Speculative ContextProvider destruction fix.

ContextProvider notifies observers on context loss that the context is
no longer usable. These observers typically hold a
scoped_refptr<ContextProvider> and could drop their reference
immediately. This could result in the ContextProvider being destroyed
before OnContextLoss() has finished executing and result in a
use-after-free error.

Ensure this use-after-free isn't possible by acquiring a scoped_refptr
before notifying observers.

Bug: 994430
Change-Id: I5e0d6c99b0a42bbfc3dfca28af311df2b0f33831
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/1764803Reviewed-by: Saman Sami <samans@chromium.org>
Commit-Queue: kylechar <kylechar@chromium.org>
Cr-Commit-Position: refs/heads/master@{#689474}

services/viz/public/cpp/gpu/context_provider_command_buffer.cc

@@ -457,6 +457,10 @@ const gpu::GpuFeatureInfo& ContextProviderCommandBuffer::GetGpuFeatureInfo()
 void ContextProviderCommandBuffer::OnLostContext() {
   CheckValidThreadOrLockAcquired();
 
+  // Ensure |this| isn't destroyed in the middle of OnLostContext() if observers
+  // drop all references to it.
+  scoped_refptr<ContextProviderCommandBuffer> ref(this);
+
   for (auto& observer : observers_)
     observer.OnContextLost();
   if (gr_context_)