Prevent promise reject to be sync scheduled during DocumentLoader detach

Bug: 868592 Cq-Include-Trybots: luci.chromium.try:linux_layout_tests_slimming_paint_v2;master.tryserver.blink:linux_trusty_blink_rel Change-Id: I5cff4653a62c357e8eb9d5a82a11b8018653b712 Reviewed-on: https://chromium-review.googlesource.com/1163235Reviewed-by: Yuki Shiino <yukishiino@chromium.org> Reviewed-by: Yutaka Hirano <yhirano@chromium.org> Commit-Queue: Kouhei Ueno <kouhei@chromium.org> Cr-Commit-Position: refs/heads/master@{#580814}

Prevent promise reject to be sync scheduled during DocumentLoader detach
Bug: 868592 Cq-Include-Trybots: luci.chromium.try:linux_layout_tests_slimming_paint_v2;master.tryserver.blink:linux_trusty_blink_rel Change-Id: I5cff4653a62c357e8eb9d5a82a11b8018653b712 Reviewed-on: https://chromium-review.googlesource.com/1163235Reviewed-by: Yuki Shiino <yukishiino@chromium.org> Reviewed-by: Yutaka Hirano <yhirano@chromium.org> Commit-Queue: Kouhei Ueno <kouhei@chromium.org> Cr-Commit-Position: refs/heads/master@{#580814}
c415acc1 · Kouhei Ueno · Commit Bot · 885bca11 · c415acc1 · 885bca11
Commit c415acc1 authored Aug 06, 2018 by Kouhei Ueno Committed by Commit Bot Aug 06, 2018
4 changed files
--- a/third_party/WebKit/LayoutTests/FlagExpectations/enable-blink-gen-property-trees
+++ b/third_party/WebKit/LayoutTests/FlagExpectations/enable-blink-gen-property-trees
@@ -48,7 +48,6 @@ Bug(none) navigator_webdriver/ [ Skip ]
 Bug(none) netinfo/ [ Skip ]
 Bug(none) nfc/ [ Skip ]
 Bug(none) payments/ [ Skip ]
-Bug(none) performance/ [ Skip ]
 Bug(none) permissionclient/ [ Skip ]
 Bug(none) platform/ [ Skip ]
 Bug(none) plugins/ [ Skip ]

--- a/third_party/WebKit/LayoutTests/performance/performance-observer-crash-expected.txt
+++ b/third_party/WebKit/LayoutTests/performance/performance-observer-crash-expected.txt
-
--- a/third_party/WebKit/LayoutTests/performance/performance-observer-crash.html
+++ b/third_party/WebKit/LayoutTests/performance/performance-observer-crash.html
-<html>
-  <head>
-    <title>Crash page</title>
-    <script>
-      var observer = new PerformanceObserver(() => {});
-      function disconnectObserver() {
-        observer.disconnect();
-        testRunner.notifyDone();
-      }
-      function beginFetch() {
-        fetch('http://localhost/not-exists.jpg').catch(disconnectObserver);
-      }
-      function navigate() {
-        window.addEventListener("unload", beginFetch);
-        location.assign("about:blank");
-      };
-      testRunner.dumpAsText();
-      testRunner.setCustomTextOutput("");
-      testRunner.waitUntilDone();
-    </script>
-  </head>
-  <body onload="navigate()">
-    <p>This page will try to crash the renderer</p>
-  </body>
-</html>
--- a/third_party/blink/renderer/core/fetch/fetch_manager.cc
+++ b/third_party/blink/renderer/core/fetch/fetch_manager.cc
@@ -33,6 +33,7 @@
 #include "third_party/blink/renderer/core/probe/core_probes.h"
 #include "third_party/blink/renderer/core/typed_arrays/dom_array_buffer.h"
 #include "third_party/blink/renderer/platform/bindings/exception_state.h"
+#include "third_party/blink/renderer/platform/bindings/script_forbidden_scope.h"
 #include "third_party/blink/renderer/platform/bindings/script_state.h"
 #include "third_party/blink/renderer/platform/bindings/v8_throw_exception.h"
 #include "third_party/blink/renderer/platform/exported/wrapped_resource_response.h"
@@ -900,6 +901,12 @@ void FetchManager::Loader::Failed(const String& message) {
        ConsoleMessage::Create(kJSMessageSource, kErrorMessageLevel, message));
  }
  if (resolver_) {
+    // This ScriptForbiddenScope forcibly punt the reject task to prevent the
+    // promise reject microtask to be queued synchronously during
+    // DocumentLoader detach.
+    // TODO(crbug.com/868592) Fix this properly.
+    ScriptForbiddenScope forbid;
+
    ScriptState* state = resolver_->GetScriptState();
    ScriptState::Scope scope(state);
    resolver_->Reject(V8ThrowException::CreateTypeError(state->GetIsolate(),