ServiceWorker: Avoid ServiceWorkerVersion destruction during stopping the worker

ServiceWorkerVersion::StopWorker() calls EmbeddedWorkerInstance::Stop()
and then checks its running_status(). This is dangerous because
EmbeddedWorkerInstance::Stop() may synchronously call
ServiceWorkerVersion::OnStopped(Internal)() and lead to
ServiceWorkerVersion destruction. This CL avoids it by explicitly
keeping ServiceWorkerVersion instance.

Bug: 931087
Change-Id: I9d5f0c2c892cb2127bd586825ad9e60d69fd784c
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/1989310Reviewed-by: Matt Falkenhagen <falken@chromium.org>
Commit-Queue: Hiroki Nakagawa <nhiroki@chromium.org>
Cr-Commit-Position: refs/heads/master@{#728824}

content/browser/service_worker/service_worker_version.cc

@@ -458,7 +458,11 @@ void ServiceWorkerVersion::StopWorker(base::OnceClosure callback) {
 
   switch (running_status()) {
     case EmbeddedWorkerStatus::STARTING:
-    case EmbeddedWorkerStatus::RUNNING:
+    case EmbeddedWorkerStatus::RUNNING: {
+      // EmbeddedWorkerInstance::Stop() may synchronously call
+      // ServiceWorkerVersion::OnStopped() and destroy |this|. This protection
+      // avoids it.
+      scoped_refptr<ServiceWorkerVersion> protect = this;
       embedded_worker_->Stop();
       if (running_status() == EmbeddedWorkerStatus::STOPPED) {
         RunSoon(std::move(callback));
@@ -466,6 +470,7 @@ void ServiceWorkerVersion::StopWorker(base::OnceClosure callback) {
       }
       stop_callbacks_.push_back(std::move(callback));
       return;
+    }
     case EmbeddedWorkerStatus::STOPPING:
       stop_callbacks_.push_back(std::move(callback));
       return;