Avoid use-after-free

SetNotWaitingForResponse can trigger a message pump which can then free
the object which |this| points to. This use-after-free can be avoided by
not dereferencing |this| after the call, by ensuring that calling
SetNotWaitingForResponse is the last thing done.

Bug: 1125199
Change-Id: Ie1289c93112151978e6daaa1d24326770028c529
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2407065Reviewed-by: Alex Moshchuk <alexmos@chromium.org>
Commit-Queue: Bruce Dawson <brucedawson@chromium.org>
Cr-Commit-Position: refs/heads/master@{#806839}

content/browser/web_contents/web_contents_impl.cc

@@ -4235,10 +4235,13 @@ void WebContentsImpl::SetNotWaitingForResponse() {
     return;
 
   waiting_for_response_ = false;
-  if (delegate_)
-    delegate_->LoadingStateChanged(this, is_load_to_different_document_);
   observers_.ForEachObserver(
       [&](WebContentsObserver* observer) { observer->DidReceiveResponse(); });
+
+  // LoadingStateChanged must be called last in case it triggers deletion of
+  // |this| due to recursive message pumps.
+  if (delegate_)
+    delegate_->LoadingStateChanged(this, is_load_to_different_document_);
 }
 
 void WebContentsImpl::SendScreenRects() {
@@ -5309,6 +5312,8 @@ void WebContentsImpl::ReadyToCommitNavigation(
             : false);
   }
 
+  // LoadingStateChanged must be called last in case it triggers deletion of
+  // |this| due to recursive message pumps.
   SetNotWaitingForResponse();
 }