Fix use after free bug by calling GetTokenService in Core's ctor.

sync/internal_api/attachments/attachment_uploader_impl_unittest.cc

 // Copyright 2014 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "sync/internal_api/public/attachments/attachment_uploader_impl.h"
 
 #include "base/bind.h"
 #include "base/callback.h"
 #include "base/memory/ref_counted.h"
 #include "base/memory/ref_counted_memory.h"
@@ skipping 117 matching lines @@
     const std::string& access_token) {
   ++num_invalidate_token_;
   last_token_invalidated_ = access_token;
 }
 
 class TokenServiceProvider
     : public OAuth2TokenServiceRequest::TokenServiceProvider,
       base::NonThreadSafe {
  public:
   TokenServiceProvider(OAuth2TokenService* token_service);
-  virtual ~TokenServiceProvider();
 
   // OAuth2TokenService::TokenServiceProvider implementation.
   virtual scoped_refptr<base::SingleThreadTaskRunner>
       GetTokenServiceTaskRunner() OVERRIDE;
   virtual OAuth2TokenService* GetTokenService() OVERRIDE;
 
  private:
+  virtual ~TokenServiceProvider();
+
   scoped_refptr<base::SingleThreadTaskRunner> task_runner_;
   OAuth2TokenService* token_service_;
 };
 
 TokenServiceProvider::TokenServiceProvider(OAuth2TokenService* token_service)
     : task_runner_(base::ThreadTaskRunnerHandle::Get()),
       token_service_(token_service) {
   DCHECK(token_service_);
 }
 
@@ skipping 105 matching lines @@
       new net::TestURLRequestContextGetter(message_loop_.message_loop_proxy());
 
   ASSERT_TRUE(server_.InitializeAndWaitUntilReady());
   server_.RegisterRequestHandler(
       base::Bind(&RequestHandler::HandleRequest,
                  base::Unretained(request_handler_.get())));
 
   GURL url(base::StringPrintf("http://localhost:%d/", server_.port()));
 
   token_service_.reset(new MockOAuth2TokenService);
-  scoped_ptr<OAuth2TokenServiceRequest::TokenServiceProvider>
+  scoped_refptr<OAuth2TokenServiceRequest::TokenServiceProvider>
       token_service_provider(new TokenServiceProvider(token_service_.get()));
 
   OAuth2TokenService::ScopeSet scopes;
   scopes.insert(GaiaConstants::kChromeSyncOAuth2Scope);
   uploader().reset(new AttachmentUploaderImpl(url,
                                               url_request_context_getter_,
                                               kAccountId,
                                               scopes,
-                                              token_service_provider.Pass()));
+                                              token_service_provider));
 
   upload_callback_ = base::Bind(&AttachmentUploaderImplTest::UploadDone,
                                 base::Unretained(this));
 }
 
 void AttachmentUploaderImplTest::TearDown() {
   base::RunLoop().RunUntilIdle();
 }
 
 void AttachmentUploaderImplTest::RunAndWaitFor(int num_uploads) {
@@ skipping 297 matching lines @@
               testing::Contains(testing::Pair(header_name, header_value)));
 
   // See that we invalidated the token.
   ASSERT_EQ(1, token_service().num_invalidate_token());
 }
 
 // TODO(maniscalco): Add test case for when we are uploading an attachment that
 // already exists.  409 Conflict? (bug 379825)
 
 }  // namespace syncer