Implement StringImpl sharing for StringView::toString().

third_party/WebKit/Source/core/html/parser/HTMLPreloadScanner.cpp

Index: third_party/WebKit/Source/core/html/parser/HTMLPreloadScanner.cpp
diff --git a/third_party/WebKit/Source/core/html/parser/HTMLPreloadScanner.cpp b/third_party/WebKit/Source/core/html/parser/HTMLPreloadScanner.cpp
index 2ae1766171f77bdc9b73668c8f8e54d842cbd2c4..40c27a3953e91fcfd515d9a918da8e1e19689c1b 100644
--- a/third_party/WebKit/Source/core/html/parser/HTMLPreloadScanner.cpp
+++ b/third_party/WebKit/Source/core/html/parser/HTMLPreloadScanner.cpp
@@ -193,7 +193,11 @@ public:
     void handlePictureSourceURL(PictureData& pictureData)
     {
         if (match(m_tagImpl, sourceTag) && m_matched && pictureData.sourceURL.isEmpty()) {
-            pictureData.sourceURL = m_srcsetImageCandidate.toString();
+            // Must create an isolatedCopy() since the srcset attribute value will
+            // get sent back to the main thread between when we set this, and when we
+            // process the closing tag which would clear m_pictureData. Having any
+            // ref to a string we're going to send will fail isSafeToSendToAnotherThread().

[esprehn, 2016/06/03 20:28:29]

This was a bug that already existed, but StringView::toString() used to always
vend a new string, even when the m_length was the same as the full string which
was hiding this bug by creating a new string inside toString(). All the other
stuff that the preload scanner stores already do this, ex. PreloadRequest makes
an isolatedCopy() of any String it might send.

+            pictureData.sourceURL = m_srcsetImageCandidate.toString().isolatedCopy();
             pictureData.sourceSizeSet = m_sourceSizeSet;
             pictureData.sourceSize = m_sourceSize;
             pictureData.picked = true;