authormad@google.com <mad@google.com@0039d316-1c4b-4281-b951-d872f2087c98>2010-12-08 11:13:31 +0000
committermad@google.com <mad@google.com@0039d316-1c4b-4281-b951-d872f2087c98>2010-12-08 11:13:31 +0000
commit5a3c8cca93deab2c46bc2d7d78855c2959c1ccdc (patch)
tree0b6ddcc8857abc6dd911fcc0b3474922456ae608 /ceee
parent1b7366fd13db0afb5a3d1a2f4b053187d6308722 (diff)
Fix a crash where the chrome_frame_ gets used after it was released.
See bug description for more details, all we need to do is check the pointer before using it. BUG=65826 TEST=This is most likely happening when the user closes a tab very quickly after creating it. Review URL: http://codereview.chromium.org/5611007 git-svn-id: svn://svn.chromium.org/chrome/trunk/src@68584 0039d316-1c4b-4281-b951-d872f2087c98
Diffstat (limited to 'ceee')
-rw-r--r--ceee/ie/plugin/bho/browser_helper_object.cc6
1 files changed, 6 insertions, 0 deletions
diff --git a/ceee/ie/plugin/bho/browser_helper_object.cc b/ceee/ie/plugin/bho/browser_helper_object.cc
index 24fbaf8..507cc19 100644
--- a/ceee/ie/plugin/bho/browser_helper_object.cc
+++ b/ceee/ie/plugin/bho/browser_helper_object.cc
@@ -616,6 +616,12 @@ bool BrowserHelperObject::EnsureTabId() {
return true;
}
+ // We might get here AFTER TearDown if onCreated successfully got deferred
+ // yet we never got a valid tab_id_ before we got torn down, and then
+ // onRemoved is called AFTER TearDown, which releases chrome_frame_host_.
+ if (chrome_frame_host_ == NULL)
+ return false;
+
HRESULT hr = chrome_frame_host_->GetSessionId(&tab_id_);
DCHECK(SUCCEEDED(hr));
if (hr == S_FALSE) {
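Review bot: The new `if (chrome_frame_host_ == NULL)` guard only prevents the use-after-release if TearDown leaves the member NULL when it releases it, and nothing in the hunk shows that. If that holds, the comment should say so, for example `// Relies on TearDown() resetting chrome_frame_host_ to NULL on release.` The guard covers this one dereference, so any other path that can run after TearDown (the comment names onRemoved) would need the same check; those paths are outside the hunk. The `return false` is also silent, and EnsureTabId's callers are not visible here, so it is worth confirming they treat false as "give up" rather than as a reason to defer and retry. The TEST= line describes a manual scenario only; a unit test that calls EnsureTabId after TearDown would pin the fix. EnsureTabId starts before and continues after this hunk.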