binding: Changes the association among global-proxy/global/window-instance (2nd attempt).

third_party/WebKit/Source/bindings/core/v8/DOMWrapperWorld.h

 /*
  * Copyright (C) 2009 Google Inc. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions are
  * met:
  *
  *     * Redistributions of source code must retain the above copyright
  * notice, this list of conditions and the following disclaimer.
  *     * Redistributions in binary form must reproduce the above
@@ skipping 115 matching lines @@
                                                     const String& policy);
   bool IsolatedWorldHasContentSecurityPolicy();
 
   bool IsMainWorld() const { return world_type_ == WorldType::kMain; }
   bool IsWorkerWorld() const { return world_type_ == WorldType::kWorker; }
   bool IsIsolatedWorld() const { return world_type_ == WorldType::kIsolated; }
 
   int GetWorldId() const { return world_id_; }
   DOMDataStore& DomDataStore() const { return *dom_data_store_; }
 
- public:
   template <typename T>
   void RegisterDOMObjectHolder(v8::Isolate*, T*, v8::Local<v8::Value>);
 
  private:
   DOMWrapperWorld(v8::Isolate*, WorldType, int world_id);
 
   static void WeakCallbackForDOMObjectHolder(
       const v8::WeakCallbackInfo<DOMObjectHolderBase>&);
   void RegisterDOMObjectHolderInternal(std::unique_ptr<DOMObjectHolderBase>);
   void UnregisterDOMObjectHolder(DOMObjectHolderBase*);
 
   static unsigned number_of_non_main_worlds_in_main_thread_;
 
   // Returns an identifier for a given world type. This must not be called for
   // WorldType::IsolatedWorld because an identifier for the world is given from
   // out of DOMWrapperWorld.
   static int GenerateWorldIdForType(WorldType);
 
+  // Dissociates all wrappers in all worlds associated with |script_wrappable|.
+  //
+  // Do not use this function except for DOMWindow.  Only DOMWindow needs to
+  // dissociate wrappers from the ScriptWrappable because of the following two
+  // reasons.
+  //
+  // Reason 1) Case of the main world
+  // A DOMWindow may be collected by Blink GC *before* V8 GC collects the
+  // wrapper because the wrapper object associated with a DOMWindow is a global
+  // proxy, which remains after navigations.  We don't want V8 GC to reset the
+  // weak persistent handle to a wrapper within the DOMWindow
+  // (ScriptWrappable::main_world_wrapper_) *after* Blink GC collects the
+  // DOMWindow because it's use-after-free.  Thus, we need to dissociate the
+  // wrapper in advance.
+  //
+  // Reason 2) Case of isolated worlds
+  // As same, a DOMWindow may be collected before the wrapper gets collected.
+  // A DOMWrapperMap supports mapping from ScriptWrappable* to v8::Global<T>,
+  // and we don't want to leave an entry of an already-dead DOMWindow* to the
+  // persistent handle for the global proxy object, especially considering that
+  // the address to the already-dead DOMWindow* may be re-used.
+  friend class DOMWindow;
+  static void DissociateDOMWindowWrappersInAllWorlds(ScriptWrappable*);
+
   const WorldType world_type_;
   const int world_id_;
   std::unique_ptr<DOMDataStore> dom_data_store_;
   HashSet<std::unique_ptr<DOMObjectHolderBase>> dom_object_holders_;
 };
 
 }  // namespace blink
 
 #endif  // DOMWrapperWorld_h