Fix infinite recursion in css preload scanning

A self-referencing css stylesheet can attempt to preload itself reentrantly. Ensure a HTMLResourcePreloader doesn't scan the same Resource twice. Bug: 789198, 790940, 790945 Change-Id: I5a5ca56e3c12978c4a8b7fcbba79ae2a772671f8 Reviewed-on: https://chromium-review.googlesource.com/804496Reviewed-by: Charlie Harrison <csharrison@chromium.org> Reviewed-by: Hiroshige Hayashizaki <hiroshige@chromium.org> Reviewed-by: Kouhei Ueno <kouhei@chromium.org> Commit-Queue: Nate Chapin <japhet@chromium.org> Cr-Commit-Position: refs/heads/master@{#521911}

Fix infinite recursion in css preload scanning
A self-referencing css stylesheet can attempt to preload itself reentrantly. Ensure a HTMLResourcePreloader doesn't scan the same Resource twice. Bug: 789198, 790940, 790945 Change-Id: I5a5ca56e3c12978c4a8b7fcbba79ae2a772671f8 Reviewed-on: https://chromium-review.googlesource.com/804496Reviewed-by: Charlie Harrison <csharrison@chromium.org> Reviewed-by: Hiroshige Hayashizaki <hiroshige@chromium.org> Reviewed-by: Kouhei Ueno <kouhei@chromium.org> Commit-Queue: Nate Chapin <japhet@chromium.org> Cr-Commit-Position: refs/heads/master@{#521911}
785c19f3 · Nate Chapin · Commit Bot · e9d88424 · 785c19f3 · 785c19f3
Commit 785c19f3 authored Dec 06, 2017 by Nate Chapin Committed by Commit Bot Dec 06, 2017
6 changed files
--- a/third_party/WebKit/LayoutTests/http/tests/preload/css-import-scan-recursive-expected.txt
+++ b/third_party/WebKit/LayoutTests/http/tests/preload/css-import-scan-recursive-expected.txt
+PASS if no crash.
--- a/third_party/WebKit/LayoutTests/http/tests/preload/css-import-scan-recursive.html
+++ b/third_party/WebKit/LayoutTests/http/tests/preload/css-import-scan-recursive.html
+<script>
+if (window.testRunner)
+  testRunner.dumpAsText();
+
+if (window.internals)
+  internals.settings.setCSSExternalScannerPreload(true);
+
+var link = "<link rel='stylesheet' type='text/css' href='resources/css-link-recurse.css'><\/link>";
+var slowScript = "<script src='../resources/slow-script.pl?delay=1000'><\/script>";
+document.write(slowScript + link);
+</script>
+PASS if no crash.
--- a/third_party/WebKit/LayoutTests/http/tests/preload/resources/css-link-recurse.css
+++ b/third_party/WebKit/LayoutTests/http/tests/preload/resources/css-link-recurse.css
+@import url('css-link-recurse.css');
+.purple { color: purple; }
--- a/third_party/WebKit/Source/core/html/parser/HTMLDocumentParser.cpp
+++ b/third_party/WebKit/Source/core/html/parser/HTMLDocumentParser.cpp
@@ -932,6 +932,9 @@ void HTMLDocumentParser::end() {
  // deletes this).
  tree_builder_->Finished();

+  // All preloads should be done.
+  preloader_.Clear();
+
  DocumentParser::StopParsing();
 }


--- a/third_party/WebKit/Source/core/html/parser/HTMLResourcePreloader.cpp
+++ b/third_party/WebKit/Source/core/html/parser/HTMLResourcePreloader.cpp
@@ -78,12 +78,16 @@ void HTMLResourcePreloader::Preload(

  Resource* resource = preload->Start(document_);

-  if (resource && !resource->IsLoaded() &&
+  // Don't scan a Resource more than once, to avoid a self-referencing
+  // stlyesheet causing infinite recursion.
+  if (resource && !css_preloaders_.Contains(resource) &&
      preload->ResourceType() == Resource::kCSSStyleSheet) {
    Settings* settings = document_->GetSettings();
    if (settings && (settings->GetCSSExternalScannerNoPreload() ||
-                     settings->GetCSSExternalScannerPreload()))
-      css_preloaders_.insert(new CSSPreloaderResourceClient(resource, this));
+                     settings->GetCSSExternalScannerPreload())) {
+      css_preloaders_.insert(resource,
+                             new CSSPreloaderResourceClient(resource, this));
+    }
  }
 }


--- a/third_party/WebKit/Source/core/html/parser/HTMLResourcePreloader.h
+++ b/third_party/WebKit/Source/core/html/parser/HTMLResourcePreloader.h
@@ -59,7 +59,8 @@ class CORE_EXPORT HTMLResourcePreloader

 private:
  Member<Document> document_;
-  HeapHashSet<Member<CSSPreloaderResourceClient>> css_preloaders_;
+  HeapHashMap<Member<Resource>, Member<CSSPreloaderResourceClient>>
+      css_preloaders_;

  DISALLOW_COPY_AND_ASSIGN(HTMLResourcePreloader);
 };