Prevent reentrancy crash in ScrollAnchorAdjustment

CHECKs proved this to be the cause of the crash in the bug. While there are some suggested fixes in the bug that are preferable, this patch patch simply avoids reentering PerformScrollAnchoringAdjustments which will prevent the crash. Bug: 745686 Change-Id: Ic2a156cb344b6b32e5aa4d5c3164421a033c757e Reviewed-on: https://chromium-review.googlesource.com/657600Reviewed-by: Steve Kobes <skobes@chromium.org> Commit-Queue: David Bokan <bokan@chromium.org> Cr-Commit-Position: refs/heads/master@{#501549}

Prevent reentrancy crash in ScrollAnchorAdjustment
CHECKs proved this to be the cause of the crash in the bug. While there are some suggested fixes in the bug that are preferable, this patch patch simply avoids reentering PerformScrollAnchoringAdjustments which will prevent the crash. Bug: 745686 Change-Id: Ic2a156cb344b6b32e5aa4d5c3164421a033c757e Reviewed-on: https://chromium-review.googlesource.com/657600Reviewed-by: Steve Kobes <skobes@chromium.org> Commit-Queue: David Bokan <bokan@chromium.org> Cr-Commit-Position: refs/heads/master@{#501549}
eb6e9c67 · David Bokan · Commit Bot · bc49021b · eb6e9c67 · eb6e9c67
Commit eb6e9c67 authored Sep 13, 2017 by David Bokan Committed by Commit Bot Sep 13, 2017
2 changed files
--- a/third_party/WebKit/Source/core/frame/LocalFrameView.cpp
+++ b/third_party/WebKit/Source/core/frame/LocalFrameView.cpp
@@ -209,7 +209,6 @@ LocalFrameView::LocalFrameView(LocalFrame& frame, IntRect frame_rect)
          DocumentLifecycle::kUninitialized),
      past_layout_lifecycle_update_(false),
      scroll_anchor_(this),
-      in_perform_scroll_anchoring_adjustments_(false),
      scrollbar_manager_(*this),
      needs_scrollbars_update_(false),
      suppress_adjust_view_size_(false),
@@ -3276,20 +3275,18 @@ void LocalFrameView::EnqueueScrollAnchoringAdjustment(
 }
 void LocalFrameView::PerformScrollAnchoringAdjustments() {
-  // TODO(bokan): Temporary to get more information about crash in
+  // Adjust() will cause a scroll which could end up causing a layout and
-  // crbug.com/745686.
+  // reentering this method. Copy and clear the queue so we don't modify it
-  CHECK(!in_perform_scroll_anchoring_adjustments_);
+  // during iteration.
-  in_perform_scroll_anchoring_adjustments_ = true;
+  AnchoringAdjustmentQueue queue_copy = anchoring_adjustment_queue_;
+  anchoring_adjustment_queue_.clear();
-  for (WeakMember<ScrollableArea>& scroller : anchoring_adjustment_queue_) {
+  for (WeakMember<ScrollableArea>& scroller : queue_copy) {
    if (scroller) {
      DCHECK(scroller->GetScrollAnchor());
      scroller->GetScrollAnchor()->Adjust();
    }
  }
-  anchoring_adjustment_queue_.clear();
-  in_perform_scroll_anchoring_adjustments_ = false;
 }
 void LocalFrameView::PrePaint() {

--- a/third_party/WebKit/Source/core/frame/LocalFrameView.h
+++ b/third_party/WebKit/Source/core/frame/LocalFrameView.h
@@ -1219,10 +1219,6 @@ class CORE_EXPORT LocalFrameView final
      HeapLinkedHashSet<WeakMember<ScrollableArea>>;
  AnchoringAdjustmentQueue anchoring_adjustment_queue_;
-  // TODO(bokan): Temporary to get more information about crash in
-  // crbug.com/745686.
-  bool in_perform_scroll_anchoring_adjustments_;
  // ScrollbarManager holds the Scrollbar instances.
  ScrollbarManager scrollbar_manager_;