From haraken:

Maybe we should add a check to the GC plugin to check that DECLARE_TRACE is not written on a non-heap object or a DISALLOW_ALLOCATION object.

#1: IIUC the suggestion correctly, a variation of that was added recently for the stack allocated case (issue 689864). (I can no longer access the issue, for some reason.)

[ i.e., just to be clear, the bug here afaict is that WebInputMethodControllerImpl is allowed to declare a WeakMember<> + a Trace() method despite not being on the heap. That's kind of a bad loophole. ]

Correction,  issue 689874  it was (some CL had the wrong BUG= number.)

Yes, that's correct. In theory, I think that's not a problem if it's traced, but it seems like we probably just shouldn't allow it.

I can take a look (% other stuff); this should be disallowed by the field checks already, I suspect we're missing an override for WeakMember<> somewhere. 

Will WebInputMethodControllerImpl be moved onto the heap (either on its own or as a part object) via https://chromium-review.googlesource.com/c/509149/ ? Unsafe as it is.

(why is a WeakMember<> needed for that back pointer, btw?)

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/661549ee2476754868691a897e3752365e204ffd

commit 661549ee2476754868691a897e3752365e204ffd
Author: Daniel Cheng <dcheng@chromium.org>
Date: Tue May 23 00:35:28 2017

Make sure to trace WebInputMethodController.

This class contains GC pointers and should be traced. Due to
a bug in the GC plugin, this wasn't being enforced. This also
changes the class to be a part object to clarify lifetimes.

Bug:  724418 
Change-Id: I46d037d7f5040bc942b6bdf54d8d8a134914134b
Reviewed-on: https://chromium-review.googlesource.com/509149
Reviewed-by: Kentaro Hara <haraken@chromium.org>
Commit-Queue: Daniel Cheng <dcheng@chromium.org>
Cr-Commit-Position: refs/heads/master@{#473763}
[modify] https://crrev.com/661549ee2476754868691a897e3752365e204ffd/third_party/WebKit/Source/web/WebInputMethodControllerImpl.cpp
[modify] https://crrev.com/661549ee2476754868691a897e3752365e204ffd/third_party/WebKit/Source/web/WebInputMethodControllerImpl.h
[modify] https://crrev.com/661549ee2476754868691a897e3752365e204ffd/third_party/WebKit/Source/web/WebLocalFrameImpl.cpp
[modify] https://crrev.com/661549ee2476754868691a897e3752365e204ffd/third_party/WebKit/Source/web/WebLocalFrameImpl.h
[modify] https://crrev.com/661549ee2476754868691a897e3752365e204ffd/third_party/WebKit/public/web/WebLocalFrame.h

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/55a04e9c19f6754fad6f509cf6854dd35c896071

commit 55a04e9c19f6754fad6f509cf6854dd35c896071
Author: sigbjornf <sigbjornf@opera.com>
Date: Wed May 24 18:37:23 2017

blink_gc_plugin: disallow WeakMember<> fields in off-heap objects.

Add missing check for WeakMember<> fields in non-managed classes;
not permitted just like Member<>.

R=dcheng,haraken
BUG= 724418 

Review-Url: https://codereview.chromium.org/2902563002
Cr-Commit-Position: refs/heads/master@{#474368}

[modify] https://crrev.com/55a04e9c19f6754fad6f509cf6854dd35c896071/tools/clang/blink_gc_plugin/BlinkGCPlugin.cpp
[modify] https://crrev.com/55a04e9c19f6754fad6f509cf6854dd35c896071/tools/clang/blink_gc_plugin/BlinkGCPluginConsumer.cpp
[modify] https://crrev.com/55a04e9c19f6754fad6f509cf6854dd35c896071/tools/clang/blink_gc_plugin/BlinkGCPluginOptions.h
[modify] https://crrev.com/55a04e9c19f6754fad6f509cf6854dd35c896071/tools/clang/blink_gc_plugin/CheckFieldsVisitor.cpp
[modify] https://crrev.com/55a04e9c19f6754fad6f509cf6854dd35c896071/tools/clang/blink_gc_plugin/CheckFieldsVisitor.h
[modify] https://crrev.com/55a04e9c19f6754fad6f509cf6854dd35c896071/tools/clang/blink_gc_plugin/tests/member_in_offheap_class.cpp
[modify] https://crrev.com/55a04e9c19f6754fad6f509cf6854dd35c896071/tools/clang/blink_gc_plugin/tests/member_in_offheap_class.h
[modify] https://crrev.com/55a04e9c19f6754fad6f509cf6854dd35c896071/tools/clang/blink_gc_plugin/tests/member_in_offheap_class.txt