service worker: Fix double delete in ServiceWorkerProviderHost's destructor.

ServiceWorkerProviderHost destructor destroys ServiceWorkerVersion,
which destroys ServiceWorkerEventDispatcher which some Mojo interfaces
are associated with. Namely, it causes ServiceWorkerObjectHost and maybe
ServiceWorkerRegistrationObjectHost's Mojo connection error handlers
to be invoked during ServiceWorkerProviderHost's destructor. The
error handlers attempt to use the halfway destroyed
ServiceWorkerProviderHost. Fix things by explictly destroying
the hosts in the destructor.

No test because I don't see a good way to test this.

Bug: 854993, 838410
Change-Id: I62f057c641738fa3ed9b780550fd3d4b730ef98a
Reviewed-on: https://chromium-review.googlesource.com/1139850Reviewed-by: Kenichi Ishibashi <bashi@chromium.org>
Reviewed-by: Ken Rockot <rockot@chromium.org>
Commit-Queue: Matt Falkenhagen <falken@chromium.org>
Cr-Commit-Position: refs/heads/master@{#575796}

content/browser/service_worker/service_worker_provider_host.cc

@@ -283,6 +283,16 @@ ServiceWorkerProviderHost::~ServiceWorkerProviderHost() {
   // Remove |this| as an observer of ServiceWorkerRegistrations.
   // TODO(falken): Use ScopedObserver instead of this explicit call.
   RemoveAllMatchingRegistrations();
+
+  // Explicitly destroy the ServiceWorkerObjectHosts and
+  // ServiceWorkerRegistrationObjectHosts owned by |this|. Otherwise, this
+  // destructor can trigger their Mojo connection error handlers, which would
+  // call back into halfway destroyed |this|. This is because they are
+  // associated with the ServiceWorkerEventDispatcher interface, which can
+  // be destroyed while in this destructor (|running_hosted_version_|'s
+  // |event_dispatcher_|). See https://crbug.com/854993.
+  service_worker_object_hosts_.clear();
+  registration_object_hosts_.clear();
 }
 
 int ServiceWorkerProviderHost::frame_id() const {