Heap-use-after-free in base::WaitableEvent::TimedWaitUntil
Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5240258263515136

Fuzzer: meacer_extension_apis
Job Type: linux_asan_chrome_mp
Platform Id: linux

Crash Type: Heap-use-after-free READ 8
Crash Address: 0x617000009cf8
Crash State:
  base::WaitableEvent::TimedWaitUntil
  base::WaitableEvent::Wait
  ChromeHistoryBackendClient::GetBookmarks

Sanitizer: address (ASAN)

Recommended Security Severity: Critical

Unminimized Testcase: https://cluster-fuzz.appspot.com/download/AMIfv95LM5yINjrWtAk9_CY77WEltgzcbooMv5LZYq-LcJTGEGoOEeUIpa9DUcHqejMGZn8aX27Z3nQeWtMg085n85ZzUX_Nol8FNwcUVo4hkHLVr5OhqGTo8PDNQYjIa9hb-ByyfuSft0ik631hJWY2VW_5cmkui3NYjeg-kNx-HuPp1fOF0n5eDB40liex4j8Nc6lobplGmD-Tqh9geIW-F-tNkqHUyGJxibFOB75wFwdHrD6wLIvGSw4iQVon276YHCX_ClcCGYdROyORGLGPgsy3VZ6FHjaCcpP1CL4pj8B7cUQe6ySGvBS7K90TJGf62cVmGmm0gTLf7MMsOVBMAU0LUx2ml-IbkByUa9kmjolWFYa97Vw?testcase_id=5240258263515136

Issue filed automatically.

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
Jan 18 2017
Jan 18 2017
This might affect all POSIX, not just Linux?
Jan 18 2017
Jan 19 2017
I am traveling and won't be able to take a good look at this until Monday. I doubt it is related to my change because on the POSIX side it was just a slight refactoring that didn't touch any core logic: https://codereview.chromium.org/2433773005/diff/160001/base/synchronization/waitable_event_posix.cc
Jan 19 2017
sky@, is it possible for the bookmark model to be destroyed while the history backend is blocked waiting in BookmarkModel::BlockTillLoaded()?
Jan 19 2017
I think the actual issue is in BookmarkModel or HistoryBackend, or ChromeHistoryBackendClient. This looks like a race condition where on the main thread the entire profile including Bookmark model gets destroyed and on another thread HistoryBackend runs history::HistoryBackend::ExpireHistoryBetween task which blocks while it is trying to get bookmark model loaded. Basically the main thread deletes a WaitableEvent instance while the background thread is waiting on that instance. I don't know who should own this. Any suggestions?
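The race described in this comment, reduced to a stand-alone illustration. This is an added example, not Chromium code: `Event` is a hypothetical stand-in for base::WaitableEvent, and the two functions show the two lifetime rules that keep a waiter from reading a destroyed event (the waiter co-owns the event, or the owner flushes outstanding work before destroying it).

```cpp
// Added example (not Chromium's base::WaitableEvent): a minimal event and the
// two ownership rules that prevent "main thread deletes the event while a
// background thread is still waiting on it".
#include <chrono>
#include <condition_variable>
#include <memory>
#include <mutex>
#include <thread>

class Event {
 public:
  // Blocks until Signal() or the timeout elapses; returns true if signalled.
  bool TimedWaitFor(std::chrono::milliseconds timeout) {
    std::unique_lock<std::mutex> lock(mu_);
    return cv_.wait_for(lock, timeout, [this] { return signaled_; });
  }
  void Signal() {
    { std::lock_guard<std::mutex> lock(mu_); signaled_ = true; }
    cv_.notify_all();
  }
 private:
  std::mutex mu_;
  std::condition_variable cv_;
  bool signaled_ = false;
};

// Rule 1: the waiting thread co-owns the event. The owner dropping its handle
// (the "profile teardown" side) cannot free memory the waiter still reads.
bool WaitWithSharedOwnership() {
  auto event = std::make_shared<Event>();
  bool saw_signal = false;
  std::thread waiter([event, &saw_signal] {   // copies the shared_ptr
    saw_signal = event->TimedWaitFor(std::chrono::seconds(5));
  });
  event->Signal();
  event.reset();  // owner's reference gone; the waiter's copy keeps it alive
  waiter.join();
  return saw_signal;
}

// Rule 2: the owner flushes (here: joins) outstanding work before the event
// goes out of scope, so no waiter can exist once the destructor runs.
bool WaitWithFlushBeforeDestroy() {
  bool saw_signal = false;
  {
    Event event;  // stack-owned: would dangle if the waiter outlived this scope
    std::thread waiter([&] { saw_signal = event.TimedWaitFor(std::chrono::seconds(5)); });
    event.Signal();
    waiter.join();  // flush: the waiter has returned before 'event' is destroyed
  }
  return saw_signal;
}
```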
Jan 19 2017
Jan 20 2017
Jan 20 2017
The following revision refers to this bug:
https://chromium.googlesource.com/chromium/src.git/+/8f3596ad8588a28907ccfca0f9c9af984e3c5681

commit 8f3596ad8588a28907ccfca0f9c9af984e3c5681
Author: gab <gab@chromium.org>
Date: Fri Jan 20 01:56:12 2017

Revert of Enable BrowserScheduler.RedirectHistoryService experiment on trunk. (patchset #7 id:140001 of https://codereview.chromium.org/2592813002/ )

Reason for revert:
Suspected culprit http://crbug.com/680698 and http://crbug.com/682219 per HistoryService tasks no longer being guaranteed to be flushed in ~HistoryService -- which BookmarksModel depends on.

Original issue's description:
> Enable BrowserScheduler.RedirectHistoryService experiment on trunk.
>
> BUG=661143
> Committed: https://crrev.com/4aa30591e0953da7e0c54ffdb91856e496d16b5f
> Cr-Commit-Position: refs/heads/master@{#440418}
>
> Reverted: https://crrev.com/2885403f92c9ab0a8769c2c41e859502da5a7e6f
> Cr-Commit-Position: refs/heads/master@{#440479}
> Cause of revert fixed in https://codereview.chromium.org/2611053003/.
>
> Review-Url: https://codereview.chromium.org/2592813002
> Cr-Commit-Position: refs/heads/master@{#441997}
> Committed: https://chromium.googlesource.com/chromium/src/+/344517411399fc467e5a6938e4793650729b3506

TBR=rkaplow@chromium.org
# Not skipping CQ checks because original CL landed more than 1 days ago.
BUG=661143, 680698 , 682219

Review-Url: https://codereview.chromium.org/2642253002
Cr-Commit-Position: refs/heads/master@{#444942}

[modify] https://crrev.com/8f3596ad8588a28907ccfca0f9c9af984e3c5681/testing/variations/fieldtrial_testing_config.json
Jan 20 2017
ClusterFuzz has detected this issue as fixed in range 444912:444973.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5240258263515136

Fuzzer: meacer_extension_apis
Job Type: linux_asan_chrome_mp
Platform Id: linux

Crash Type: Heap-use-after-free READ 8
Crash Address: 0x617000009cf8
Crash State:
  base::WaitableEvent::TimedWaitUntil
  base::WaitableEvent::Wait
  ChromeHistoryBackendClient::GetBookmarks

Sanitizer: address (ASAN)

Recommended Security Severity: Critical

Fixed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_chrome_mp&range=444912:444973

Unminimized Testcase: https://cluster-fuzz.appspot.com/download/AMIfv95LM5yINjrWtAk9_CY77WEltgzcbooMv5LZYq-LcJTGEGoOEeUIpa9DUcHqejMGZn8aX27Z3nQeWtMg085n85ZzUX_Nol8FNwcUVo4hkHLVr5OhqGTo8PDNQYjIa9hb-ByyfuSft0ik631hJWY2VW_5cmkui3NYjeg-kNx-HuPp1fOF0n5eDB40liex4j8Nc6lobplGmD-Tqh9geIW-F-tNkqHUyGJxibFOB75wFwdHrD6wLIvGSw4iQVon276YHCX_ClcCGYdROyORGLGPgsy3VZ6FHjaCcpP1CL4pj8B7cUQe6ySGvBS7K90TJGf62cVmGmm0gTLf7MMsOVBMAU0LUx2ml-IbkByUa9kmjolWFYa97Vw?testcase_id=5240258263515136

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Jan 20 2017
ClusterFuzz testcase 5240258263515136 is verified as fixed, so closing issue. If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
Jan 20 2017
Mar 6 2017
Mar 17 2017
Mar 17 2017
This bug requires manual review: Reverts referenced in bugdroid comments after merge request.
Please contact the milestone owner if you have questions.
Owners: amineer@(Android), cmasso@(iOS), bhthompson@(ChromeOS), govind@(Desktop)

For more details visit https://www.chromium.org/issue-tracking/autotriage
- Your friendly Sheriffbot
Mar 20 2017
Before we approve M58 Merge request, can you please confirm if this is well tested in Canary?
Mar 21 2017
Looks like this is already in M58, no merge needed.
Mar 31 2017
Apr 28 2017
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage
- Your friendly Sheriffbot