Fixes use after free caused by delete in RootWindowController (2)

ash/root_window_controller.cc

Index: ash/root_window_controller.cc
diff --git a/ash/root_window_controller.cc b/ash/root_window_controller.cc
index 9327cbd077a5b7b0aa8063d75099723fbf1ad7b9..a1b030eb88c9f86f79a657286ff2af2bf5eb223c 100644
--- a/ash/root_window_controller.cc
+++ b/ash/root_window_controller.cc
@@ -437,7 +437,8 @@ void RootWindowController::CloseChildWindows() {
   workspace_controller_.reset();
   aura::client::SetTooltipClient(root_window_.get(), NULL);
 
-  // Remove all toplevel windows first.
+  // Explicitly destroy top level windows. We do this as during part of
+  // destruction such windows may query the RootWindow for state.
   std::queue<aura::Window*> non_toplevel_windows;
   non_toplevel_windows.push(root_window_.get());
   while (!non_toplevel_windows.empty()) {
@@ -446,6 +447,8 @@ void RootWindowController::CloseChildWindows() {
     aura::WindowTracker toplevel_windows;
     for (size_t i = 0; i < non_toplevel_window->children().size(); ++i) {
       aura::Window* child = non_toplevel_window->children()[i];
+      if (!child->owned_by_parent())
+        continue;
       if (child->delegate())
         toplevel_windows.Add(child);
       else
@@ -455,8 +458,14 @@ void RootWindowController::CloseChildWindows() {
       delete *toplevel_windows.windows().begin();
   }
   // And then remove the containers.
-  while (!root_window_->children().empty())
-    delete root_window_->children()[0];
+  while (!root_window_->children().empty()) {
+    aura::Window* window = root_window_->children()[0];
+    if (window->owned_by_parent()) {
+      delete window;
+    } else {
+      root_window_->RemoveChild(window);
+    }
+  }
 
   shelf_.reset(NULL);
 }