DanglingPtr: fix dangling ptr in SandboxQuotaObserver

Re-order releasing members in SandboxFileSystemBackendDelegate destructor to avoid holding dangling ptrs.

Bug: 1291138
Change-Id: I16066fe6f415bb5d28e1896f5858bc163703e081
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/3816286
Reviewed-by: Austin Sullivan <asully@chromium.org>
Commit-Queue: Ali Hijazi <ahijazi@chromium.org>
Cr-Commit-Position: refs/heads/main@{#1032928}

storage/browser/file_system/sandbox_file_system_backend_delegate.cc

@@ -224,8 +224,10 @@ SandboxFileSystemBackendDelegate::~SandboxFileSystemBackendDelegate() {
 
   if (!file_task_runner_->RunsTasksInCurrentSequence()) {
     DeleteSoon(file_task_runner_.get(), quota_reservation_manager_.release());
-    DeleteSoon(file_task_runner_.get(), sandbox_file_util_.release());
+    // `quota_observer_` depends on `sandbox_file_util_` and
+    // `file_system_usage_cache_` so it must be released first.
     DeleteSoon(file_task_runner_.get(), quota_observer_.release());
+    DeleteSoon(file_task_runner_.get(), sandbox_file_util_.release());
     DeleteSoon(file_task_runner_.get(), file_system_usage_cache_.release());
   }
 }

storage/browser/file_system/sandbox_quota_observer.h

@@ -72,11 +72,10 @@ class SandboxQuotaObserver : public FileUpdateObserver,
   const scoped_refptr<base::SequencedTaskRunner> update_notify_runner_;
 
   // Not owned; sandbox_file_util_ should have identical lifetime with this.
-  const raw_ptr<ObfuscatedFileUtil, DanglingUntriaged> sandbox_file_util_;
+  const raw_ptr<ObfuscatedFileUtil> sandbox_file_util_;
 
   // Not owned; file_system_usage_cache_ should have longer lifetime than this.
-  const raw_ptr<FileSystemUsageCache, DanglingUntriaged>
-      file_system_usage_cache_;
+  const raw_ptr<FileSystemUsageCache> file_system_usage_cache_;
 
   std::map<base::FilePath, int64_t> pending_update_notification_;
   base::OneShotTimer delayed_cache_update_helper_;