FontResource load limit timers may be restarted during loading |
|||||||||
Issue descriptionIn FontResource::startLoadLimitTimersIfNeeded(), the check if (isLoaded() || m_fontLoadLongLimitTimer.isActive()) return; is bypassed if called during loading and after |m_fontLoadLongLimitTimer| fired. This is possible when a RemoteFontFaceSource reuses the same FontResource instance from memory cache, and RemoteFontFaceSource::beginLoadIfNeeded() is called on style recalc. In this case the DCHECK will fail in debug builds, but in release builds the timers are restarted and will corrupt the state of RemoteFontFaceSource, including UMA histograms we are collecting. Running a layout test with the attached HTML will reproduce the crash. Put it under third_party/WebKit/LayoutTests/http/tests/webfont/ to use slow-ahem-loading.cgi. Not sure if there are security implications, restricting view. Stack trace of a crash instance: [1:1:1012/184537:111257118395:FATAL:FontResource.cpp(116)] Check failed: m_loadLimitState == UnderLimit (2 vs. 0) #0 0x7f5a84af2c3e base::debug::StackTrace::StackTrace() #1 0x7f5a84b60b8f logging::LogMessage::~LogMessage() #2 0x7f5a7c6ecd71 blink::FontResource::startLoadLimitTimersIfNeeded() #3 0x7f5a7c1f09e2 blink::RemoteFontFaceSource::beginLoadIfNeeded() #4 0x7f5a7c119365 blink::CSSFontFace::load() #5 0x7f5a7c1191ac blink::CSSFontFace::maybeLoadFont() #6 0x7f5a7c165ceb blink::CSSSegmentedFontFace::willUseFontData() #7 0x7f5a7c124e90 blink::CSSFontSelector::willUseFontData() #8 0x7f5a8094ba21 blink::Font::willUseFontData() #9 0x7f5a7cd78fa2 blink::LayoutText::styleDidChange() #10 0x7f5a7cd2eaf3 blink::LayoutObject::setStyle() #11 0x7f5a7c42bf11 blink::LayoutTreeBuilderForText::createLayoutObject() #12 0x7f5a7c4d92e1 blink::Text::attachLayoutTree() #13 0x7f5a7c322331 blink::ContainerNode::attachLayoutTree() #14 0x7f5a7c3d430a blink::Element::attachLayoutTree() #15 0x7f5a7c45334a blink::Node::reattachLayoutTree() #16 0x7f5a7c3d6ce0 blink::Element::rebuildLayoutTree() #17 0x7f5a7c3d6201 blink::Element::recalcOwnStyle() #18 0x7f5a7c3d5958 blink::Element::recalcStyle() #19 0x7f5a7c324a4e blink::ContainerNode::recalcDescendantStyles() #20 0x7f5a7c3d5a90 blink::Element::recalcStyle() #21 0x7f5a7c324a4e blink::ContainerNode::recalcDescendantStyles() #22 0x7f5a7c3d5a90 blink::Element::recalcStyle() #23 0x7f5a7c324a4e blink::ContainerNode::recalcDescendantStyles() #24 0x7f5a7c3d5a90 blink::Element::recalcStyle() #25 0x7f5a7c35f7b2 blink::Document::updateStyle() #26 0x7f5a7c35b8ad blink::Document::updateStyleAndLayoutTree() #27 0x7f5a7c781d9e blink::FrameView::updateStyleAndLayoutIfNeededRecursiveInternal() #28 0x7f5a7c78060e blink::FrameView::updateStyleAndLayoutIfNeededRecursive() #29 0x7f5a7c77f623 blink::FrameView::updateLifecyclePhasesInternal() #30 0x7f5a7c77f302 blink::FrameView::updateAllLifecyclePhases() #31 0x7f5a7cf44c6a blink::PageAnimator::updateAllLifecyclePhases() #32 0x7f5a7f232a25 blink::PageWidgetDelegate::updateAllLifecyclePhases() #33 0x7f5a7f323b71 blink::WebViewImpl::updateAllLifecyclePhases() #34 0x7f5a7ed84409 test_runner::WebWidgetTestClient::AnimateNow() (truncated)
,
Oct 13 2016
Thanks for filing this bug. DCHECK failure is not considered a security bug, removing Restrict-View-Google tag.
