Fix use-after-free in ResizeObservation.

The WeakMember element_ could be garbage collected and needs
to be null-checked.

There is no test because it's unclear to me how to do so simply.
The reproducing clusterfuzz bug used a specially instrumented Chrome
with a script-exposed gc() method.

Bug: 1016218

Change-Id: Ibf8da7c8b68dab5cbeeb9f3b12a434944c5fa91a
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/1892060Reviewed-by: vmpstr <vmpstr@chromium.org>
Commit-Queue: Chris Harrelson <chrishtr@chromium.org>
Cr-Commit-Position: refs/heads/master@{#711279}

third_party/blink/renderer/core/resize_observer/resize_observation.cc

@@ -26,8 +26,8 @@ bool ResizeObservation::ObservationSizeOutOfSync() {
     return false;
 
   // Skip resize observations on locked elements.
-  if (UNLIKELY(
-          DisplayLockUtilities::IsInLockedSubtreeCrossingFrames(*target_))) {
+  if (UNLIKELY(target_ && DisplayLockUtilities::IsInLockedSubtreeCrossingFrames(
+                              *target_))) {
     return false;
   }