HttpBridge: Fix null pointer deref with some timings on abort

In particular, when the fetch actually completes in the window between
Abort() and DestroyURLLoaderOnIOThread()

Bug: 879150
Change-Id: I0331af60d89e6142ed00f255aea391237403c215
Reviewed-on: https://chromium-review.googlesource.com/1196962Reviewed-by: Antonio Gomes <tonikitoo@igalia.com>
Reviewed-by: Marc Treib <treib@chromium.org>
Commit-Queue: Maks Orlovich <morlovich@chromium.org>
Cr-Commit-Position: refs/heads/master@{#587653}

components/sync/engine/net/http_bridge.cc

@@ -389,6 +389,11 @@ void HttpBridge::OnURLLoadComplete(std::unique_ptr<std::string> response_body) {
   base::AutoLock lock(fetch_state_lock_);
 
   network::SimpleURLLoader* url_loader = fetch_state_.url_loader.get();
+  // If the fetch completes in the window between Abort() and
+  // DestroyURLLoaderOnIOThread() this will still run. Abort() has already
+  // reported the result, so no extra work is needed.
+  if (fetch_state_.aborted)
+    return;
 
   int response_code = -1;
   if (url_loader->ResponseInfo() && url_loader->ResponseInfo()->headers) {

components/sync/engine/net/http_bridge_unittest.cc

@@ -373,9 +373,8 @@ TEST_F(MAYBE_SyncHttpBridgeTest, AbortAndReleaseBeforeFetchComplete) {
   // Schedule the fetch completion callback (but don't run it yet). Don't take
   // a reference to the bridge to mimic URLFetcher's handling of the delegate.
   ASSERT_TRUE(io_thread()->task_runner()->PostTask(
-      FROM_HERE, base::BindOnce(&syncer::HttpBridge::OnURLLoadCompleteInternal,
-                                base::Unretained(bridge_for_race_test()), 200,
-                                net::OK, 0, GURL("http://www.google.com"),
+      FROM_HERE, base::BindOnce(&syncer::HttpBridge::OnURLLoadComplete,
+                                base::Unretained(bridge_for_race_test()),
                                 std::make_unique<std::string>("success!"))));
 
   // Abort the fetch. This should be smart enough to handle the case where