Avoid touching NestedSubscription's ref count before it's fully constructed

NestedSubscription is a ref-counted object, and its first reference used to
be made by base::BindOnce in its constructor. The reference is passed to
another thread, and released when the callback instance is destroyed.

However, if the PostTask failed or the posted task ran soon before the
constructor finished to construct the NestedSubscription instance, the
ref count is decremented to 0, and `new NestedSubscription` may return
a stale pointer.

This CL adds a static constructor to avoid that by splitting the ref-count
related set up out of the constructor.

Bug: 866456
Change-Id: Idf03b31b95b4a7ddee81fdebff78a594e52a62f8
Reviewed-on: https://chromium-review.googlesource.com/1149762Reviewed-by: Richard Coles <torne@chromium.org>
Commit-Queue: Taiju Tsuiki <tzik@chromium.org>
Cr-Commit-Position: refs/heads/master@{#577933}

android_webview/browser/net/aw_cookie_change_dispatcher_wrapper.cc

@@ -49,7 +49,7 @@ class SubscriptionWrapper {
     DCHECK(callback_list_.empty());
 
     nested_subscription_ =
-        new NestedSubscription(url, name, weak_factory_.GetWeakPtr());
+        NestedSubscription::Create(url, name, weak_factory_.GetWeakPtr());
     return std::make_unique<AwCookieChangeSubscription>(
         callback_list_.Add(std::move(callback)));
   }
@@ -61,21 +61,28 @@ class SubscriptionWrapper {
   class NestedSubscription
       : public base::RefCountedDeleteOnSequence<NestedSubscription> {
    public:
-    NestedSubscription(const GURL& url,
-                       const std::string& name,
-                       base::WeakPtr<SubscriptionWrapper> subscription_wrapper)
-        : base::RefCountedDeleteOnSequence<NestedSubscription>(
-              GetCookieStoreTaskRunner()),
-          subscription_wrapper_(subscription_wrapper),
-          client_task_runner_(base::ThreadTaskRunnerHandle::Get()) {
-      PostTaskToCookieStoreTaskRunner(
-          base::BindOnce(&NestedSubscription::Subscribe, this, url, name));
+    static scoped_refptr<NestedSubscription> Create(
+        const GURL& url,
+        const std::string& name,
+        base::WeakPtr<SubscriptionWrapper> subscription_wrapper) {
+      auto subscription = base::WrapRefCounted(
+          new NestedSubscription(std::move(subscription_wrapper)));
+      PostTaskToCookieStoreTaskRunner(base::BindOnce(
+          &NestedSubscription::Subscribe, subscription, url, name));
+      return subscription;
     }
 
    private:
     friend class base::RefCountedDeleteOnSequence<NestedSubscription>;
     friend class base::DeleteHelper<NestedSubscription>;
 
+    explicit NestedSubscription(
+        base::WeakPtr<SubscriptionWrapper> subscription_wrapper)
+        : base::RefCountedDeleteOnSequence<NestedSubscription>(
+              GetCookieStoreTaskRunner()),
+          subscription_wrapper_(subscription_wrapper),
+          client_task_runner_(base::ThreadTaskRunnerHandle::Get()) {}
+
     ~NestedSubscription() {}
 
     void Subscribe(const GURL& url, const std::string& name) {