display compositor: Fix a use-after-free when a frame sink is destroyed.

services/ui/surfaces/display_compositor.cc

Index: services/ui/surfaces/display_compositor.cc
diff --git a/services/ui/surfaces/display_compositor.cc b/services/ui/surfaces/display_compositor.cc
index 6c922fdde40d268ade043f6d4cc334a515bed69a..b022b427513302d476642d788cae236145c217c2 100644
--- a/services/ui/surfaces/display_compositor.cc
+++ b/services/ui/surfaces/display_compositor.cc
@@ -55,7 +55,7 @@ void DisplayCompositor::OnClientConnectionLost(
     bool destroy_compositor_frame_sink) {
   DCHECK(thread_checker_.CalledOnValidThread());
   if (destroy_compositor_frame_sink)
-    compositor_frame_sinks_.erase(frame_sink_id);
+    DestroyCompositorFrameSink(frame_sink_id);
   // TODO(fsamuel): Tell the display compositor host that the client connection
   // has been lost so that it can drop its private connection and allow a new
   // client instance to create a new CompositorFrameSink.
@@ -66,7 +66,7 @@ void DisplayCompositor::OnPrivateConnectionLost(
     bool destroy_compositor_frame_sink) {
   DCHECK(thread_checker_.CalledOnValidThread());
   if (destroy_compositor_frame_sink)
-    compositor_frame_sinks_.erase(frame_sink_id);
+    DestroyCompositorFrameSink(frame_sink_id);
 }
 
 void DisplayCompositor::CreateDisplayCompositorFrameSink(
@@ -155,6 +155,10 @@ std::unique_ptr<cc::Display> DisplayCompositor::CreateDisplay(
       base::MakeUnique<cc::TextureMailboxDeleter>(task_runner_.get()));
 }
 
+void DisplayCompositor::DestroyCompositorFrameSink(cc::FrameSinkId sink_id) {
+  compositor_frame_sinks_.erase(sink_id);
+}
+
 void DisplayCompositor::OnSurfaceCreated(const cc::SurfaceInfo& surface_info) {
   DCHECK(thread_checker_.CalledOnValidThread());
   DCHECK_GT(surface_info.device_scale_factor(), 0.0f);