Allow for re-entrance in the notification manager.

chrome/browser/notifications/message_center_notification_manager.cc

Index: chrome/browser/notifications/message_center_notification_manager.cc
diff --git a/chrome/browser/notifications/message_center_notification_manager.cc b/chrome/browser/notifications/message_center_notification_manager.cc
index bee7ece94a03e58a84caca7a0e4f6e3fdf94a3b2..043c043823145fde23e53cb78df33d0dc386ab22 100644
--- a/chrome/browser/notifications/message_center_notification_manager.cc
+++ b/chrome/browser/notifications/message_center_notification_manager.cc
@@ -352,7 +352,22 @@ void MessageCenterNotificationManager::AddProfileNotification(
 
 void MessageCenterNotificationManager::RemoveProfileNotification(
     const std::string& notification_id) {
-  profile_notifications_.erase(notification_id);
+  auto it = profile_notifications_.find(notification_id);
+  if (it == profile_notifications_.end())
+    return;
+
+  // Delay destruction of the ProfileNotification until after all the work
+  // removing it from |profile_notifications_| is complete. This must be done
+  // because this ProfileNotification might have the one ScopedKeepAlive object
+  // that was keeping the browser alive, and destroying it would result in a re-
+  // entrant call to this class. Because every method in this class touches
+  // |profile_notifications_|, |profile_notifications_| must always be in a
+  // self-consistent state in moments where re-entrance might happen.
+  // https://crbug.com/649971
+  std::unique_ptr<ProfileNotification> notification = std::move(it->second);
+  profile_notifications_.erase(it);
+  // Now that the map modifications are complete, going out of scope will
+  // destroy the notification.
 }
 
 ProfileNotification* MessageCenterNotificationManager::FindProfileNotification(