Added a javascript layout test to reproduce the 793720 crash.

The crash occurs in the following situation: - Navigation is performing which results in Frame detach from DOMWindow - PerformanceObserver::disconnect is called from PromiseReactionJob micro task In this case, this call graph is executed: blink::(anonymous namespace)::EndOfTaskRunner::DidProcessTask() v8::internal::Isolate::RunMicrotasks() v8::internal::Isolate::RunMicrotasksInternal() v8::internal::Isolate::PromiseReactionJob() ... some V8 magic to call browser API from JS ... blink::PerformanceObserver::disconnect() blink::PerformanceBase::UnregisterPerformanceObserver() blink::Performance::UpdateLongTaskInstrumentation() blink::LocalFrame::GetDocument() const and, given that Frame has been detached, GetDocument() is called with this equal to nullptr, which leads to segfault. Bug: 793720 Change-Id: Id3cd67e3ebb5a197024b8ac269eebfc241cf2fc7 Reviewed-on: https://chromium-review.googlesource.com/825022 Commit-Queue: Steve Kobes <skobes@chromium.org> Reviewed-by: Daniel Cheng <dcheng@chromium.org> Reviewed-by: Steve Kobes <skobes@chromium.org> Cr-Commit-Position: refs/heads/master@{#526528}

Added a javascript layout test to reproduce the 793720 crash.
The crash occurs in the following situation: - Navigation is performing which results in Frame detach from DOMWindow - PerformanceObserver::disconnect is called from PromiseReactionJob micro task In this case, this call graph is executed: blink::(anonymous namespace)::EndOfTaskRunner::DidProcessTask() v8::internal::Isolate::RunMicrotasks() v8::internal::Isolate::RunMicrotasksInternal() v8::internal::Isolate::PromiseReactionJob() ... some V8 magic to call browser API from JS ... blink::PerformanceObserver::disconnect() blink::PerformanceBase::UnregisterPerformanceObserver() blink::Performance::UpdateLongTaskInstrumentation() blink::LocalFrame::GetDocument() const and, given that Frame has been detached, GetDocument() is called with this equal to nullptr, which leads to segfault. Bug: 793720 Change-Id: Id3cd67e3ebb5a197024b8ac269eebfc241cf2fc7 Reviewed-on: https://chromium-review.googlesource.com/825022 Commit-Queue: Steve Kobes <skobes@chromium.org> Reviewed-by: Daniel Cheng <dcheng@chromium.org> Reviewed-by: Steve Kobes <skobes@chromium.org> Cr-Commit-Position: refs/heads/master@{#526528}
ac2d13bd · Denis Bessonov · Commit Bot · a9b68160 · ac2d13bd · ac2d13bd
Commit ac2d13bd authored Dec 14, 2017 by Denis Bessonov Committed by Commit Bot Jan 02, 2018
2 changed files
--- a/third_party/WebKit/LayoutTests/performance/performance-observer-crash-expected.txt
+++ b/third_party/WebKit/LayoutTests/performance/performance-observer-crash-expected.txt
--- a/third_party/WebKit/LayoutTests/performance/performance-observer-crash.html
+++ b/third_party/WebKit/LayoutTests/performance/performance-observer-crash.html
+<html>
+  <head>
+    <title>Crash page</title>
+    <script>
+      var observer = new PerformanceObserver(() => {});
+      function disconnectObserver() {
+        observer.disconnect();
+        testRunner.notifyDone();
+      }
+      function beginFetch() {
+        fetch('http://localhost/not-exists.jpg').catch(disconnectObserver);
+      }
+      function navigate() {
+        window.addEventListener("unload", beginFetch);
+        location.assign("about:blank");
+      };
+      testRunner.dumpAsText();
+      testRunner.setCustomTextOutput("");
+      testRunner.waitUntilDone();
+    </script>
+  </head>
+  <body onload="navigate()">
+    <p>This page will try to crash the renderer</p>
+  </body>
+</html>