[PM] Fix use-after-free in TabLoadingFrameNavigationScheduler.

This was recently found by a manual audit after an ASAN fuzzer found
a similar issue.

BUG=1098226

Change-Id: I4a91ec58ccceadd92719774cf0047cb7a184c5be
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2261392
Commit-Queue: Chris Hamilton <chrisha@chromium.org>
Commit-Queue: Sigurður Ásgeirsson <siggi@chromium.org>
Reviewed-by: Sigurður Ásgeirsson <siggi@chromium.org>
Cr-Commit-Position: refs/heads/master@{#781460}

components/performance_manager/mechanisms/tab_loading_frame_navigation_scheduler.cc

@@ -276,12 +276,16 @@ void TabLoadingFrameNavigationScheduler::DidFinishNavigation(
 void TabLoadingFrameNavigationScheduler::StopThrottlingImpl() {
   DCHECK_CURRENTLY_ON(content::BrowserThread::UI);
 
-  // Release all of the throttles.
-  for (auto& entry : throttles_) {
+  // Release all of the throttles. Note that releasing a throttle will cause
+  // "DidFinishNavigation" to be invoked for the associated NavigationHandle,
+  // which would modify |throttles_|. We instead take the data structure before
+  // iterating.
+  auto throttles = std::move(throttles_);
+  DCHECK(throttles_.empty());
+  for (auto& entry : throttles) {
     auto* throttle = entry.second;
     throttle->Resume();
   }
-  throttles_.clear();
 
   // Tear down this object. This must be called last so as not to UAF ourselves.
   // Note that this is always called from static functions in this translation