I was looking through the code trying to see what might be going on in the crash in Issue 675854. It seemed like it could be related to notifications firing after an object has been dealloced.
With that thought in mind, I noticed that base_bubble_controller.mm has -registerForNotifications and -unregisterFromNotifications methods, which seems fine. However, its subclasses chooser_bubble_ui_cocoa.mm and permission_bubble_controller.mm use a different pattern to register for and unregister from notifications. Specifically, these classes register for notifications in -initWithBrowser:..., and deregister in windowWillClose:. These subclasses really need to follow the same pattern for notification registration as their base class: they should create their own -registerForNotifications and -unregisterFromNotifications methods in which they manage their notification registrations, and they should call super on those methods. If they don't manage their notifications this way, they can wind up registered for a notification when they should not be.
For example, after a PermissionBubbleController is created it's registered for an NSWindowDidMoveNotification notification. But if someone sends a setParentWindow:nil to it, the BaseBubbleController's -unregisterFromNotifications will unregister it from that notification. PermissionBubbleController will never unregister itself from the NSWindowDidMoveNotifications because its windowWillClose: method will never be called.
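The paired-hook pattern the report asks for, as an added example that is not part of the original report and is not Chromium's code. The classes `BubbleBase` and `PermissionBubble`, the `parent` property and both notification names are hypothetical stand-ins for BaseBubbleController, its subclass, the parent window and NSWindowDidMoveNotification, using Foundation only.

```objc
// Added example; BubbleBase, PermissionBubble and both notification names are hypothetical stand-ins.
#import <Foundation/Foundation.h>
static NSString* const kParentMoved = @"ExampleParentDidMove";
static NSString* const kParentResized = @"ExampleParentDidResize";
static NSNotificationCenter* NC(void) { return [NSNotificationCenter defaultCenter]; }
@interface BubbleBase : NSObject
@property(nonatomic, strong) id parent;  // stands in for the parent window
@property(nonatomic) int moves;          // count of move notifications delivered
- (void)registerForNotifications;
- (void)unregisterFromNotifications;
@end
@implementation BubbleBase
- (void)setParent:(id)parent {
  if (_parent) [self unregisterFromNotifications];  // runs the subclass override too
  _parent = parent;
  if (_parent) [self registerForNotifications];
}
- (void)registerForNotifications {
  [NC() addObserver:self selector:@selector(parentResized:) name:kParentResized object:_parent];
}
- (void)unregisterFromNotifications {
  [NC() removeObserver:self name:kParentResized object:_parent];
}
- (void)parentResized:(NSNotification*)note {}
@end

@interface PermissionBubble : BubbleBase @end
@implementation PermissionBubble
// The subclass adds its own observers inside the same hooks and chains to super,
// so any path that detaches the parent also removes them.
- (void)registerForNotifications {
  [super registerForNotifications];
  [NC() addObserver:self selector:@selector(parentMoved:) name:kParentMoved object:self.parent];
}
- (void)unregisterFromNotifications {
  [NC() removeObserver:self name:kParentMoved object:self.parent];
  [super unregisterFromNotifications];
}
- (void)parentMoved:(NSNotification*)note { self.moves++; }
@end

int main(void) {
  @autoreleasepool {
    NSObject* window = [NSObject new];
    PermissionBubble* bubble = [PermissionBubble new];
    bubble.parent = window;
    [NC() postNotificationName:kParentMoved object:window];
    bubble.parent = nil;  // detach, as -setParentWindow:nil would
    [NC() postNotificationName:kParentMoved object:window];
    return bubble.moves == 1 ? 0 : 1;  // nonzero if the detached bubble was still notified
  }
}
```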
Comment 1 by mpear...@chromium.org, Jun 27 2017