Update FocusChanged notifiers to operate on a copy

These focus changed calls ultimately trigger javascript events. These
events could potentially run code that would modify the list of items
that the FocusChanged notifiers are notifying, and thus invalidate their
in-use iterators.

Fix this by having these methods iterate over a copy instead of the
member list.

Fixed: 1107815
Change-Id: I03fa08eeadc60736f3a3fae079253dbd3ee26476
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2314158Reviewed-by: Daniel Cheng <dcheng@chromium.org>
Reviewed-by: Klaus Weidner <klausw@chromium.org>
Commit-Queue: Daniel Cheng <dcheng@chromium.org>
Auto-Submit: Alexander Cooper <alcooper@chromium.org>
Cr-Commit-Position: refs/heads/master@{#791261}

third_party/blink/renderer/core/page/focus_controller.cc

@@ -1352,7 +1352,12 @@ void FocusController::RegisterFocusChangedObserver(
 }
 
 void FocusController::NotifyFocusChangedObservers() const {
-  for (const auto& it : focus_changed_observers_)
+  // Since this eventually dispatches an event to the page, the page could add
+  // new observer, which would invalidate our iterators; so iterate over a copy
+  // of the observer list.
+  HeapHashSet<WeakMember<FocusChangedObserver>> observers =
+      focus_changed_observers_;
+  for (const auto& it : observers)
     it->FocusedFrameChanged();
 }
 

third_party/blink/renderer/modules/xr/xr_system.cc

@@ -732,7 +732,11 @@ XRSystem::XRSystem(LocalFrame& frame, int64_t ukm_source_id)
 
 void XRSystem::FocusedFrameChanged() {
   // Tell all sessions that focus changed.
-  for (const auto& session : sessions_) {
+  // Since this eventually dispatches an event to the page, the page could
+  // create a new session which would invalidate our iterators; so iterate over
+  // a copy of the session map.
+  HeapHashSet<WeakMember<XRSession>> processing_sessions = sessions_;
+  for (const auto& session : processing_sessions) {
     session->OnFocusChanged();
   }