Fix a nullptr deref in FontFaceSetDocument::LCPLimitReached()

FontFaceSetDocument::lcp_limit_timer_ can be fired after document shutdown, in which case GetDocument() returns a nullptr. This patch handles that to fix a crash. Bug: 1074714 Change-Id: I9895716b8694b25ec22f93016c349a8bd6018f53 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2168759 Auto-Submit: Xiaocheng Hu <xiaochengh@chromium.org> Reviewed-by: Rune Lillesveen <futhark@chromium.org> Commit-Queue: Xiaocheng Hu <xiaochengh@chromium.org> Cr-Commit-Position: refs/heads/master@{#763384}

Fix a nullptr deref in FontFaceSetDocument::LCPLimitReached()
FontFaceSetDocument::lcp_limit_timer_ can be fired after document shutdown, in which case GetDocument() returns a nullptr. This patch handles that to fix a crash. Bug: 1074714 Change-Id: I9895716b8694b25ec22f93016c349a8bd6018f53 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2168759 Auto-Submit: Xiaocheng Hu <xiaochengh@chromium.org> Reviewed-by: Rune Lillesveen <futhark@chromium.org> Commit-Queue: Xiaocheng Hu <xiaochengh@chromium.org> Cr-Commit-Position: refs/heads/master@{#763384}
df0eae72 · Xiaocheng Hu · Commit Bot · 75f36e7f · df0eae72 · df0eae72
Commit df0eae72 authored Apr 28, 2020 by Xiaocheng Hu Committed by Commit Bot Apr 28, 2020
2 changed files
--- a/third_party/blink/renderer/core/css/font_display_auto_lcp_align_test.cc
+++ b/third_party/blink/renderer/core/css/font_display_auto_lcp_align_test.cc
@@ -200,6 +200,40 @@ TEST_F(FontDisplayAutoLCPAlignFailureModeTest,
  EXPECT_FALSE(GetTargetFont().ShouldSkipDrawing());
 }

+// https://crbug.com/1065508
+TEST_F(FontDisplayAutoLCPAlignFailureModeTest,
+       TimeoutFiredAfterDocumentShutdown) {
+  SimRequest main_resource("https://example.com/", "text/html");
+  SimRequest font_resource("https://example.com/Ahem.woff2", "font/woff2");
+
+  LoadURL("https://example.com");
+  main_resource.Complete(R"HTML(
+    <!doctype html>
+    <style>
+      @font-face {
+        font-family: custom-font;
+        src: url(https://example.com/Ahem.woff2) format("woff2");
+      }
+      #target {
+        font: 25px/1 custom-font, monospace;
+      }
+    </style>
+    <span id=target style="position:relative">0123456789</span>
+  )HTML");
+
+  font_resource.Finish();
+
+  SimRequest next_page_resource("https://example2.com/", "text/html");
+  LoadURL("https://example2.com/");
+
+  // Wait until we reach the LCP limit, and the timeout for the previous
+  // document fires. Shouldn't crash here.
+  test::RunDelayedTasks(base::TimeDelta::FromMilliseconds(
+      features::kAlignFontDisplayAutoTimeoutWithLCPGoalTimeoutParam.Get()));
+
+  next_page_resource.Finish();
+}
+
 class FontDisplayAutoLCPAlignSwapModeTest
    : public FontDisplayAutoLCPAlignTestBase {
 public:

--- a/third_party/blink/renderer/core/css/font_face_set_document.cc
+++ b/third_party/blink/renderer/core/css/font_face_set_document.cc
@@ -241,7 +241,7 @@ size_t FontFaceSetDocument::ApproximateBlankCharacterCount(Document& document) {
 void FontFaceSetDocument::LCPLimitReached(TimerBase*) {
  DCHECK(base::FeatureList::IsEnabled(
      features::kAlignFontDisplayAutoTimeoutWithLCPGoal));
-  if (!GetDocument()->IsActive())
+  if (!GetDocument() || !GetDocument()->IsActive())
    return;
  has_reached_lcp_limit_ = true;
  for (FontFace* font_face : CSSConnectedFontFaceList())