Add a Prefinalizer to CanvasFontCache and move the current destructor content to the Prefinalizer.

This is necessary to resolve a use-after-free issue: the CanvasFontCache is promptly freed on heap tear down but not unregistered from TaskObserver.


Change-Id: I0a048bfd8dcae79d57a882ec553eb4aa9877a77a
Reviewed-on: https://chromium-review.googlesource.com/893140Reviewed-by: Kentaro Hara <haraken@chromium.org>
Commit-Queue: Hannes Payer <hpayer@chromium.org>
Cr-Commit-Position: refs/heads/master@{#532873}

third_party/WebKit/Source/core/html/canvas/CanvasFontCache.cpp

@@ -40,10 +40,6 @@ CanvasFontCache::CanvasFontCache(Document& document)
 }
 
 CanvasFontCache::~CanvasFontCache() {
-  main_cache_purge_preventer_.reset();
-  if (pruning_scheduled_) {
-    Platform::Current()->CurrentThread()->RemoveTaskObserver(this);
-  }
 }
 
 unsigned CanvasFontCache::MaxFonts() {
@@ -160,4 +156,11 @@ void CanvasFontCache::Trace(blink::Visitor* visitor) {
   visitor->Trace(document_);
 }
 
+void CanvasFontCache::Dispose() {
+  main_cache_purge_preventer_.reset();
+  if (pruning_scheduled_) {
+    Platform::Current()->CurrentThread()->RemoveTaskObserver(this);
+  }
+}
+
 }  // namespace blink

third_party/WebKit/Source/core/html/canvas/CanvasFontCache.h

@@ -24,6 +24,8 @@ class FontCachePurgePreventer;
 class CORE_EXPORT CanvasFontCache final
     : public GarbageCollectedFinalized<CanvasFontCache>,
       public WebThread::TaskObserver {
+  USING_PRE_FINALIZER(CanvasFontCache, Dispose);
+
  public:
   static CanvasFontCache* Create(Document& document) {
     return new CanvasFontCache(document);
@@ -52,6 +54,7 @@ class CORE_EXPORT CanvasFontCache final
 
  private:
   explicit CanvasFontCache(Document&);
+  void Dispose();
   void SchedulePruningIfNeeded();
   typedef HeapHashMap<String, Member<MutableCSSPropertyValueSet>>
       MutableStylePropertyMap;