Chrome Version       : master
OS Version: Linux, Cast
URLs (if applicable) : https://storage.googleapis.com/m3u8_lag/v8_crash/index.html

What steps will reproduce the problem?
1. Open the page.
2. Open some other tabs.
3. Wait for some time.

What is the expected result?
Image loads and no crash happened.

What happens instead of that?
The original page crash. (Stacktrace attached). In public build, the image doesn't show on the page.

The web page uses following code for changing the background of <div>.

let image = new Image();
image.src = image_name;
image.decode().then(() => {
// image_element.style.backgroundImage = "url('" + image_name + "')";
image_element.style.backgroundImage = "url('" + image_name + "')";
});

"image" isn't captured by the promise.

This is because ImageLoader is passed to the callback of ChromeClient::RequestDecode as a weak reference. If GC kicks in when callback is pending, ImageLoader will be destroyed.

Stack trace from default desktop build:

#1 0x7f2d9d95b9ac base::debug::StackTrace::StackTrace()
#2 0x7f2d9d9cb2ca logging::LogMessage::~LogMessage()
#3 0x7f2d7f7bf941 blink::ScriptPromiseResolver::~ScriptPromiseResolver()
#4 0x7f2d7f808a44 blink::GarbageCollectedFinalized<>::FinalizeGarbageCollectedObject()
#5 0x7f2d7f808a15 blink::FinalizerTraitImpl<>::Finalize()
#6 0x7f2d7f8089f5 blink::FinalizerTrait<>::Finalize()
#7 0x7f2d7d383f1d blink::HeapObjectHeader::Finalize()
#8 0x7f2d7d38aea8 blink::NormalPage::Sweep()
#9 0x7f2d7d384ff9 blink::BaseArena::SweepUnsweptPage()
#10 0x7f2d7d3855ef blink::BaseArena::CompleteSweep()
#11 0x7f2d7d39f7f8 blink::ThreadState::EagerSweep()
#12 0x7f2d7d39f275 blink::ThreadState::AtomicPauseEpilogue()
#13 0x7f2d7d3a4040 blink::ThreadState::AtomicPauseSweepAndCompact()
#14 0x7f2d7d3a3737 blink::ThreadState::RunAtomicPause()
#15 0x7f2d7d398ba5 blink::ThreadState::CollectGarbage()
#16 0x7f2d7f7fc1c5 blink::V8GCController::GcEpilogue()
#17 0x7f2d8273a364 v8::internal::Heap::PerformGarbageCollection()
#18 0x7f2d82737ef4 v8::internal::Heap::CollectGarbage()
#19 0x7f2d82743a38 v8::internal::Heap::FinalizeIncrementalMarkingIfComplete()
#20 0x7f2d82753a94 v8::internal::IncrementalMarkingJob::Task::RunInternal()
#21 0x7f2d832ac525 _ZN4base8internal13FunctorTraitsIMN2v84TaskEFvvEvE6InvokeIS5_NSt3__110unique_ptrIS3_NS8_14default_deleteIS3_EEEEJEEEvT_OT0_DpOT1_
#22 0x7f2d832ac454 _ZN4base8internal12InvokeHelperILb0EvE8MakeItSoIMN2v84TaskEFvvEJNSt3__110unique_ptrIS5_NS8_14default_deleteIS5_EEEEEEEvOT_DpOT0_
#23 0x7f2d832ac400 _ZN4base8internal7InvokerINS0_9BindStateIMN2v84TaskEFvvEJNSt3__110unique_ptrIS4_NS7_14default_deleteIS4_EEEEEEEFvvEE7RunImplIS6_NS7_5tupleIJSB_EEEJLm0EEEEvOT_OT0_NS7_16integer_sequenceImJXspT1_EEEE
#24 0x7f2d832ac319 _ZN4base8internal7InvokerINS0_9BindStateIMN2v84TaskEFvvEJNSt3__110unique_ptrIS4_NS7_14default_deleteIS4_EEEEEEEFvvEE7RunOnceEPNS0_13BindStateBaseE
#25 0x7f2d9d90a3ee _ZNO4base12OnceCallbackIFvvEE3RunEv
#26 0x7f2d9d95ce72 base::debug::TaskAnnotator::RunTask()
#27 0x7f2d9db32879 base::sequence_manager::internal::ThreadControllerImpl::DoWork()
#28 0x7f2d9db35301 _ZN4base8internal13FunctorTraitsIMNS_16sequence_manager8internal20ThreadControllerImplEFvNS4_8WorkTypeEEvE6InvokeIS7_RKNS_7WeakPtrIS4_EEJRKS5_EEEvT_OT0_DpOT1_
#29 0x7f2d9db35265 _ZN4base8internal12InvokeHelperILb1EvE8MakeItSoIRKMNS_16sequence_manager8internal20ThreadControllerImplEFvNS6_8WorkTypeEERKNS_7WeakPtrIS6_EEJRKS7_EEEvOT_OT0_DpOT1_
#30 0x7f2d9db351dd _ZN4base8internal7InvokerINS0_9BindStateIMNS_16sequence_manager8internal20ThreadControllerImplEFvNS5_8WorkTypeEEJNS_7WeakPtrIS5_EES6_EEEFvvEE7RunImplIRKS8_RKNSt3__15tupleIJSA_S6_EEEJLm0ELm1EEEEvOT_OT0_NSH_16integer_sequenceImJXspT1_EEEE
#31 0x7f2d9db350dc _ZN4base8internal7InvokerINS0_9BindStateIMNS_16sequence_manager8internal20ThreadControllerImplEFvNS5_8WorkTypeEEJNS_7WeakPtrIS5_EES6_EEEFvvEE3RunEPNS0_13BindStateBaseE
#32 0x7f2d9d90a3ee _ZNO4base12OnceCallbackIFvvEE3RunEv
#33 0x7f2d9d95ce72 base::debug::TaskAnnotator::RunTask()
#34 0x7f2d9d9eed26 base::MessageLoop::RunTask()
#35 0x7f2d9d9ef0ae base::MessageLoop::DeferOrRunPendingTask()
#36 0x7f2d9d9ef539 base::MessageLoop::DoWork()
#37 0x7f2d9d9f5d07 base::MessagePumpDefault::Run()
#38 0x7f2d9d9ee41b base::MessageLoop::Run()
#39 0x7f2d9da9692d base::RunLoop::Run()
#40 0x7f2d98a940a5 content::RendererMain()
#41 0x7f2d98cb2523 content::RunZygote()
#42 0x7f2d98cb48b9 content::RunOtherNamedProcessTypeMain()
#43 0x7f2d98cb6e1e content::ContentMainRunnerImpl::Run()
#44 0x7f2d98cabcec content::ContentServiceManagerMainDelegate::RunEmbedderProcess()
#45 0x7f2d9def67fa service_manager::Main()
#46 0x7f2d98cb1f43 content::ContentMain()
#47 0x5599dabb2246 ChromeMain
#48 0x5599dabb2152 main
#49 0x7f2d732252b1 __libc_start_main
#50 0x5599dabb202a _start