chore: cherry-pick 9bab573a37 from chromium (#30101)

* chore: cherry-pick 9bab573a37 from chromium

Refs https://chromium-review.googlesource.com/c/chromium/src/+/3010140

* chore: update patches

Co-authored-by: deepak1556 <[email protected]>
Co-authored-by: PatchUp <73610968+patchup[bot]@users.noreply.github.com>
Author: trop[bot], 3 years ago. Commit: 2ae1c823cd

+ 1 - 0
patches/chromium/.patches

@@ -101,3 +101,4 @@ build_do_not_depend_on_packed_resource_integrity.patch
 don_t_run_pcscan_notifythreadcreated_if_pcscan_is_disabled.patch
 refactor_restore_base_adaptcallbackforrepeating.patch
 hack_to_allow_gclient_sync_with_host_os_mac_on_linux_in_ci.patch
+set_svgimage_page_after_document_install.patch

+ 48 - 0
patches/chromium/set_svgimage_page_after_document_install.patch

@@ -0,0 +1,48 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Fredrik=20S=C3=B6derqvist?= <[email protected]>
+Date: Fri, 9 Jul 2021 08:44:55 +0000
+Subject: Set SVGImage::page_ after document install
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+We can end up having the associated ImageResource call
+SVGImage::ResetAnimation() before the Document has been associated with
+the SVGImage's LocalFrame, but after the link to the initial Document
+was severed, if a GC is triggered within that window and ends up
+collecting the last observer of the ImageResource.
+
+By assigning |SVGImage::page_| after the installing the document, we
+close this hole since SVGImage::RootElement() (called by
+SVGImage::ResetAnimation()) will now observe a null Page and return null
+without attempting to dereference the document.
+
+Bug: 1216190
+Change-Id: I26e08848e5b9bd52e3377841eee35e4acc03d320
+Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/3010140
+Reviewed-by: Stephen Chenney <[email protected]>
+Commit-Queue: Fredrik Söderquist <[email protected]>
+Cr-Commit-Position: refs/heads/master@{#899922}
+
+diff --git a/third_party/blink/renderer/core/svg/graphics/svg_image.cc b/third_party/blink/renderer/core/svg/graphics/svg_image.cc
+index b23ad2192bec4d1cac9d704074d12c9e00d4d2f5..ff2bf69be27f0afcb6a9909e716495e8d4a127ef 100644
+--- a/third_party/blink/renderer/core/svg/graphics/svg_image.cc
++++ b/third_party/blink/renderer/core/svg/graphics/svg_image.cc
+@@ -851,12 +851,15 @@ Image::SizeAvailability SVGImage::DataChanged(bool all_data_received) {
+   // SVG Images are transparent.
+   frame->View()->SetBaseBackgroundColor(Color::kTransparent);
+ 
+-  page_ = page;
+-
+   TRACE_EVENT0("blink", "SVGImage::dataChanged::load");
+ 
+   frame->ForceSynchronousDocumentInstall("image/svg+xml", Data());
+ 
++  // Set up our Page reference after installing our document. This avoids
++  // tripping on a non-existing (null) Document if a GC is triggered during the
++  // set up and ends up collecting the last owner/observer of this image.
++  page_ = page;
++
+   // Intrinsic sizing relies on computed style (e.g. font-size and
+   // writing-mode).
+   frame->GetDocument()->UpdateStyleAndLayoutTree();
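Review bot: moving `page_ = page;` below `frame->ForceSynchronousDocumentInstall("image/svg+xml", Data());` widens the window in which `page_` is null to cover the entire synchronous document install, so any path other than `SVGImage::ResetAnimation()` that re-enters `SVGImage` during install and reads `page_` will now observe null as well; the description only argues the case for `SVGImage::RootElement()`. The null-`Page` early return in `RootElement()` that the fix relies on is not part of this hunk, so when cherry-picking it is worth confirming that the Chromium revision Electron builds against already has that check, otherwise the reordering trades the dangling-Document dereference for a null `page_` dereference. A short note in the patch description pointing at where that null check lives would make the backport easier to re-verify on the next Chromium roll.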