Fix object lifetime bug in ResolverProxyMsgHelper::OnProxyLookupComplete

It needs to hold onto a reference to itself until the end of the method,
instead of just until its HasOneRef() check has completed.

Bug: 907524
Change-Id: I75fab97b07fe55f30a6a7c6def390f5d0bc28c4f
Reviewed-on: https://chromium-review.googlesource.com/c/1352684
Commit-Queue: Matt Menke <mmenke@chromium.org>
Reviewed-by: John Abd-El-Malek <jam@chromium.org>
Reviewed-by: Eric Roman <eroman@chromium.org>
Cr-Commit-Position: refs/heads/master@{#611920}

content/browser/resolve_proxy_msg_helper.cc

@@ -97,14 +97,18 @@ void ResolveProxyMsgHelper::OnProxyLookupComplete(
 
   binding_.Close();
 
-  // If all references except |owned_self_| have been released, just release
-  // the last reference, without doing anything.
-  if (HasOneRef()) {
-    scoped_refptr<ResolveProxyMsgHelper> self = std::move(owned_self_);
+  // Need to keep |this| alive until the end of this method, and then release
+  // this reference. StartPendingRequest(), if called, will grab other
+  // reference, and a reference may be owned by the IO thread or by other
+  // posted tasks, so |this| may or may not be deleted at the end of this
+  // method.
+  scoped_refptr<ResolveProxyMsgHelper> owned_self = std::move(owned_self_);
+
+  // If all references except |owned_self| have been released, then there's
+  // nothing waiting for pending requests to complete. So just exit this method,
+  // which will release the last reference, destroying |this|.
+  if (HasOneRef())
     return;
-  }
-
-  owned_self_ = nullptr;
 
   // Clear the current (completed) request.
   PendingRequest completed_req = std::move(pending_requests_.front());