Bug 119718

Fix the problem https://chromium.googlesource.com/chromium/blink/+/65db79784ecd4a7e744d10a26befe5159638a56c fixed in WebKit if applicable. * Problem Description When NodeIterator/TreeWalker with filter JS callback is created, the following reference chain was created: NodeIterator -(RefPtr)-> NodeFilter -(RefPtr)-> V8NodeFilterCondition -(ScopedPersistent)-> JS callback object -> window This caused the whole document to be leaked when NodeIterator was referenced from window. For example, the following script created a circular reference which could not be collected. <script> window.foobar = document.createNodeIterator(document, NodeFilter.SHOW_ELEMENT, function(node) { return NodeFilter.FILTER_ACCEPT; }); </script> * Proposal This patch modifies the reference chain to avoid leak. The basic idea is to move the callback's whole reference chain to the V8 side. We change the strong reference to the JS callback object held by V8NodeFilterCondition to a weak reference. The JS callback is instead kept alive by a wrapper of NodeFilter, referenced from NodeIterator wrapper. The new reference chain is illustrated as follows: Blink world: NodeIterator -(RefPtr)-> NodeFilter -(RefPtr)-> V8NodeFilterCondition ^^^ ^^^ vvv(weakref)vvv V8 world: NodeIterator wrap -(HiddenProperty)-> NodeFilter wrap -(HiddenProperty)-> JS callback obj. -> window The new reference chain can be collected correctly, as the whole circular reference chain is visible from V8 GC.