Stop accessing the destroyed aura::Window pointer.

The pointers of aura::Window stored in |task_id_to_arc_app_window_info_|
are expected to be cleaned in OnTaskDestroyed().
However, it's possible to use it after the aura::Window is destroyed,
but before OnTaskDestroyed() is called.
This CL fixes use-after-free by clearing the pointers in
OnWindowDestroying().

Bug: b:168775950
Test: atest --iterations 30 android.server.wm.MultiDisplayActivityLaunchTests
Change-Id: I27526cb92722799f46046a7ccdffbd577e4c9355
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2466013Reviewed-by: Nancy Wang <nancylingwang@chromium.org>
Commit-Queue: Yuichiro Hanada <yhanada@chromium.org>
Cr-Commit-Position: refs/heads/master@{#816419}

chrome/browser/ui/ash/launcher/app_service/app_service_app_window_arc_tracker.cc

@@ -97,6 +97,13 @@ void AppServiceAppWindowArcTracker::OnWindowVisibilityChanged(
 
 void AppServiceAppWindowArcTracker::OnWindowDestroying(aura::Window* window) {
   app_service_controller_->UnregisterWindow(window);
+  // Replace the pointers to the window by nullptr to prevent from using it
+  // before OnTaskDestroyed() is called to remove the entry from
+  // |task_id_to_arc_app_window_info_|;
+  const int task_id = arc::GetWindowTaskId(window);
+  auto it = task_id_to_arc_app_window_info_.find(task_id);
+  if (it != task_id_to_arc_app_window_info_.end())
+    it->second->set_window(nullptr);
 }
 
 void AppServiceAppWindowArcTracker::OnAppStatesChanged(