x11: Fix UAF crash in XWindow's delayed resize task execution

XWindow can be destroyed in the middle of a delayed resize closure
execution. It may happen when that window is snapped into a tab bar.
More specifically when a nested move loop, used to intercept and forward
the mouse events during a tab dragging session, is triggered by a bounds
change event notified from a delayed resize task.

To fix it, this uses a weak pointer to verify whether the window
instance is still alive after notifying the bounds change in the delayed
resize function implementation.

Bug: 1068755, 1021490
Change-Id: I08eff38d5f5f28ec54e489dc183f3f0cfdde2480
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2144996Reviewed-by: Thomas Anderson <thomasanderson@chromium.org>
Commit-Queue: Nick Yamane <nickdiego@igalia.com>
Cr-Commit-Position: refs/heads/master@{#758552}

ui/base/x/x11_window.cc

@@ -146,7 +146,6 @@ XWindow::XWindow()
 }
 
 XWindow::~XWindow() {
-  CHECK(!resize_weak_factory_.HasWeakPtrs());
   DCHECK_EQ(xwindow_, x11::None) << "XWindow destructed without calling "
                                     "Close() to release allocated resources.";
 }
@@ -1418,12 +1417,13 @@ void XWindow::DelayedResize(const gfx::Rect& bounds_in_pixels) {
   }
   NotifyBoundsChanged(bounds_in_pixels);
 
-  // TODO(crbug.com/1021490): Crashes during window re-attaching while dragging
-  // a tab points out to the XWindow instance being destroyed in the middle of
-  // DelayedResize closure execution. This + CHECK'ing weak references in dtor
-  // helps better identify such unexpected scenario.
+  // Bounds change propagation above may spin a window move loop, which might
+  // end up closing and destroying this instance (e.g: when a chrome window is
+  // snapped into a tab strip). So we must handle this possible scenario before
+  // trying to access any class variable/function. See crbug.com/1068755.
   if (!alive)
     return;
+
   CancelResize();
 }