Move FrameLoader completion check timer to loading task runner.

WebFrameScheduler is also no longer lazily created: this avoids
problems with the frame scheduler being unexpectedly recreated
during frame detach, which often leads to use-after-frees.

BUG=624694

Review-Url: https://codereview.chromium.org/2172153002
Cr-Commit-Position: refs/heads/master@{#407767}

third_party/WebKit/Source/core/frame/LocalFrame.cpp

@@ -380,7 +380,6 @@ void LocalFrame::detach(FrameDetachType type)
     SubframeLoadingDisabler disabler(*document());
     m_loader.dispatchUnloadEvent();
     detachChildren();
-    m_frameScheduler.reset();
 
     // All done if detaching the subframes brought about a detach of this frame also.
     if (!client())
@@ -397,8 +396,6 @@ void LocalFrame::detach(FrameDetachType type)
     // - Document::detachLayoutTree()'s deferred widget updates can run script.
     ScriptForbiddenScope forbidScript;
     m_loader.clear();
-    // Clear FrameScheduler again in case it is recreated in scripting.
-    m_frameScheduler.reset();
     if (!client())
         return;
 
@@ -427,6 +424,7 @@ void LocalFrame::detach(FrameDetachType type)
     Frame::detach(type);
 
     m_supplements.clear();
+    m_frameScheduler.reset();
     WeakIdentifierMap<LocalFrame>::notifyObjectDestroyed(this);
 }
 
@@ -806,6 +804,7 @@ bool LocalFrame::shouldThrottleRendering() const
 
 inline LocalFrame::LocalFrame(FrameLoaderClient* client, FrameHost* host, FrameOwner* owner, ServiceRegistry* serviceRegistry)
     : Frame(client, host, owner)
+    , m_frameScheduler(page()->chromeClient().createFrameScheduler(client->frameBlameContext()))
     , m_loader(this)
     , m_navigationScheduler(NavigationScheduler::create(this))
     , m_script(ScriptController::create(this))
@@ -829,10 +828,6 @@ inline LocalFrame::LocalFrame(FrameLoaderClient* client, FrameHost* host, FrameO
 
 WebFrameScheduler* LocalFrame::frameScheduler()
 {
-    if (!m_frameScheduler.get())
-        m_frameScheduler = page()->chromeClient().createFrameScheduler(client()->frameBlameContext());
-
-    ASSERT(m_frameScheduler.get());
     return m_frameScheduler.get();
 }
 

third_party/WebKit/Source/core/frame/LocalFrame.h

@@ -200,6 +200,8 @@ private:
     void enableNavigation() { --m_navigationDisableCount; }
     void disableNavigation() { ++m_navigationDisableCount; }
 
+    std::unique_ptr<WebFrameScheduler> m_frameScheduler;
+
     mutable FrameLoader m_loader;
     Member<NavigationScheduler> m_navigationScheduler;
 
@@ -215,7 +217,6 @@ private:
     const Member<EventHandler> m_eventHandler;
     const Member<FrameConsole> m_console;
     const Member<InputMethodController> m_inputMethodController;
-    std::unique_ptr<WebFrameScheduler> m_frameScheduler;
 
     int m_navigationDisableCount;
 

third_party/WebKit/Source/core/loader/FrameLoader.cpp

@@ -40,6 +40,7 @@
 #include "core/HTMLNames.h"
 #include "core/dom/Document.h"
 #include "core/dom/Element.h"
+#include "core/dom/TaskRunnerHelper.h"
 #include "core/dom/ViewportDescription.h"
 #include "core/editing/Editor.h"
 #include "core/events/GestureEvent.h"
@@ -168,7 +169,7 @@ FrameLoader::FrameLoader(LocalFrame* frame)
     , m_progressTracker(ProgressTracker::create(frame))
     , m_loadType(FrameLoadTypeStandard)
     , m_inStopAllLoaders(false)
-    , m_checkTimer(this, &FrameLoader::checkTimerFired)
+    , m_checkTimer(this, &FrameLoader::checkTimerFired, TaskRunnerHelper::getLoadingTaskRunner(frame))
     , m_didAccessInitialDocument(false)
     , m_forcedSandboxFlags(SandboxNone)
     , m_dispatchingDidClearWindowObjectInMainWorld(false)

third_party/WebKit/Source/platform/Timer.h

@@ -159,11 +159,18 @@ class Timer : public TimerBase {
 public:
     using TimerFiredFunction = void (TimerFiredClass::*)(Timer<TimerFiredClass>*);
 
+    // TODO(dcheng): Consider removing this overload once all timers are using the
+    // appropriate task runner. https://crbug.com/624694
     Timer(TimerFiredClass* o, TimerFiredFunction f)
         : m_object(o), m_function(f)
     {
     }
 
+    Timer(TimerFiredClass* o, TimerFiredFunction f, WebTaskRunner* webTaskRunner)
+        : TimerBase(webTaskRunner), m_object(o), m_function(f)
+    {
+    }
+
     ~Timer() override { }
 
 protected:
@@ -181,11 +188,6 @@ protected:
         return TimerIsObjectAliveTrait<TimerFiredClass>::isHeapObjectAlive(m_object);
     }
 
-    Timer(TimerFiredClass* o, TimerFiredFunction f, WebTaskRunner* webTaskRunner)
-        : TimerBase(webTaskRunner), m_object(o), m_function(f)
-    {
-    }
-
 private:
     // FIXME: Oilpan: TimerBase should be moved to the heap and m_object should be traced.
     // This raw pointer is safe as long as Timer<X> is held by the X itself (That's the case