[Backport] CVE-2021-30548: Use after free in Loader

Cherry-pick of patch originally reviewed on
https://chromium-review.googlesource.com/c/chromium/src/+/2909934:
Remove container mutation during iteration

On LongTaskDetector, we call OnLongTaskDetected for all registered
observers. Some observers call LongTaskDetector::UnregisterObserver
in the callback, which is problematic because container mutation is
not allowed during iteration.

Copy the observer set to avoid the violation.

Bug: 1210487
Change-Id: Iccea748ac144def6884be8cf542cdc3572bed81a
Reviewed-by: Deep Roy <[email protected]>
Reviewed-by: Nicolás Peña Moreno <[email protected]>
Commit-Queue: Yutaka Hirano <[email protected]>
Cr-Commit-Position: refs/heads/master@{#885033}
Reviewed-by: Michal Klocek <[email protected]>

Author: yutakahirano

chromium/third_party/blink/renderer/core/loader/long_task_detector.cc

@@ -43,7 +43,10 @@ void LongTaskDetector::DidProcessTask(base::TimeTicks start_time,
   if ((end_time - start_time) < LongTaskDetector::kLongTaskThreshold)
     return;
 
-  for (auto& observer : observers_) {
+  // We copy `observers_` because it might be mutated in OnLongTaskDetected,
+  // and container mutation is not allowed during iteration.
+  const HeapHashSet<Member<LongTaskObserver>> observers = observers_;
+  for (auto& observer : observers) {
     observer->OnLongTaskDetected(start_time, end_time);
   }
 }