It is very possible I'm simply confused and things are actually safe. But my current understanding is that WebHistoryService::QueryHistory() returns an owning unique_ptr<WebHistoryService::Request> to the caller. When the async call across the network finishes, a callback is invoked with this request object.
It almost seems like if WebHistoryService::QueryHistoryCompletionCallback is just careful enough and doesn't touch the request itself, we may be fine. But RequestImpl::OnURLFetchComplete is going to get called when the network call finishes, and it uses member fields.
Two problems here:
* The caller may not still exist, only something that's linked to KeyedService's dependencies would really be able to guarantee they still exist, and this is far too onerous of a thing to require of callers. BrowserHistoryService has this problem.
* It isn't obvious/intuitive to caller that destroying the request early is dangerous. See HistoryCounter for an example of this.
I'm not sure if it's possible to use a weak ptr with content::URLFetcherDelegate interface. Could definitely move ownership of the Request inside of the WebHistoryService and allow callers to bind their callbacks with weak ptrs.