Fix race in deletion of native message handlers (fixes #28484).

runtime/vm/pages.cc

Index: runtime/vm/pages.cc
diff --git a/runtime/vm/pages.cc b/runtime/vm/pages.cc
index 450af9a63a0551bbb980258503f3c49964e9bac6..c8f24daf5f0bcbf35b30aa2bc6310aff38b504eb 100644
--- a/runtime/vm/pages.cc
+++ b/runtime/vm/pages.cc
@@ -89,8 +89,16 @@ HeapPage* HeapPage::Allocate(intptr_t size_in_words, PageType type) {
 
 
 void HeapPage::Deallocate() {
-  // The memory for this object will become unavailable after the delete below.
+  // For a regular heap pages, the memory for this object will become
+  // unavailable after the delete below.
+  bool is_embedder_allocated = embedder_allocated();
   delete memory_;
+
+  // For a heap page from a snapshot, the HeapPage object lives in the malloc
+  // heap rather than the page itself.
+  if (is_embedder_allocated) {
+    free(this);

[Florian Schneider, 2017/01/24 02:06:07]

Maybe change this to new/delete instead of malloc/free.

[rmacnak, 2017/01/24 03:28:36]

Trying this out, I see the original reason this uses malloc is to avoid removing
DISALLOW_ALLOCATION, etc from HeapPage. Doing so would give a false impression
that the constructor always runs, which it still wouldn't when normal heap pages
are allocated by reinterpret-casting the  mmap'd page.

+  }
 }