Reland Fix MenuController Heap-use-after-free

ui/views/controls/menu/menu_controller.cc

Index: ui/views/controls/menu/menu_controller.cc
diff --git a/ui/views/controls/menu/menu_controller.cc b/ui/views/controls/menu/menu_controller.cc
index 95dd4f9a9de9b687b422ecd8e10584fe9590fc8b..79ff77c75f2c375f07f12cac10116b21a5829cb0 100644
--- a/ui/views/controls/menu/menu_controller.cc
+++ b/ui/views/controls/menu/menu_controller.cc
@@ -2575,9 +2575,13 @@ void MenuController::ExitAsyncRun() {
   bool nested = delegate_stack_.size() > 1;
   // ExitMenuRun unwinds nested delegates
   internal::MenuControllerDelegate* delegate = delegate_;
+  // MenuController may have been deleted when releasing ViewsDelegate ref.
+  // However as |delegate| can outlive this, it must still be notified of the
+  // menu closing so that it can perform teardown.
+  int accept_event_flags = accept_event_flags_;
   MenuItemView* result = ExitMenuRun();
   delegate->OnMenuClosed(internal::MenuControllerDelegate::NOTIFY_DELEGATE,
-                         result, accept_event_flags_);
+                         result, accept_event_flags);
   // MenuController may have been deleted by |delegate|.
   if (GetActiveInstance() && nested && exit_type_ == EXIT_ALL)
     ExitAsyncRun();
@@ -2589,6 +2593,10 @@ MenuItemView* MenuController::ExitMenuRun() {
   if (async_run_ && ViewsDelegate::GetInstance())
     ViewsDelegate::GetInstance()->ReleaseRef();
 
+  // Releasing the lock can result in Chrome shutting down, deleting this.
+  if (!GetActiveInstance())
+    return nullptr;
+
   // Close any open menus.
   SetSelection(nullptr, SELECTION_UPDATE_IMMEDIATELY | SELECTION_EXIT);