Fix protocol for aborting and waiting for cancelable tasks.

Since {CancelAndWait} blocks on the tasks that are still present in the internal
hashmap, we are not allowed to remove the task upon trying to cancel it using
{TryAbort}.

The previous implementation suffered from a bug where:
1) The task was created and handed over to the platform.
2) The task was started by the platform, setting it to running state.
3) We called {TryAbort}, effectively removing it from the manager, but failing
   to cancel (as it was already running)
4) All tasks finished running, indicating this with their own semaphore.
5) The platform was stuck (scheduling) before destroying the task.
6) Main thread finished its work, waiting for all the necessary tasks, and the
   isolate terminated.
7) The platform destroyed the task, calling the destructor, calling into an
   already freed isolate.

BUG=chromium:524425
LOG=N

Review URL: https://codereview.chromium.org/1460763004

Cr-Commit-Position: refs/heads/master@{#32118}

src/cancelable-task.cc

@@ -23,7 +23,7 @@ Cancelable::~Cancelable() {
   // manager object. This happens when the manager cancels all pending tasks
   // in {CancelAndWait} only before destroying the manager object.
   if (TryRun() || IsRunning()) {
-    parent_->TryAbort(id_);
+    parent_->RemoveFinishedTask(id_);
   }
 }
 
@@ -50,15 +50,29 @@ uint32_t CancelableTaskManager::Register(Cancelable* task) {
 }
 
 
+void CancelableTaskManager::RemoveFinishedTask(uint32_t id) {
+  base::LockGuard<base::Mutex> guard(&mutex_);
+  void* removed = cancelable_tasks_.Remove(reinterpret_cast<void*>(id), id);
+  USE(removed);
+  DCHECK(removed != nullptr);
+  cancelable_tasks_barrier_.NotifyOne();
+}
+
+
 bool CancelableTaskManager::TryAbort(uint32_t id) {
   base::LockGuard<base::Mutex> guard(&mutex_);
-  Cancelable* value = reinterpret_cast<Cancelable*>(
-      cancelable_tasks_.Remove(reinterpret_cast<void*>(id), id));
-  if (value != nullptr) {
-    bool success = value->Cancel();
-    cancelable_tasks_barrier_.NotifyOne();
-    if (!success) return false;
-    return true;
+  HashMap::Entry* entry =
+      cancelable_tasks_.Lookup(reinterpret_cast<void*>(id), id);
+  if (entry != nullptr) {
+    Cancelable* value = reinterpret_cast<Cancelable*>(entry->value);
+    if (value->Cancel()) {
+      // Cannot call RemoveFinishedTask here because of recursive locking.
+      void* removed = cancelable_tasks_.Remove(reinterpret_cast<void*>(id), id);
+      USE(removed);
+      DCHECK(removed != nullptr);
+      cancelable_tasks_barrier_.NotifyOne();
+      return true;
+    }
   }
   return false;
 }

src/cancelable-task.h

@@ -43,6 +43,10 @@ class CancelableTaskManager {
   void CancelAndWait();
 
  private:
+  // Only called by {Cancelable} destructor. The task is done with executing,
+  // but needs to be removed.
+  void RemoveFinishedTask(uint32_t id);
+
   // To mitigate the ABA problem, the api refers to tasks through an id.
   uint32_t task_id_counter_;
 
@@ -54,6 +58,8 @@ class CancelableTaskManager {
   base::ConditionVariable cancelable_tasks_barrier_;
   base::Mutex mutex_;
 
+  friend class Cancelable;
+
   DISALLOW_COPY_AND_ASSIGN(CancelableTaskManager);
 };