Make Timer and CancellableTaskFactory embeddeable in lazily swept objects.

Source/platform/scheduler/CancellableTaskFactory.h

Index: Source/platform/scheduler/CancellableTaskFactory.h
diff --git a/Source/platform/scheduler/CancellableTaskFactory.h b/Source/platform/scheduler/CancellableTaskFactory.h
index 66fe63ac27b1ba293ec3ff18d4093455ef58a852..5eb9130d8aa58922cefcfc1556c51e58926c4818 100644
--- a/Source/platform/scheduler/CancellableTaskFactory.h
+++ b/Source/platform/scheduler/CancellableTaskFactory.h
@@ -7,6 +7,7 @@
 
 #include "platform/PlatformExport.h"
 #include "public/platform/WebScheduler.h"
+#include "wtf/AddressSanitizer.h"
 #include "wtf/Functional.h"
 #include "wtf/Noncopyable.h"
 #include "wtf/OwnPtr.h"
@@ -23,6 +24,9 @@ class PLATFORM_EXPORT CancellableTaskFactory {
 public:
     explicit CancellableTaskFactory(PassOwnPtr<Closure> closure)
         : m_closure(closure)
+#if defined(ADDRESS_SANITIZER)
+        , m_unpoisonBeforeUpdate(false)
+#endif
         , m_weakPtrFactory(this)
     {
     }
@@ -38,6 +42,15 @@ public:
     // ownership of the task.  Creating a new task cancels any previous ones.
     WebThread::Task* cancelAndCreate();
 
+#if defined(ADDRESS_SANITIZER)
+    // The CancellableTaskFactory part object might be within a poisoned heap
+    // object, hence CancellableTask::run() will access poisoned memory
+    // when reaching into the factory object to update its state.
+    // We will allow such access iff the task factory is marked as requiring
+    // unpoisoning first.
+    void setUnpoisonBeforeUpdate() { m_unpoisonBeforeUpdate = true; }
+#endif
+
 private:
     class CancellableTask : public WebThread::Task {
         WTF_MAKE_NONCOPYABLE(CancellableTask);
@@ -55,6 +68,9 @@ private:
     };
 
     OwnPtr<Closure> m_closure;
+#if defined(ADDRESS_SANITIZER)
+    bool m_unpoisonBeforeUpdate;
+#endif
     WeakPtrFactory<CancellableTaskFactory> m_weakPtrFactory;
 };