[mac triage]

I'd like the SiteIsolation team to triage this.

spqchan@ - ojan@ assigned a component to this bug. However because we've never confirmed that this component area has a bug triage process, this bug remains in our untriaged queue. erikchen@ has updated our bug triage doc to discuss figuring out if a component area has an active bug triage process (please see the section "Passing the bug to another triage queue").

I've managed to reproduce it (it doesn't always happens, the frame that's stuck is the add below the "Customers Viewing This Page May Be Interested In These Sponsored Links", so depending on which ad loads it may or may not happen.

I reproduced it on windows, but it shouldn't be platform-dependent.

The callstack is:

>	chrome_child.dll!blink::RootScrollerController::isViewportScrollCallback(const blink::ScrollStateCallback * callback) Line 170	C++
 	chrome_child.dll!blink::Element::callDistributeScroll(blink::ScrollState & scrollState) Line 537	C++
 	chrome_child.dll!blink::ScrollState::distributeToScrollChainDescendant() Line 81	C++
 	chrome_child.dll!blink::ScrollManager::customizedScroll(const blink::Node & startNode, blink::ScrollState & scrollState) Line 189	C++
 	chrome_child.dll!blink::ScrollManager::handleGestureScrollBegin(const blink::PlatformGestureEvent & gestureEvent) Line 221	C++
 	chrome_child.dll!blink::ScrollManager::handleGestureScrollEvent(const blink::PlatformGestureEvent & gestureEvent) Line 414	C++
 	chrome_child.dll!blink::EventHandler::handleGestureScrollEvent(const blink::PlatformGestureEvent & gestureEvent) Line 1725	C++
 	chrome_child.dll!blink::EventHandler::handleGestureEvent(const blink::PlatformGestureEvent & gestureEvent) Line 1685	C++
 	chrome_child.dll!blink::WebFrameWidgetImpl::handleGestureEvent(const blink::WebGestureEvent & event) Line 1028	C++
 	chrome_child.dll!blink::PageWidgetDelegate::handleInputEvent(blink::PageWidgetEventHandler & handler, const blink::WebInputEvent & event, blink::LocalFrame * root) Line 180	C++
 	chrome_child.dll!blink::WebFrameWidgetImpl::handleInputEvent(const blink::WebInputEvent & inputEvent) Line 386	C++
 	chrome_child.dll!content::RenderWidgetInputHandler::HandleInputEvent(const blink::WebInputEvent & input_event, const ui::LatencyInfo & latency_info, content::InputEventDispatchType dispatch_type) Line 325	C++
 	chrome_child.dll!content::RenderWidget::OnHandleInputEvent(const blink::WebInputEvent * input_event, const ui::LatencyInfo & latency_info, content::InputEventDispatchType dispatch_type) Line 676	C++
 	chrome_child.dll!IPC::MessageT<InputMsg_HandleInputEvent_Meta,std::tuple<blink::WebInputEvent const * __ptr64,ui::LatencyInfo,enum content::InputEventDispatchType>,void>::Dispatch<content::RenderWidget,content::RenderWidget,void,void (__cdecl content::RenderWidget::*)(blink::WebInputEvent const * __ptr64,ui::LatencyInfo const & __ptr64,enum content::InputEventDispatchType) __ptr64>(const IPC::Message * msg, content::RenderWidget * obj, content::RenderWidget * func, void *) Line 121	C++
 	chrome_child.dll!content::RenderWidget::OnMessageReceived(const IPC::Message & message) Line 478	C++


And the problem happens because m_document->topDocument() returns the same as m_document, which is not the top document. Document::topDocument() calls Document::localOwner(), which calls Frame::deprecatedLocalOwner which returns null, since the top document is remote (see https://cs.chromium.org/chromium/src/third_party/WebKit/Source/core/page/scrolling/RootScrollerController.cpp?l=162).

The only reason this goes to 100% cpu instead of crashing is because the call is tail optimized.

+bokan, can you take a look?

#4: s/add below/ad below/.

Actually, it doesn't really matter which ad loads, you just need to scroll any oopif and the renderer dies.

I tried reverting https://codereview.chromium.org/2293903002/, but the revert does not apply cleanly. bokan@, please try to prioritize this.

I'll get this fixed ASAP, looking now.

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/5e3154ffb1fc384d3a1529a3c5aa91ae83e50473

commit 5e3154ffb1fc384d3a1529a3c5aa91ae83e50473
Author: bokan <bokan@chromium.org>
Date: Tue Aug 30 17:57:59 2016

Fix crash when scrolling in a remote process frame

This is occurring because we try to get the RootScrollerController from the top
level Document by calling topDocument(). Since we're in a remote Frame though,
topDocument returns the current RootScrollerController's Document and so we
infinitely recurse into isViewportScrollCallback.

This is a quick fix to the problem while I come up with a better long term
solution for OOPIFs.

BUG= 641775 

Review-Url: https://codereview.chromium.org/2290353002
Cr-Commit-Position: refs/heads/master@{#415348}

[modify] https://crrev.com/5e3154ffb1fc384d3a1529a3c5aa91ae83e50473/third_party/WebKit/Source/core/page/scrolling/RootScrollerController.cpp
[modify] https://crrev.com/5e3154ffb1fc384d3a1529a3c5aa91ae83e50473/third_party/WebKit/Source/core/page/scrolling/TopDocumentRootScrollerController.h

This should now be fixed in ToT. I'll leave this open while I add some tests for remote frames in the RootScroller code today.

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/4e2f14c7363fe96556aff4f1e4ab44906ddbcd67

commit 4e2f14c7363fe96556aff4f1e4ab44906ddbcd67
Author: bokan <bokan@chromium.org>
Date: Fri Sep 02 22:11:53 2016

Add some basic sanity tests to RootScroller for cases with remote frames.

Added one test that deals with a remote iframe and another with a remote main
frame. RootScroller doesn't quite work in OOPIF scenarios yet but it's still
behind a flag so that's ok. These are mostly testing that we don't crash in the
normal case and that scrolling works ok.

BUG= 641775 

Review-Url: https://codereview.chromium.org/2290173004
Cr-Commit-Position: refs/heads/master@{#416364}

[modify] https://crrev.com/4e2f14c7363fe96556aff4f1e4ab44906ddbcd67/third_party/WebKit/Source/web/tests/RootScrollerTest.cpp
[modify] https://crrev.com/4e2f14c7363fe96556aff4f1e4ab44906ddbcd67/third_party/WebKit/Source/web/tests/data/root-scroller-child.html

Verified