Denis Bessonov authored
The crash occurs in the following situation:
- A navigation is in progress, which results in the Frame being detached from the DOMWindow
- PerformanceObserver::disconnect is called from a PromiseReactionJob microtask

In this case, this call graph is executed:

  blink::(anonymous namespace)::EndOfTaskRunner::DidProcessTask()
  v8::internal::Isolate::RunMicrotasks()
  v8::internal::Isolate::RunMicrotasksInternal()
  v8::internal::Isolate::PromiseReactionJob()
  ... some V8 magic to call browser API from JS ...
  blink::PerformanceObserver::disconnect()
  blink::PerformanceBase::UnregisterPerformanceObserver()
  blink::Performance::UpdateLongTaskInstrumentation()
  blink::LocalFrame::GetDocument() const

and, given that the Frame has been detached, GetDocument() is called with this equal to nullptr, which leads to a segfault.

Bug: 793720
Change-Id: Id3cd67e3ebb5a197024b8ac269eebfc241cf2fc7
Reviewed-on: https://chromium-review.googlesource.com/825022
Commit-Queue: Steve Kobes <skobes@chromium.org>
Reviewed-by: Daniel Cheng <dcheng@chromium.org>
Reviewed-by: Steve Kobes <skobes@chromium.org>
Cr-Commit-Position: refs/heads/master@{#526528}
ac2d13bd