Avoid UAF on ConnectionFilter impls

services/navigation/navigation.cc

Index: services/navigation/navigation.cc
diff --git a/services/navigation/navigation.cc b/services/navigation/navigation.cc
index 46375862e74339ee63aa0f7adfb3c81ddc578a1d..b9db546bf80daeb9388e17b9cfd59c7e66d170b1 100644
--- a/services/navigation/navigation.cc
+++ b/services/navigation/navigation.cc
@@ -29,7 +29,8 @@ void CreateViewOnViewTaskRunner(
 
 Navigation::Navigation()
     : view_task_runner_(base::ThreadTaskRunnerHandle::Get()),
-      ref_factory_(base::MessageLoop::QuitWhenIdleClosure()) {
+      ref_factory_(base::MessageLoop::QuitWhenIdleClosure()),
+      weak_factory_(this) {
   bindings_.set_connection_error_handler(
       base::Bind(&Navigation::ViewFactoryLost, base::Unretained(this)));
 }
@@ -46,16 +47,11 @@ bool Navigation::OnConnect(const shell::Identity& remote_identity,
   }
   client_user_id_ = remote_user_id;
 
-  registry->AddInterface<mojom::ViewFactory>(this);
+  registry->AddInterface(
+      base::Bind(&Navigation::CreateViewFactory, weak_factory_.GetWeakPtr()));
   return true;
 }
 
-void Navigation::Create(const shell::Identity& remote_identity,
-                        mojom::ViewFactoryRequest request) {
-  bindings_.AddBinding(this, std::move(request));
-  refs_.insert(ref_factory_.CreateRef());
-}
-
 void Navigation::CreateView(mojom::ViewClientPtr client,
                             mojom::ViewRequest request) {
   std::unique_ptr<shell::Connector> new_connector = connector_->Clone();
@@ -68,6 +64,11 @@ void Navigation::CreateView(mojom::ViewClientPtr client,
                  base::Passed(&context_ref)));
 }
 
+void Navigation::CreateViewFactory(mojom::ViewFactoryRequest request) {
+  bindings_.AddBinding(this, std::move(request));
+  refs_.insert(ref_factory_.CreateRef());
+}
+
 void Navigation::ViewFactoryLost() {
   refs_.erase(refs_.begin());
 }