Use RefPtr for MutationObserver in MutationObserverInterestGroup.

Use RefPtr for MutationObserver in MutationObserverInterestGroup.

In MutaionObserverInterestGroup, MutationObservers were held in HashSet
as raw pointers.  In case a MutationObserver is gone while mutation
events are collected (and garbage collector collects the object),
it causes use-after-free while the code tries to enqueue the recorded
mutation events.  Use RefPtr<> to hold the pointer so that the object
will be kept until it goes out of scope.

BUG=557981
TEST=fast/dom/MutationObserver/mutation-and-deletion-race.html

Committed: https://crrev.com/a17c2c87065be2c4dcb586583b1d69a5c85dae20
Cr-Commit-Position: refs/heads/master@{#360541}

[kochi, 2015-11-19 05:26:23]

Description was changed from

==========
Use RefPtr for MutationObserver in MutationObserverInterestGroup.

In MutaionObserverInterestGroup, MutationObservers are held in HashSet
as raw pointers.  In case a MutationObserver is gone while mutation
events are collected (and garbage collector collects the object),
it causes use-after-free while the code tries to enqueue the recorded
mutation events.  Use RefPtr<> to hold the pointer so that the object
will be kept until it goes out of scope.

BUG=557981
TEST=
==========

to

==========
Use RefPtr for MutationObserver in MutationObserverInterestGroup.

In MutaionObserverInterestGroup, MutationObservers are held in HashSet
as raw pointers.  In case a MutationObserver is gone while mutation
events are collected (and garbage collector collects the object),
it causes use-after-free while the code tries to enqueue the recorded
mutation events.  Use RefPtr<> to hold the pointer so that the object
will be kept until it goes out of scope.

BUG=557981
TEST=fast/dom/MutationObserver/mutation-and-deletion-race.html
==========

[kochi, 2015-11-19 05:52:57]

Description was changed from

==========
Use RefPtr for MutationObserver in MutationObserverInterestGroup.

In MutaionObserverInterestGroup, MutationObservers are held in HashSet
as raw pointers.  In case a MutationObserver is gone while mutation
events are collected (and garbage collector collects the object),
it causes use-after-free while the code tries to enqueue the recorded
mutation events.  Use RefPtr<> to hold the pointer so that the object
will be kept until it goes out of scope.

BUG=557981
TEST=fast/dom/MutationObserver/mutation-and-deletion-race.html
==========

to

==========
Use RefPtr for MutationObserver in MutationObserverInterestGroup.

In MutaionObserverInterestGroup, MutationObservers were held in HashSet
as raw pointers.  In case a MutationObserver is gone while mutation
events are collected (and garbage collector collects the object),
it causes use-after-free while the code tries to enqueue the recorded
mutation events.  Use RefPtr<> to hold the pointer so that the object
will be kept until it goes out of scope.

BUG=557981
TEST=fast/dom/MutationObserver/mutation-and-deletion-race.html
==========

[kochi, 2015-11-19 05:53:28]

kochi@chromium.org changed reviewers:
+ tkent@chromium.org

[kochi, 2015-11-19 05:53:37]

tkent-san,

Could you review?

[tkent, 2015-11-19 06:03:16]

lgtm.
It seems this CL won't make reference cycles.

[kochi, 2015-11-19 06:12:05]

The CQ bit was checked by kochi@chromium.org

[commit-bot: I haz the power, 2015-11-19 06:12:13]

CQ is trying da patch. Follow status at
 https://chromium-cq-status.appspot.com/patch-status/1463433002/40001
View timeline at
 https://chromium-cq-status.appspot.com/patch-timeline/1463433002/40001

[commit-bot: I haz the power, 2015-11-19 07:17:52]

Committed patchset #3 (id:40001)

[commit-bot: I haz the power, 2015-11-19 07:18:36]

Patchset 3 (id:??) landed as
https://crrev.com/a17c2c87065be2c4dcb586583b1d69a5c85dae20
Cr-Commit-Position: refs/heads/master@{#360541}