Fix MenuController Heap-use-after-free

ui/views/controls/menu/menu_controller.cc

Index: ui/views/controls/menu/menu_controller.cc
diff --git a/ui/views/controls/menu/menu_controller.cc b/ui/views/controls/menu/menu_controller.cc
index 95dd4f9a9de9b687b422ecd8e10584fe9590fc8b..e7c02a01ef8418f8065747aac596e626cb3d436e 100644
--- a/ui/views/controls/menu/menu_controller.cc
+++ b/ui/views/controls/menu/menu_controller.cc
@@ -2576,6 +2576,9 @@ void MenuController::ExitAsyncRun() {
   // ExitMenuRun unwinds nested delegates
   internal::MenuControllerDelegate* delegate = delegate_;
   MenuItemView* result = ExitMenuRun();
+  // MenuController may have been deleted when releasing ViewsDelegate ref.
+  if (!GetActiveInstance())
+    return;
   delegate->OnMenuClosed(internal::MenuControllerDelegate::NOTIFY_DELEGATE,
                          result, accept_event_flags_);
   // MenuController may have been deleted by |delegate|.
@@ -2589,6 +2592,10 @@ MenuItemView* MenuController::ExitMenuRun() {
   if (async_run_ && ViewsDelegate::GetInstance())
     ViewsDelegate::GetInstance()->ReleaseRef();
 
+  // Releasing the lock can result in Chrome shutting down, deleting this.
+  if (!GetActiveInstance())
+    return nullptr;
+
   // Close any open menus.
   SetSelection(nullptr, SELECTION_UPDATE_IMMEDIATELY | SELECTION_EXIT);