Prevent synchronous script execution in Profiler::stop

Bug: 1119865 Change-Id: I916173d91453aebaf86e915b5bae85539a578ad1 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2373184Reviewed-by: Nicolás Peña Moreno <npm@chromium.org> Commit-Queue: Andrew Comminos <acomminos@fb.com> Cr-Commit-Position: refs/heads/master@{#801394}

Prevent synchronous script execution in Profiler::stop
Bug: 1119865 Change-Id: I916173d91453aebaf86e915b5bae85539a578ad1 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2373184Reviewed-by: Nicolás Peña Moreno <npm@chromium.org> Commit-Queue: Andrew Comminos <acomminos@fb.com> Cr-Commit-Position: refs/heads/master@{#801394}
20c2923f · Andrew Comminos · Commit Bot · c88566cc · 20c2923f · 20c2923f
Commit 20c2923f authored Aug 25, 2020 by Andrew Comminos Committed by Commit Bot Aug 25, 2020
2 changed files
--- a/third_party/blink/renderer/core/timing/profiler.cc
+++ b/third_party/blink/renderer/core/timing/profiler.cc
@@ -7,6 +7,7 @@
 #include "third_party/blink/renderer/core/dom/dom_exception.h"
 #include "third_party/blink/renderer/core/execution_context/execution_context.h"
 #include "third_party/blink/renderer/core/timing/profiler_group.h"
+#include "third_party/blink/renderer/platform/bindings/script_forbidden_scope.h"
 namespace blink {
@@ -32,6 +33,9 @@ ScriptPromise Profiler::stop(ScriptState* script_state) {
  ScriptPromise promise = resolver->Promise();
  if (!stopped()) {
+    // Ensure that we don't synchronously invoke script when resolving
+    // (crbug.com/1119865).
+    ScriptForbiddenScope forbid_script;
    DCHECK(profiler_group_);
    profiler_group_->StopProfiler(script_state, this, resolver);
    profiler_group_ = nullptr;

--- a/third_party/blink/renderer/core/timing/profiler_group_test.cc
+++ b/third_party/blink/renderer/core/timing/profiler_group_test.cc
@@ -5,6 +5,7 @@
 #include "third_party/blink/renderer/core/timing/profiler_group.h"
 #include "testing/gtest/include/gtest/gtest.h"
+#include "third_party/blink/renderer/bindings/core/v8/script_function.h"
 #include "third_party/blink/renderer/bindings/core/v8/v8_binding_for_testing.h"
 #include "third_party/blink/renderer/bindings/core/v8/v8_profiler_init_options.h"
 #include "third_party/blink/renderer/core/timing/profiler.h"
@@ -174,4 +175,36 @@ TEST(ProfilerGroupTest, V8ProfileLimit) {
  }
 }
+TEST(ProfilerGroupTest, Bug1119865) {
+  class ExpectNoCallFunction : public ScriptFunction {
+   public:
+    static v8::Local<v8::Function> Create(ScriptState* state) {
+      return MakeGarbageCollected<ExpectNoCallFunction>(state)
+          ->BindToV8Function();
+    }
+    explicit ExpectNoCallFunction(ScriptState* state) : ScriptFunction(state) {}
+    ScriptValue Call(ScriptValue) override {
+      EXPECT_FALSE(true)
+          << "Promise should not resolve without dispatching a task";
+      return ScriptValue();
+    }
+  };
+  V8TestingScope scope;
+  ProfilerGroup* profiler_group = ProfilerGroup::From(scope.GetIsolate());
+  ProfilerInitOptions* init_options = ProfilerInitOptions::Create();
+  init_options->setSampleInterval(0);
+  auto* profiler = profiler_group->CreateProfiler(
+      scope.GetScriptState(), *init_options, base::TimeTicks(),
+      scope.GetExceptionState());
+  auto function = ExpectNoCallFunction::Create(scope.GetScriptState());
+  profiler->stop(scope.GetScriptState()).Then(function);
+}
 }  // namespace blink