[M90-LTS] Use scoped_refptr to keep ShadowList alive

Fixes a use-after-free for the ShadowList pointed to by TextPaintStyle
which was owned by a temporary ComputedStyle for inactive ::selection
styles.

(cherry picked from commit 2621def)

Bug: 1217598
Change-Id: I6c7adb657ab9825613ec9ad6f5205f65e703aabf
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2984563
Commit-Queue: Rune Lillesveen <futhark@chromium.org>
Cr-Original-Commit-Position: refs/heads/master@{#895579}
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/3041357
Reviewed-by: Jana Grill <janagrill@google.com>
Owners-Override: Jana Grill <janagrill@google.com>
Commit-Queue: Roger Felipe Zanoni da Silva <rzanoni@google.com>
Cr-Commit-Position: refs/branch-heads/4430@{#1546}
Cr-Branched-From: e5ce7dc-refs/heads/master@{#857950}

third_party/blink/renderer/core/paint/text_paint_style.h

@@ -25,7 +25,7 @@ struct CORE_EXPORT TextPaintStyle {
   Color emphasis_mark_color;
   float stroke_width;
   mojom::blink::ColorScheme color_scheme;
-  const ShadowList* shadow;
+  scoped_refptr<const ShadowList> shadow;
   base::Optional<AppliedTextDecoration> selection_text_decoration;
 
   bool operator==(const TextPaintStyle& other) const {

third_party/blink/renderer/core/paint/text_painter_base.cc

@@ -111,7 +111,7 @@ void TextPainterBase::UpdateGraphicsContext(
     if (text_style.shadow || shadow_mode == kShadowsOnly) {
       state_saver.SaveIfNeeded();
       context.SetDrawLooper(CreateDrawLooper(
-          text_style.shadow, DrawLooperBuilder::kShadowIgnoresAlpha,
+          text_style.shadow.get(), DrawLooperBuilder::kShadowIgnoresAlpha,
           text_style.current_color, text_style.color_scheme, horizontal,
           shadow_mode));
     }