Worker: Clear ResourceTimingNotifier on WorkerFetchContext::Detach()

This CL makes WorkerFetchContext::Detach() clear
WorkerFetchContext::resource_timing_notifier_ to cut off the cross-thread
persistent as soon as possible during worker thread termination.

Before this CL, I guess the notifier can outlive worker thread's
termination GC in WorkerBackingThread::ShutdownOnBackingThread(), and that
causes the failure on the parent thread as the issues say.

I tested this using the script in issue 960626, and confirmed the failure
doesn't happen with this CL. I also tried the script in issue 959508 but
couldn't reproduce it regardless of this CL. It will be tested by the fuzzer
instead.

Bug: 959508, 960626
Change-Id: I2663e5acddec0d9f88a78842c093c594fb57acb8
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/1609024
Commit-Queue: Hiroki Nakagawa <nhiroki@chromium.org>
Reviewed-by: Kenichi Ishibashi <bashi@chromium.org>
Reviewed-by: Yutaka Hirano <yhirano@chromium.org>
Cr-Commit-Position: refs/heads/master@{#658989}

third_party/blink/renderer/core/loader/worker_fetch_context.cc

@@ -220,6 +220,8 @@ void WorkerFetchContext::AddResourceTiming(const ResourceTimingInfo& info) {
   // worklets.
   if (global_scope_->IsWorkletGlobalScope())
     return;
+  if (!resource_timing_notifier_)
+    return;
   const SecurityOrigin* security_origin = GetResourceFetcherProperties()
                                               .GetFetchClientSettingsObject()
                                               .GetSecurityOrigin();
@@ -242,6 +244,11 @@ void WorkerFetchContext::PopulateResourceRequest(
     out_request.SetTopFrameOrigin(GetTopFrameOrigin());
 }
 
+FetchContext* WorkerFetchContext::Detach() {
+  resource_timing_notifier_.Clear();
+  return BaseFetchContext::Detach();
+}
+
 void WorkerFetchContext::SetFirstPartyCookie(ResourceRequest& out_request) {
   if (out_request.SiteForCookies().IsNull())
     out_request.SetSiteForCookies(GetSiteForCookies());

third_party/blink/renderer/core/loader/worker_fetch_context.h

@@ -82,6 +82,7 @@ class WorkerFetchContext final : public BaseFetchContext {
                                const ClientHintsPreferences&,
                                const FetchParameters::ResourceWidth&,
                                ResourceRequest&) override;
+  FetchContext* Detach() override;
 
   WorkerSettings* GetWorkerSettings() const;
   WorkerContentSettingsClient* GetWorkerContentSettingsClient() const;
@@ -109,8 +110,7 @@ class WorkerFetchContext final : public BaseFetchContext {
   // WorkerGlobalScope and owned by this WorkerFetchContext.
   const Member<ContentSecurityPolicy> content_security_policy_;
 
-  const CrossThreadPersistent<WorkerResourceTimingNotifier>
-      resource_timing_notifier_;
+  CrossThreadPersistent<WorkerResourceTimingNotifier> resource_timing_notifier_;
 
   // The value of |save_data_enabled_| is read once per frame from
   // NetworkStateNotifier, which is guarded by a mutex lock, and cached locally