Crash in InspectorTaskRunner::V8InterruptCallback

InspectorTaskRunner queues itself for a V8 interrupt, but V8 doesn't
automatically increment the task runner's refcount. As a result,
InspectorTaskRunner needs to manually increment and decrement its
own refcount to ensure that it doesn't get deleted, which would
otherwise result in V8 hanging onto a dangling pointer.

Bug: 933128
Change-Id: I715734015bbf810ecbba5f4e509fcc924b3aa1b2
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/1993436Reviewed-by: Lorne Mitchell <lomitch@microsoft.com>
Reviewed-by: Andrey Kosyakov <caseq@chromium.org>
Commit-Queue: Robert Paveza <Rob.Paveza@microsoft.com>
Cr-Commit-Position: refs/heads/master@{#729930}

third_party/blink/renderer/core/inspector/inspector_task_runner.cc

@@ -38,8 +38,10 @@ void InspectorTaskRunner::AppendTask(Task task) {
       CrossThreadBindOnce(
           &InspectorTaskRunner::PerformSingleInterruptingTaskDontWait,
           WrapRefCounted(this)));
-  if (isolate_)
+  if (isolate_) {
+    AddRef();
     isolate_->RequestInterrupt(&V8InterruptCallback, this);
+  }
 }
 
 void InspectorTaskRunner::AppendTaskDontInterrupt(Task task) {
@@ -69,6 +71,7 @@ void InspectorTaskRunner::PerformSingleInterruptingTaskDontWait() {
 void InspectorTaskRunner::V8InterruptCallback(v8::Isolate*, void* data) {
   InspectorTaskRunner* runner = static_cast<InspectorTaskRunner*>(data);
   Task task = runner->TakeNextInterruptingTask();
+  runner->Release();
   if (!task) {
     return;
   }