Use RefPtr for MutationObserver in MutationObserverInterestGroup.
In MutaionObserverInterestGroup, MutationObservers were held in HashSet
as raw pointers. In case a MutationObserver is gone while mutation
events are collected (and garbage collector collects the object),
it causes use-after-free while the code tries to enqueue the recorded
mutation events. Use RefPtr<> to hold the pointer so that the object
will be kept until it goes out of scope.
BUG=557981
TEST=fast/dom/MutationObserver/mutation-and-deletion-race.html
Review URL: https://codereview.chromium.org/1463433002
Cr-Commit-Position: refs/heads/master@{#360541}
6 files changed
