 WebCore: Document::destroyRenderTree()
37 WebCore: Document::willBeRemovedFromFrame()
38 WebCore: LocalFrame::setView()
39 WebCore: FrameLoader::detachFromParent()
40 WebCore: FrameLoader::frameDetached()
41 WebCore: HTMLFrameOwnerElement::disconnectContentFrame()
42 WebCore: disconnectSubframes()
43 WebCore: Document::willBeRemovedFromFrame()
46 WebCore: CachedFrame::destroy()
[...]
51 WebCore: CachedPage::~CachedPage()
[...]
58 WebCore: BackForwardCache::addIfCacheable()
59 WebCore: FrameLoader::commitProvisionalLoad()
```
All 5 crash logs show EXC_BAD_ACCESS (SIGSEGV) at address 0x8 (null + offset) on the main thread.
<rdar://150587917>
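The teardown ordering in the report, as an added, simplified model that is not WebKit code: the type and method names (`Frame::page()`, `RenderLayer::page()`, `updateAncestorClipping`, `m_ancestorClippingStack`) only mirror the crash stack so the shape is recognisable, and every body here is an assumption. `simulateTeardown(true, ...)` reproduces the state the stack describes (the page is gone before the render tree is destroyed), and the checked variant shows one common remediation for this pattern: take the page as a pointer and skip the coordinator work when it is null. The report does not show the landed WebKit change, so this is illustrative, not the actual fix.

```cpp
#include <cstdio>
#include <memory>

// Constructed stand-ins for the objects in the crash stack (assumption).
struct ScrollingCoordinator {
    int removedStacks = 0;
    void removeClippingStack(int /*layerId*/) { ++removedStacks; }
};

struct Page {
    ScrollingCoordinator m_coordinator;
    ScrollingCoordinator* scrollingCoordinator() { return &m_coordinator; }
};

// Frame -> Page is a weak reference (cf. WeakPtr<Page> in the stack). Once the
// Page's owner drops it, page() yields nullptr: the state the render tree is
// torn down in after CachedFrame::destroy() has run.
struct Frame {
    std::weak_ptr<Page> m_page;
    Page* page() const {
        auto live = m_page.lock();
        return live ? live.get() : nullptr; // owner keeps it alive while attached
    }
};

struct ClippingStack { };

struct RenderLayer {
    Frame& m_frame;
    int m_id;
    RenderLayer(Frame& frame, int id) : m_frame(frame), m_id(id) { }
    Frame& frame() { return m_frame; }
    int id() const { return m_id; }
    // Shape of the bug: a reference-returning accessor that assumes the page
    // is always present. With a detached frame this dereferences nullptr.
    Page& page() { return *m_frame.page(); }
};

enum class Outcome { NoStack, DetachedFromCoordinator, PageAlreadyGone };

// The else-if branch as the report describes it: reaches the coordinator via
// page(), so it is only safe while the page is attached. Kept for comparison;
// simulateTeardown() never calls it.
Outcome updateAncestorClippingUnchecked(RenderLayer& owner, std::unique_ptr<ClippingStack>& stack) {
    if (!stack)
        return Outcome::NoStack;
    owner.page().scrollingCoordinator()->removeClippingStack(owner.id()); // null deref once the page is gone
    stack.reset();
    return Outcome::DetachedFromCoordinator;
}

// Hardened form (assumed remediation): fetch the page as a pointer and skip the
// coordinator work when it is already gone; the stack is owned here, so it is
// released either way.
Outcome updateAncestorClippingChecked(RenderLayer& owner, std::unique_ptr<ClippingStack>& stack) {
    if (!stack)
        return Outcome::NoStack;
    Outcome outcome = Outcome::PageAlreadyGone;
    if (Page* page = owner.frame().page()) {
        page->scrollingCoordinator()->removeClippingStack(owner.id());
        outcome = Outcome::DetachedFromCoordinator;
    }
    stack.reset();
    return outcome;
}

struct RenderLayerBacking {
    RenderLayer& m_owningLayer;
    std::unique_ptr<ClippingStack> m_ancestorClippingStack;
    RenderLayerBacking(RenderLayer& layer, bool hasStack) : m_owningLayer(layer) {
        if (hasStack)
            m_ancestorClippingStack = std::make_unique<ClippingStack>();
    }
    // The destructor runs the same path; a second call is harmless because the
    // first one reset the stack.
    Outcome teardown() { return updateAncestorClippingChecked(m_owningLayer, m_ancestorClippingStack); }
    ~RenderLayerBacking() { teardown(); }
};

// detachPageFirst=true reproduces the ordering in the crash stack: the page
// goes away (CachedFrame::destroy()) before the render tree is destroyed.
Outcome simulateTeardown(bool detachPageFirst, bool hasClippingStack) {
    auto page = std::make_shared<Page>();
    Frame frame{page};
    RenderLayer layer(frame, 1);
    RenderLayerBacking backing(layer, hasClippingStack);
    if (detachPageFirst)
        page.reset(); // the weak pointer held by Frame now expires
    return backing.teardown();
}

int main() {
    std::printf("page gone, stack present: %d\n", static_cast<int>(simulateTeardown(true, true)));
    std::printf("page live, stack present: %d\n", static_cast<int>(simulateTeardown(false, true)));
    std::printf("page gone, no stack: %d\n", static_cast<int>(simulateTeardown(true, false)));
    return 0;
}
```

The point of the model is the accessor shape: `RenderLayer::page()` returns a reference, so the caller has no way to express "no page", and the only safe place to make the decision is before that accessor is used. Any destructor or teardown helper that can run after the frame has been detached from its page needs the pointer form of the accessor and an explicit null check, which is the same observation Bug 308230 made for `updateOverflowControlsLayers()`.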
David Kilzer (:ddkilzer)
Pull request: https://github.com/WebKit/WebKit/pull/61654
EWS
Committed 310278@main (f19f83b2829c): <https://commits.webkit.org/310278@main>
Reviewed commits have been landed. Closing PR #61654 and removing active labels.