Bug: https://bugs.gentoo.org/750038
Upstream bug: https://crbug.com/1135070

--- a/content/browser/service_worker/service_worker_container_host.cc
+++ b/content/browser/service_worker/service_worker_container_host.cc
@@ -626,6 +626,16 @@
     int64_t registration_id) {
   DCHECK_CURRENTLY_ON(ServiceWorkerContext::GetCoreThreadId());
   DCHECK(base::Contains(registration_object_hosts_, registration_id));
+
+  // ServiceWorkerRegistrationObjectHost to be deleted may have the last reference to
+  // ServiceWorkerRegistration that indirectly owns this ServiceWorkerContainerHost.
+  // If we erase the object host directly from the map, |this| could be deleted
+  // during the map operation and may crash. To avoid the case, we take the
+  // ownership of the object host from the map first, and then erase the entry
+  // from the map. See https://crbug.com/1135070 for details.
+  std::unique_ptr<ServiceWorkerRegistrationObjectHost> to_be_deleted =
+      std::move(registration_object_hosts_[registration_id]);
+  DCHECK(to_be_deleted);
   registration_object_hosts_.erase(registration_id);
 }