Crash in BodyStreamBuffer constructor

The CHECKs added in https://chromium-review.googlesource.com/c/chromium/src/+/1837445 indicate that |consumer_| is being cleared in the BodyStreamBuffer constructor during the call to ReadableStream::CreateWithCountQueueingStrategy(). There's no apparent way this can happen. Add new temporary CHECKs to the places where |consumer_| is cleared to verify that we are not inside the call to ReadableStream::CreateWithCountQueueingStrategy(). These should result in a stack trace at the point where the problem occurs. BUG=1007162 Change-Id: I571214597ff714f34b2cfb63d2c42f42d53733d3 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/1928513Reviewed-by: Yutaka Hirano <yhirano@chromium.org> Commit-Queue: Adam Rice <ricea@chromium.org> Cr-Commit-Position: refs/heads/master@{#718539}

Crash in BodyStreamBuffer constructor
The CHECKs added in https://chromium-review.googlesource.com/c/chromium/src/+/1837445 indicate that |consumer_| is being cleared in the BodyStreamBuffer constructor during the call to ReadableStream::CreateWithCountQueueingStrategy(). There's no apparent way this can happen. Add new temporary CHECKs to the places where |consumer_| is cleared to verify that we are not inside the call to ReadableStream::CreateWithCountQueueingStrategy(). These should result in a stack trace at the point where the problem occurs. BUG=1007162 Change-Id: I571214597ff714f34b2cfb63d2c42f42d53733d3 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/1928513Reviewed-by: Yutaka Hirano <yhirano@chromium.org> Commit-Queue: Adam Rice <ricea@chromium.org> Cr-Commit-Position: refs/heads/master@{#718539}
61486289 · Adam Rice · Commit Bot · 1f0c003f · 61486289 · 61486289
Commit 61486289 authored Nov 25, 2019 by Adam Rice Committed by Commit Bot Nov 25, 2019
2 changed files
--- a/third_party/blink/renderer/core/fetch/body_stream_buffer.cc
+++ b/third_party/blink/renderer/core/fetch/body_stream_buffer.cc
@@ -107,18 +107,19 @@ BodyStreamBuffer::BodyStreamBuffer(ScriptState* script_state,
      consumer_(consumer),
      signal_(signal),
      made_from_readable_stream_(false) {
-  // This CHECK is temporary to track down the cause of
+  // inside_create_stream_ is set to track down the cause of the crash in
  // https://crbug.com/1007162.
-  // TODO(ricea): Remove it once we know whether it crashes or not.
+  // TODO(ricea): Remove it and the CHECK once the cause is found.
+  inside_create_stream_ = true;
  CHECK(consumer_);
  stream_ =
      ReadableStream::CreateWithCountQueueingStrategy(script_state_, this, 0);
  stream_broken_ = !stream_;
-  // This CHECK is temporary to track down the cause of
+  // TODO(ricea): Remove this and the CHECK once https://crbug.com/1007162 is
-  // https://crbug.com/1007162.
+  // fixed.
-  // TODO(ricea): Remove it once we know whether it crashes or not.
+  inside_create_stream_ = false;
  CHECK(consumer_);
  consumer_->SetClient(this);
@@ -426,6 +427,9 @@ void BodyStreamBuffer::GetError() {
 void BodyStreamBuffer::CancelConsumer() {
  if (consumer_) {
+    // TODO(ricea): Remove this CHECK once the cause of
+    // https://crbug.com/1007162 is found.
+    CHECK(!inside_create_stream_);
    consumer_->Cancel();
    consumer_ = nullptr;
  }
@@ -539,6 +543,9 @@ BytesConsumer* BodyStreamBuffer::ReleaseHandle(
  if (exception_state.HadException())
    return nullptr;
+  // TODO(ricea): Remove this CHECK once the cause of https://crbug.com/1007162
+  // is found.
+  CHECK(!inside_create_stream_);
  BytesConsumer* consumer = consumer_.Release();
  CloseAndLockAndDisturb(exception_state);

--- a/third_party/blink/renderer/core/fetch/body_stream_buffer.h
+++ b/third_party/blink/renderer/core/fetch/body_stream_buffer.h
@@ -108,6 +108,11 @@ class CORE_EXPORT BodyStreamBuffer final : public UnderlyingSourceBase,
  bool made_from_readable_stream_;
  bool in_process_data_ = false;
  bool stream_broken_ = false;
+  // TODO(ricea): Remove this once the cause of https://crbug.com/1007162 has
+  // been established.
+  bool inside_create_stream_ = false;
  DISALLOW_COPY_AND_ASSIGN(BodyStreamBuffer);
 };