Fix crashes in MemoryCache related to successful revalidation

Fix crashes in MemoryCache related to successful revalidation

If the same url is revalidated multiple times, the first revalidation may end
up being incorrectly left in an LRU list after it is deleted. This is because
we have an early exit in removeFromLRUList() when the resource's accessCount()
is zero, even though we unconditionally put the resource in an LRU list when
it is added to the cache. We increment accessCount for the new resources case
in add(), but not the successful revalidation case in replace().

(All of these bugs are most likely the same root cause, but it's not absolutely certain)
BUG=353035, 352538, 352444
TEST=MemoryCacheTest.MultipleReplace

Committed: https://src.chromium.org/viewvc/blink?view=rev&revision=169463

[Nate Chapin, 2014-03-17 18:09:19]

The test causes a use-after-free without the change in MemoryCache.cpp.

[abarth-chromium, 2014-03-17 19:03:41]

lgtm

[Nate Chapin, 2014-03-17 19:04:37]

The CQ bit was checked by japhet@chromium.org

[commit-bot: I haz the power, 2014-03-17 19:04:47]

CQ is trying da patch. Follow status at
https://chromium-status.appspot.com/cq/japhet@chromium.org/202243003/1

[commit-bot: I haz the power, 2014-03-17 19:13:13]

The CQ bit was unchecked by commit-bot@chromium.org

[commit-bot: I haz the power, 2014-03-17 19:13:13]

Try jobs failed on following builders:
  tryserver.blink on mac_blink_compile_dbg

[Nate Chapin, 2014-03-17 19:42:44]

The CQ bit was checked by japhet@chromium.org

[commit-bot: I haz the power, 2014-03-17 19:42:48]

CQ is trying da patch. Follow status at
https://chromium-status.appspot.com/cq/japhet@chromium.org/202243003/20001

[commit-bot: I haz the power, 2014-03-17 19:43:54]

The CQ bit was unchecked by commit-bot@chromium.org

[commit-bot: I haz the power, 2014-03-17 19:43:55]

Try jobs failed on following builders:
  tryserver.blink on mac_blink_rel

[Nate Chapin, 2014-03-17 19:45:05]

The CQ bit was checked by japhet@chromium.org

[commit-bot: I haz the power, 2014-03-17 19:45:16]

CQ is trying da patch. Follow status at
https://chromium-status.appspot.com/cq/japhet@chromium.org/202243003/20001

[commit-bot: I haz the power, 2014-03-17 20:00:29]

The CQ bit was unchecked by commit-bot@chromium.org

[commit-bot: I haz the power, 2014-03-17 20:00:30]

Try jobs failed on following builders:
  tryserver.blink on linux_blink_dbg

[Nate Chapin, 2014-03-17 21:51:32]

On 2014/03/17 19:03:41, abarth wrote:
> lgtm

Mind taking another quick look? I didn't test this under dbg before and there
were issues with the original version.

[abarth-chromium, 2014-03-17 23:43:49]

lgtm

[Nate Chapin, 2014-03-17 23:45:12]

The CQ bit was checked by japhet@chromium.org

[commit-bot: I haz the power, 2014-03-17 23:45:24]

CQ is trying da patch. Follow status at
https://chromium-status.appspot.com/cq/japhet@chromium.org/202243003/40001

[commit-bot: I haz the power, 2014-03-17 23:48:48]

The CQ bit was unchecked by commit-bot@chromium.org

[commit-bot: I haz the power, 2014-03-17 23:48:49]

Try jobs failed on following builders:
  tryserver.blink on blink_presubmit

[Nate Chapin, 2014-03-18 16:17:55]

The CQ bit was checked by japhet@chromium.org

[commit-bot: I haz the power, 2014-03-18 16:18:09]

CQ is trying da patch. Follow status at
https://chromium-status.appspot.com/cq/japhet@chromium.org/202243003/40001

[commit-bot: I haz the power, 2014-03-18 19:12:32]

Change committed as 169463