Fix possible use-after-free in WGC3D shared context map

Remove WGC3D from the map in Destroy() rather than ~WGC3DCBImpl(),
because removal from the multimap needs |host_|.
Otherwise it's possible that MaybeInitializeGL() and CreateContext()
fail and call Destroy(), which resets |host_|, and we already inserted
ourselves in the map.

BUG=325071

Review URL: https://codereview.chromium.org/102823002

git-svn-id: svn://svn.chromium.org/chrome/trunk/src@238546 0039d316-1c4b-4281-b951-d872f2087c98

content/common/gpu/client/webgraphicscontext3d_command_buffer_impl.cc

@@ -239,17 +239,6 @@ WebGraphicsContext3DCommandBufferImpl::
     real_gl_->SetErrorMessageCallback(NULL);
   }
 
-  if (host_.get()) {
-    base::AutoLock lock(g_all_shared_contexts_lock.Get());
-    ContextMap& all_contexts = g_all_shared_contexts.Get();
-    ContextMap::iterator it = std::find(
-        all_contexts.begin(),
-        all_contexts.end(),
-        std::pair<GpuChannelHost* const,
-                  WebGraphicsContext3DCommandBufferImpl*>(host_.get(), this));
-    if (it != all_contexts.end())
-      all_contexts.erase(it);
-  }
   Destroy();
 }
 
@@ -455,6 +444,18 @@ uint32_t WebGraphicsContext3DCommandBufferImpl::lastFlushID() {
 DELEGATE_TO_GL_R(insertSyncPoint, InsertSyncPointCHROMIUM, unsigned int)
 
 void WebGraphicsContext3DCommandBufferImpl::Destroy() {
+  if (host_.get()) {
+    base::AutoLock lock(g_all_shared_contexts_lock.Get());
+    ContextMap& all_contexts = g_all_shared_contexts.Get();
+    ContextMap::iterator it = std::find(
+        all_contexts.begin(),
+        all_contexts.end(),
+        std::pair<GpuChannelHost* const,
+                  WebGraphicsContext3DCommandBufferImpl*>(host_.get(), this));
+    if (it != all_contexts.end())
+      all_contexts.erase(it);
+  }
+
   if (gl_) {
     // First flush the context to ensure that any pending frees of resources
     // are completed. Otherwise, if this context is part of a share group,