I tried to update ChromeSyncClient's retrieval of the HistoryService from EXPLICIT_ACCESS to IMPLICIT_ACCESS in https://codereview.chromium.org/2769113002. This change was ultimately rolled back, but one ramification is that when history is forced off by kSavingBrowserHistoryDisabled, the BookmarkDataTypeController's bizarre handling of receiving a nullptr for HistoryService resulted in a crash on ChromeOS; see issue 709610.
It asks for the HistoryService (in addition to BookmarkModel), and if it's null or not loaded, adds an observer. However, if it was null, this adding of an observer is going to crash. The only reason it used to be safe is that with the EXPLICIT_ACCESS, it never received a nullptr. The ProfileSyncServiceFactory depends on HistoryService, so if it is going to be created, it should already have been created.
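The branch described in the report, reduced to a self-contained sketch next to a form that treats a missing service as its own case. This is an added example, not Chromium code: `Observer`, `HistoryService`, `Controller`, `StartResult` and every method name here are hypothetical stand-ins, and returning "unavailable" for a disabled history service is an assumption about the desired behaviour.

```cpp
#include <vector>

// Hypothetical stand-ins; not Chromium's real classes or signatures.
struct Observer { virtual ~Observer() = default; };

class HistoryService {
 public:
  explicit HistoryService(bool loaded) : loaded_(loaded) {}
  bool is_loaded() const { return loaded_; }
  void AddObserver(Observer* o) { observers_.push_back(o); }
  int observer_count() const { return static_cast<int>(observers_.size()); }
 private:
  bool loaded_;
  std::vector<Observer*> observers_;
};

enum class StartResult { kReady, kWaitingForHistory, kHistoryUnavailable };

class Controller : public Observer {
 public:
  // Pattern from the report: "null" and "not loaded" share one branch, so a
  // null service reaches AddObserver(). Safe only if nullptr never arrives.
  StartResult StartFlawed(HistoryService* history) {
    if (!history || !history->is_loaded()) {
      history->AddObserver(this);  // null dereference when history == nullptr
      return StartResult::kWaitingForHistory;
    }
    return StartResult::kReady;
  }

  // Hardened: absence is handled before any member call.
  // Assumption: a disabled history service means there is nothing to wait for.
  StartResult StartChecked(HistoryService* history) {
    if (!history) return StartResult::kHistoryUnavailable;
    if (!history->is_loaded()) {
      history->AddObserver(this);
      return StartResult::kWaitingForHistory;
    }
    return StartResult::kReady;
  }
};

int main() {
  Controller c;
  HistoryService pending(false);  // constructed sample: service exists, not loaded
  bool ok = c.StartChecked(nullptr) == StartResult::kHistoryUnavailable &&
            c.StartChecked(&pending) == StartResult::kWaitingForHistory;
  return ok ? 0 : 1;
}
```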
Comment 1 by s...@chromium.org, Jan 17 2018
Owner: mastiz@chromium.org
Status: Assigned (was: Available)