bindings: Disable V8ContextSnapshot if deserialization fail

While deserializing V8 contexts from snapshot, the process can fail, unfortunately. This CL makes the routine to catch such unexpected cases and disables the feature to avoid crashes. Bug: 881417 Change-Id: I874a16b63fd6b8ae7a3532bc5c662531a895e3ed Reviewed-on: https://chromium-review.googlesource.com/c/1258786 Commit-Queue: Hitoshi Yoshida <peria@chromium.org> Reviewed-by: Yuki Shiino <yukishiino@chromium.org> Reviewed-by: Kentaro Hara <haraken@chromium.org> Cr-Commit-Position: refs/heads/master@{#596974}

bindings: Disable V8ContextSnapshot if deserialization fail
While deserializing V8 contexts from snapshot, the process can fail, unfortunately. This CL makes the routine to catch such unexpected cases and disables the feature to avoid crashes. Bug: 881417 Change-Id: I874a16b63fd6b8ae7a3532bc5c662531a895e3ed Reviewed-on: https://chromium-review.googlesource.com/c/1258786 Commit-Queue: Hitoshi Yoshida <peria@chromium.org> Reviewed-by: Yuki Shiino <yukishiino@chromium.org> Reviewed-by: Kentaro Hara <haraken@chromium.org> Cr-Commit-Position: refs/heads/master@{#596974}
98d5e413 · Hitoshi Yoshida · Commit Bot · 76bf417b · 98d5e413 · 98d5e413
Commit 98d5e413 authored Oct 05, 2018 by Hitoshi Yoshida Committed by Commit Bot Oct 05, 2018
2 changed files
--- a/third_party/blink/renderer/bindings/core/v8/v8_context_snapshot.cc
+++ b/third_party/blink/renderer/bindings/core/v8/v8_context_snapshot.cc
@@ -114,9 +114,12 @@ const WrapperTypeInfo* FieldTypeToWrapperTypeInfo(InternalFieldType type) {
 struct DataForDeserializer {
  STACK_ALLOCATED();
 public:
+  DataForDeserializer(Document* document) : document(document) {}
  Member<Document> document;
+  // Figures if we failed the deserialization.
+  bool did_fail = false;
 };
 }  // namespace
@@ -132,13 +135,22 @@ v8::Local<v8::Context> V8ContextSnapshot::CreateContextFromSnapshot(
  }
  const int index = GetSnapshotIndexForWorld(world);
-  DataForDeserializer data{document};
+  DataForDeserializer data(document);
  v8::DeserializeInternalFieldsCallback callback =
      v8::DeserializeInternalFieldsCallback(&DeserializeInternalField, &data);
  v8::Local<v8::Context> context =
      v8::Context::FromSnapshot(isolate, index, callback,
                                extension_configuration, global_proxy)
          .ToLocalChecked();
+  // In case we fail to deserialize v8::Context from snapshot,
+  // disable the snapshot feature and returns an empty handle.
+  // TODO(peria): Drop this fallback routine. crbug.com/881417
+  if (data.did_fail) {
+    V8PerIsolateData::From(isolate)->BailoutAndDisableV8ContextSnapshot();
+    return v8::Local<v8::Context>();
+  }
  VLOG(1) << "A context is created from snapshot for "
          << (world.IsMainWorld() ? "" : "non-") << "main world";
@@ -351,27 +363,45 @@ void V8ContextSnapshot::DeserializeInternalField(v8::Local<v8::Object> object,
      *reinterpret_cast<const InternalFieldType*>(payload.data);
  const WrapperTypeInfo* wrapper_type_info = FieldTypeToWrapperTypeInfo(type);
+  DataForDeserializer* embed_data = static_cast<DataForDeserializer*>(ptr);
  switch (type) {
    case InternalFieldType::kNodeType:
    case InternalFieldType::kDocumentType:
    case InternalFieldType::kHTMLDocumentType: {
-      CHECK_EQ(index, kV8DOMWrapperTypeIndex);
+      // TODO(peria): Make this branch back to CHECK_EQ. crbug.com/881417
+      if (index != kV8DOMWrapperTypeIndex) {
+        LOG(ERROR) << "Invalid index for wrpper type info: " << index;
+        embed_data->did_fail = true;
+        return;
+      }
      object->SetAlignedPointerInInternalField(
          index, const_cast<WrapperTypeInfo*>(wrapper_type_info));
      return;
    }
    case InternalFieldType::kHTMLDocumentObject: {
+      // There seems to be few crash reports with invalid |index|.
+      // In such cases, we fallback to create v8::Context without snapshots.
+      // TODO(peria): Make this branch back to CHECK_EQ. crbug.com/881417
+      if (index != kV8DOMWrapperObjectIndex) {
+        LOG(ERROR) << "Invalid index for HTMLDocument object: " << index;
+        embed_data->did_fail = true;
+        return;
+      }
      // The below code handles window.document on the main world.
-      CHECK_EQ(index, kV8DOMWrapperObjectIndex);
      v8::Isolate* isolate = v8::Isolate::GetCurrent();
-      DataForDeserializer* data = static_cast<DataForDeserializer*>(ptr);
+      ScriptWrappable* document = embed_data->document;
-      ScriptWrappable* document = data->document;
      DCHECK(document);
      // Make reference from wrapper to document
      object->SetAlignedPointerInInternalField(index, document);
      // Make reference from document to wrapper
-      CHECK(document->SetWrapper(isolate, wrapper_type_info, object));
+      // TODO(peria): Make this branch back to CHECK. crbug.com/881417
+      if (!document->SetWrapper(isolate, wrapper_type_info, object)) {
+        LOG(ERROR) << "Failed to set HTMLDocument wrapper on Blink object.";
+        embed_data->did_fail = true;
+        return;
+      }
      WrapperTypeInfo::WrapperCreated();
      return;
    }

--- a/third_party/blink/renderer/platform/bindings/v8_per_isolate_data.h
+++ b/third_party/blink/renderer/platform/bindings/v8_per_isolate_data.h
@@ -157,6 +157,10 @@ class PLATFORM_EXPORT V8PerIsolateData {
  V8ContextSnapshotMode GetV8ContextSnapshotMode() const {
    return v8_context_snapshot_mode_;
  }
+  void BailoutAndDisableV8ContextSnapshot() {
+    DCHECK_EQ(V8ContextSnapshotMode::kUseSnapshot, v8_context_snapshot_mode_);
+    v8_context_snapshot_mode_ = V8ContextSnapshotMode::kDontUseSnapshot;
+  }
  // Accessor to the cache of cross-origin accessible operation's templates.
  // Created templates get automatically cached.