Got this issue from http://crbug.com/695398.

So basically MediaSessionServiceImpl is a mojo service created by RenderFrameHostImpl. However in some situations it can still receive message after the RenderFrameHostImpl is destroyed.

Before the fix of that bug, MediaSessionServiceImpl assumes it will be destroyed when RFH is destroyed, so it's safe to store a raw pointer of RFH. However the assumption was wrong, and MediaSessionServiceImpl can outlive RFH.

I assume RFHImpl::InvalidateMojoConnection() should have done all the tear down for mojo services, but it does not.

dcheng@, can you take a look?