UserAgent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:56.0) Gecko/20100101 Firefox/56.0

Example URL:

Steps to reproduce the problem:
This problem may be reproduced with the following unit test

TEST_F(NetExportFileWriterTest, DestroyWhileStoppingLog) {
  // requires FRIEND_TEST_ALL_PREFIXES(NetExportFileWriterTest, DestroyWhileStoppingLog);
  // in components/net_log/net_export_file_writer.h
  auto file_writer = base::WrapUnique(new NetExportFileWriter(net_log()));
  file_writer->AddObserver(test_state_observer());

  file_writer->Initialize(net_thread()->task_runner());

  auto state = test_state_observer()->WaitForNewState();
  ASSERT_TRUE(VerifyState(std::move(state), kStateInitializingString));

  state = test_state_observer()->WaitForNewState();
  ASSERT_TRUE(VerifyState(std::move(state), kStateNotLoggingString));

  file_writer->StartNetLog(base::FilePath(), net::NetLogCaptureMode::Default(),
      kMaxLogSizeBytes, base::CommandLine::StringType(),
      kChannelString, URLRequestContextGetterList());

  state = test_state_observer()->WaitForNewState();
  ASSERT_TRUE(VerifyState(std::move(state), kStateStartingLogString));

  state = test_state_observer()->WaitForNewState();
  ASSERT_TRUE(VerifyState(std::move(state), kStateLoggingString));

  // as if ~NetExportMessageHandler called it
  file_writer->StopNetLog(nullptr, nullptr);

  // as if ~ChromeNetLog called it
  file_writer->RemoveObserver(test_state_observer());
  file_writer.reset();
}

What is the expected behavior?

What went wrong?
After chrome://net-export page has initiated net export file writing and browser is closed, NetExportFileWriter::file_net_log_observer_->StopObserving may be called in two ways

* by the net_log::NetExportFileWriter::~NetExportFileWriter with the following stack
        net::FileNetLogObserver::StopObserving
        net_log::NetExportFileWriter::~NetExportFileWriter
        ...
        net_log::ChromeNetLog::~ChromeNetLog
        ...
        BrowserProcessImpl::~BrowserProcessImpl
        ...

* by the net_log::NetExportFileWriter::StopNetLogAfterAddNetInfo with the following stack
        net::FileNetLogObserver::StopObserving
        net_log::NetExportFileWriter::StopNetLogAfterAddNetInfo
        net_log::NetExportFileWriter::StopNetLog
        `anonymous namespace'::NetExportMessageHandler::~NetExportMessageHandler
        ...
        content::WebUIImpl::~WebUIImpl
        ...
        TabStripModel::CloseAllTabs
        Browser::OnWindowClosing
        BrowserView::CanClose
        ...

StopNetLogAfterAddNetInfo passes ResetObserverThenSetStateNotLogging to StopObserving as a closure which is posted to FileNetLogObserver::file_task_runner_. If ResetObserverThenSetStateNotLogging (resetting file_net_log_observer_) executes after ~NetExportFileWriter, file_net_log_observer_->StopObserving is called twice. The second call executes net_log()->RemoveObserver(this) when net_log() == nullptr which causes a crash.

Did this work before? N/A 

Chrome version: master  Channel: dev
OS Version: 
Flash Version: