mash: Fix ui_devtools shutdown UAF

ash::Shell owned by ChromeBrowserMainExtraPartsAsh is released
before UiDevToolsServer owned by ChromeBrowserMainExtraPartsViews.
This causes a use-after-free in DOMAgentAura dtor when it tries to
RemoveObserver from the already released Env of ash::Shell.

Fix the issue by explicitly releasing |devtools_server_| in
ChromeBrowserMainExtraPartsViews::PostMainMessageLoopRun.

Bug: 896977
Change-Id: I07172d8014dc17c1a91a11e220579a13ad0524b0
Reviewed-on: https://chromium-review.googlesource.com/c/1370832Reviewed-by: Scott Violet <sky@chromium.org>
Reviewed-by: Michael Wasserman <msw@chromium.org>
Commit-Queue: Xiyuan Xia <xiyuan@chromium.org>
Cr-Commit-Position: refs/heads/master@{#615533}

chrome/browser/ui/views/chrome_browser_main_extra_parts_views.cc

@@ -138,4 +138,13 @@ void ChromeBrowserMainExtraPartsViews::PostMainMessageLoopRun() {
   // down explicitly here to avoid a case where such an event arrives during
   // shutdown.
   relaunch_notification_controller_.reset();
+
+#if defined(USE_AURA)
+  // Explicitly release |devtools_server_| to avoid use-after-free under
+  // single process mash, where |devtools_server_| indirectly accesses
+  // the Env of ash::Shell during destruction and ash::Shell as part of
+  // ChromeBrowserMainExtraPartsAsh is released before
+  // ChromeBrowserMainExtraPartsViews.
+  devtools_server_.reset();
+#endif
 }