Issue 622973


Issue metadata

Status: Fixed
Owner:
Closed: Jun 2016
Components:
EstimatedDays: ----
NextAction: ----
OS: ----
Pri: 2
Type: Bug

Null pointer deref in base::SupportsUserData::GetUserData

Reported by chromium...@gmail.com, Jun 24 2016

Issue description

VERSION
Chrome Version: 53.0.2777.0 
Operating System: Ubuntu 14.04

REPRODUCTION CASE
- Launch the testcase and click on the button to open a popup window (gmail.com), then click on the protocol handler bubble and wait. When the gmail.com tab closes, the bubble stays up and shows over the previous tab, so if you click on "Allow" or "Deny" you get the crash.

testcase.html (185 bytes)
I don't get a protocol handler bubble with the test case on Linux 14.04, and I'm not sure how it would trigger one?
Did you check if gmail.com is not activated on chrome://settings-frame/handlers?
The key parts of your test case that were missing are:

1. You need to be logged into Gmail
2. You need to click the protocol handler page action in the omnibar when Gmail loads in the new tab
3. Gmail can't already be installed as a service protocol handler

Despite this, I still can't recreate your issue. When I follow your steps, the tab closing closes the bubble (which it should do). The bubble doesn't stay up over the previous tab.

Can you perhaps capture a screen recording of this crash?
Oops! Sorry, I didn't provide those parts. Anyway, I've made this video to show how I repro this crash easily on Windows, but on Windows it hits a NULL deref, unlike on Linux and OSX (crash/989187c400000000).

Actual.mp4 (699 KB)
Components: UI>Browser>Bubbles Internals>PlatformIntegration
Owner: benwells@chromium.org
Status: Assigned (was: Unconfirmed)
Thanks for the video, that's most informative. Over to benwells@ for the service protocol handler dialog. Ben, can you please see if you can reproduce this crash and confirm if it's a use-after-free?
Labels: Security_Severity-High Security_Impact-Head
Tentatively assigning labels
Comment 7 by sheriffbot@chromium.org, Jun 24 2016

Labels: M-53
Comment 8 by sheriffbot@chromium.org, Jun 24 2016

Labels: ReleaseBlock-Beta
This issue is a security regression. If you are not able to fix this quickly, please revert the change that introduced it.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Comment 9 by sheriffbot@chromium.org, Jun 24 2016

Labels: Pri-1
I can't repro on Chrome/52.0.2743.10 (X11; Linux x86_64). Will update and see what happens...
Can't repro on Chrome/53.0.2774.3 (X11; Linux x86_64) either.

Note for me, once the tab is closed by the test case the bubble is also closed.

The video appears to be from Windows, but the original report says Ubuntu. Was this really observed on Linux?
I've just reproduced this on Windows canary, will take a look.
I have a fix about to go out to review for this, but from my analysis this is just a null pointer deref, not a heap use after free. So, not sure if it needs all the security bits.

OP: can you give more information about your repro on Linux, and why you've labelled it a heap use after free?
Ben, I think on Windows it hits a null pointer deref, and that was already reported in issue 470264, but I'm nervous about comment #19 in issue 470264, which seems to show a UaF on Linux.
Looking at the crash report, the UAF is in a different UI, which doesn't handle the WC being destroyed. My guess is some seemingly unrelated changes to WC implementation for before unload handlers (in the regression range) have exposed a race condition, but I'll comment on the other bug about it.
Comment 16 by bugdroid1@chromium.org, Jun 29 2016

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/6ca90e6b157c59c0556bff78b9e0ad81bf1e3aae

commit 6ca90e6b157c59c0556bff78b9e0ad81bf1e3aae
Author: benwells <benwells@chromium.org>
Date: Wed Jun 29 00:15:25 2016

Handle WebContents going away in content settings bubbles.

This fixes null dereference crashes when tabs close with open bubbles.

BUG= 622973 

Review-Url: https://codereview.chromium.org/2103733002
Cr-Commit-Position: refs/heads/master@{#402610}

[modify] https://crrev.com/6ca90e6b157c59c0556bff78b9e0ad81bf1e3aae/chrome/browser/ui/content_settings/content_setting_bubble_model.cc
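The lifetime problem behind this bug, reduced to a stand-alone sketch (added example; not Chromium's code and not the patch above): a bubble keeps a raw pointer to the tab it was opened for, the tab is destroyed when it closes, and a later "Allow" click must not dereference that pointer. `TabContents`, `TabObserver` and `HandlerBubble` are constructed stand-ins for `WebContents`, `WebContentsObserver` and the content-setting bubble model, and the sample URL is made up.

```cpp
#include <algorithm>
#include <memory>
#include <string>
#include <vector>
class TabContents;
// Stand-in for content::WebContentsObserver (constructed for this example).
class TabObserver {
 public:
  virtual ~TabObserver() = default;
  virtual void OnTabDestroyed(TabContents* tab) = 0;
};
// Stand-in for content::WebContents: destroyed when its tab closes, and tells observers.
class TabContents {
 public:
  explicit TabContents(const std::string& url) : url_(url) {}
  ~TabContents() { for (auto* o : observers_) o->OnTabDestroyed(this); }
  void AddObserver(TabObserver* o) { observers_.push_back(o); }
  void RemoveObserver(TabObserver* o) {
    observers_.erase(std::remove(observers_.begin(), observers_.end(), o), observers_.end());
  }
  const std::string& url() const { return url_; }
 private:
  std::string url_;
  std::vector<TabObserver*> observers_;
};
// Stand-in for a content-setting bubble model that keeps a raw pointer to its tab.
class HandlerBubble : public TabObserver {
 public:
  explicit HandlerBubble(TabContents* tab) : tab_(tab) { tab_->AddObserver(this); }
  ~HandlerBubble() override { if (tab_) tab_->RemoveObserver(this); }
  void OnTabDestroyed(TabContents* tab) override { if (tab == tab_) tab_ = nullptr; }
  // "Allow" click: once the tab is gone, return false and touch nothing.
  // Without the null guard this would dereference tab_ == nullptr.
  bool OnAllowClicked() {
    if (!tab_) return false;
    allowed_url_ = tab_->url();
    return true;
  }
  const std::string& allowed_url() const { return allowed_url_; }
 private:
  TabContents* tab_;
  std::string allowed_url_;
};
// The report's sequence: popup tab opens, bubble opens, tab closes, user clicks Allow.
// Returns true when the click was handled without touching the dead tab.
bool ClickAfterTabClosed() {
  auto tab = std::make_unique<TabContents>("https://gmail.com/");  // constructed sample
  HandlerBubble bubble(tab.get());
  tab.reset();  // tab closed while the bubble is still showing
  return !bubble.OnAllowClicked();
}
```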

Status: Fixed (was: Assigned)
Ben, thanks for the quick fix!

Since this is just a null pointer deref, please remove the security flags.
Labels: -Type-Bug-Security -Restrict-View-SecurityTeam -Security_Impact-Head -Security_Severity-High Restrict-View-Google Type-Bug
Labels: -Restrict-View-Google -Pri-1 -ReleaseBlock-Beta Pri-2
Summary: Null pointer deref in base::SupportsUserData::GetUserData (was: Security: Heap-use-after-free in base::SupportsUserData::GetUserData)