,
Oct 13 2016
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/6b2d64014d739051f120dc38df46ac73a469270d commit 6b2d64014d739051f120dc38df46ac73a469270d Author: shaochuan <shaochuan@chromium.org> Date: Thu Oct 13 13:03:25 2016 Prevent FontResource load limit timers from restarting during loading FontResource::startLoadLimitTimersIfNeeded() was called from RemoteFontFaceSource::beginLoadIfNeeded() on each style recalc, and bypasses checks if called when FontResource is still loading and long limit timer has fired. This may cause RemoteFontFaceSource callbacks to be called more than once and in turn corrupt its internal state. Now we start timers only after actual load of FontResource is started. BUG= 655076 Review-Url: https://codereview.chromium.org/2419753002 Cr-Commit-Position: refs/heads/master@{#425010} [add] https://crrev.com/6b2d64014d739051f120dc38df46ac73a469270d/third_party/WebKit/LayoutTests/http/tests/webfont/crbug-655076-expected.txt [add] https://crrev.com/6b2d64014d739051f120dc38df46ac73a469270d/third_party/WebKit/LayoutTests/http/tests/webfont/crbug-655076.html [modify] https://crrev.com/6b2d64014d739051f120dc38df46ac73a469270d/third_party/WebKit/Source/core/css/RemoteFontFaceSource.cpp [modify] https://crrev.com/6b2d64014d739051f120dc38df46ac73a469270d/third_party/WebKit/Source/core/fetch/FontResource.cpp [modify] https://crrev.com/6b2d64014d739051f120dc38df46ac73a469270d/third_party/WebKit/Source/core/fetch/FontResource.h
,
Oct 17 2016
,
Oct 19 2016
,
Oct 19 2016
Your change meets the bar and is auto-approved for M55 (branch: 2883)
,
Oct 20 2016
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/ed25c977e0d9c92aa15824a3722a7627f99fb8d1 commit ed25c977e0d9c92aa15824a3722a7627f99fb8d1 Author: Takashi Toyoshima <toyoshim@chromium.org> Date: Thu Oct 20 04:53:36 2016 Prevent FontResource load limit timers from restarting during loading FontResource::startLoadLimitTimersIfNeeded() was called from RemoteFontFaceSource::beginLoadIfNeeded() on each style recalc, and bypasses checks if called when FontResource is still loading and long limit timer has fired. This may cause RemoteFontFaceSource callbacks to be called more than once and in turn corrupt its internal state. Now we start timers only after actual load of FontResource is started. BUG= 655076 Review-Url: https://codereview.chromium.org/2419753002 Cr-Commit-Position: refs/heads/master@{#425010} (cherry picked from commit 6b2d64014d739051f120dc38df46ac73a469270d) R=shaochuan@chromium.org TBR=toyoshim@chromium.org Review URL: https://codereview.chromium.org/2438003002 . Cr-Commit-Position: refs/branch-heads/2883@{#205} Cr-Branched-From: 614d31daee2f61b0180df403a8ad43f20b9f6dd7-refs/heads/master@{#423768} [add] https://crrev.com/ed25c977e0d9c92aa15824a3722a7627f99fb8d1/third_party/WebKit/LayoutTests/http/tests/webfont/crbug-655076-expected.txt [add] https://crrev.com/ed25c977e0d9c92aa15824a3722a7627f99fb8d1/third_party/WebKit/LayoutTests/http/tests/webfont/crbug-655076.html [modify] https://crrev.com/ed25c977e0d9c92aa15824a3722a7627f99fb8d1/third_party/WebKit/Source/core/css/RemoteFontFaceSource.cpp [modify] https://crrev.com/ed25c977e0d9c92aa15824a3722a7627f99fb8d1/third_party/WebKit/Source/core/fetch/FontResource.cpp [modify] https://crrev.com/ed25c977e0d9c92aa15824a3722a7627f99fb8d1/third_party/WebKit/Source/core/fetch/FontResource.h
,
Oct 21 2016
,
Oct 27 2016
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/ed25c977e0d9c92aa15824a3722a7627f99fb8d1 commit ed25c977e0d9c92aa15824a3722a7627f99fb8d1 Author: Takashi Toyoshima <toyoshim@chromium.org> Date: Thu Oct 20 04:53:36 2016 Prevent FontResource load limit timers from restarting during loading FontResource::startLoadLimitTimersIfNeeded() was called from RemoteFontFaceSource::beginLoadIfNeeded() on each style recalc, and bypasses checks if called when FontResource is still loading and long limit timer has fired. This may cause RemoteFontFaceSource callbacks to be called more than once and in turn corrupt its internal state. Now we start timers only after actual load of FontResource is started. BUG= 655076 Review-Url: https://codereview.chromium.org/2419753002 Cr-Commit-Position: refs/heads/master@{#425010} (cherry picked from commit 6b2d64014d739051f120dc38df46ac73a469270d) R=shaochuan@chromium.org TBR=toyoshim@chromium.org Review URL: https://codereview.chromium.org/2438003002 . Cr-Commit-Position: refs/branch-heads/2883@{#205} Cr-Branched-From: 614d31daee2f61b0180df403a8ad43f20b9f6dd7-refs/heads/master@{#423768} [add] https://crrev.com/ed25c977e0d9c92aa15824a3722a7627f99fb8d1/third_party/WebKit/LayoutTests/http/tests/webfont/crbug-655076-expected.txt [add] https://crrev.com/ed25c977e0d9c92aa15824a3722a7627f99fb8d1/third_party/WebKit/LayoutTests/http/tests/webfont/crbug-655076.html [modify] https://crrev.com/ed25c977e0d9c92aa15824a3722a7627f99fb8d1/third_party/WebKit/Source/core/css/RemoteFontFaceSource.cpp [modify] https://crrev.com/ed25c977e0d9c92aa15824a3722a7627f99fb8d1/third_party/WebKit/Source/core/fetch/FontResource.cpp [modify] https://crrev.com/ed25c977e0d9c92aa15824a3722a7627f99fb8d1/third_party/WebKit/Source/core/fetch/FontResource.h
,
Nov 4 2016
[Automated comment] removing mislabelled merge-merged-2840
,
Nov 4 2016
[Automated comment] removing mislabelled merge-merged-2840 |
|||||||||
►
Sign in to add a comment |
|||||||||
Comment 1 by shaochuan@chromium.org
, Oct 12 2016Status: Started (was: Untriaged)