Scroll anchor restore triggers CHECK in WindowProxy::SetGlobalProxy |
|||
Issue descriptionSee https://crash.corp.google.com/browse?q=reportid=%278b669f1ead7b0f9e%27 for an example crash. Currently, in WebFrame::Swap, when going from remote to local, we have a period of time where we expect script not to run. If script does run during this time, it will prematurely cause initialization of the WindowProxy, potentially breaking any existing references to the window object. Scroll anchor restore seems to require a v8 context, which is somewhat surprising: I guess this is due to its use of querySelector(). pnoland, is there a way to avoid having to use v8 in this context? We could likely fix it by simply updating the WindowProxy objects earlier; however, it would be nice to avoid running script in here if possible. In addition, it seems like this would force initialization of the WindowProxy on pages that might not otherwise use JS. For reference, the stack for premature initialization look something like this: [0] 0x5a75dbf0 {chrome_child.dll!base::debug::StackTrace::StackTrace(unsigned int count), Line 286} void * [1] 0x5a75dbbd {chrome_child.dll!base::debug::StackTrace::StackTrace(void), Line 199} void * [2] 0x5a8b5626 {chrome_child.dll!blink::WindowProxy::InitializeIfNeeded(void), Line 156} void * [3] 0x5a8b5498 {chrome_child.dll!blink::Frame::GetWindowProxy(blink::DOMWrapperWorld & world), Line 168} void * [4] 0x5a8b5402 {chrome_child.dll!blink::ToScriptState(blink::LocalFrame * frame, blink::DOMWrapperWorld & world), Line 748} void * [5] 0x5a8b53c3 {chrome_child.dll!blink::ToScriptStateForMainWorld(blink::LocalFrame * frame), Line 753} void * [6] 0x5c715aab {chrome_child.dll!blink::ScrollAnchor::RestoreAnchor(const blink::ScrollAnchor::SerializedAnchor & serialized_anchor), Line 476} void * [7] 0x5a9b23b6 {chrome_child.dll!blink::FrameLoader::RestoreScrollPositionAndViewState(blink::FrameLoadType load_type, blink::HistoryLoadType history_load_type, blink::HistoryItem::ViewState * view_state, blink::HistoryScrollRestorationType scroll_restoration_type), Line 1220} void * [8] 0x5a813c54 {chrome_child.dll!blink::FrameLoader::RestoreScrollPositionAndViewState(void), Line 1170} void * [9] 0x5a814711 {chrome_child.dll!blink::LocalFrameView::SetFrameRect(const blink::IntRect & frame_rect), Line 590} void * [10] 0x5aaa0bd3 {chrome_child.dll!blink::LayoutEmbeddedContent::UpdateGeometry(blink::EmbeddedContentView & embedded_content_view), Line 361} void * [11] 0x5aa95e9f {chrome_child.dll!blink::LayoutEmbeddedContent::UpdateOnEmbeddedContentViewChange(void), Line 325} void * [12] 0x5a9a77b8 {chrome_child.dll!blink::HTMLFrameOwnerElement::SetEmbeddedContentView(blink::EmbeddedContentView * embedded_content_view), Line 265} void * [13] 0x5c5b5511 {chrome_child.dll!blink::WebFrame::Swap(blink::WebFrame * frame), Line 111} void * [14] 0x5c91c2aa {chrome_child.dll!content::RenderFrameImpl::SwapIn(void), Line 5712} void * [15] 0x5c920bf1 {chrome_child.dll!content::RenderFrameImpl::DidCommitProvisionalLoad(const blink::WebHistoryItem & item, blink::WebHistoryCommitType commit_type, blink::WebGlobalObjectReusePolicy global_object_reuse_policy), Line 4182} void * [16] 0x5d15a337 {chrome_child.dll!blink::LocalFrameClientImpl::DispatchDidCommitLoad(blink::HistoryItem * item, blink::HistoryCommitType commit_type, blink::WebGlobalObjectReusePolicy global_object_reuse_policy), Line 447} void * [17] 0x5c76c507 {chrome_child.dll!blink::DocumentLoader::DidCommitNavigation(blink::WebGlobalObjectReusePolicy global_object_reuse_policy), Line 956} void * [18] 0x5c76c2cd {chrome_child.dll!blink::DocumentLoader::InstallNewDocument(const blink::KURL & url, blink::Document * owner_document, blink::WebGlobalObjectReusePolicy global_object_reuse_policy, const WTF::AtomicString & mime_type, const WTF::AtomicString & encoding, blink::DocumentLoader::InstallNewDocumentReason reason, blink::ParserSynchronizationPolicy parsing_policy, const blink::KURL & overriding_url), Line 1088} void * [19] 0x5a7696dd {chrome_child.dll!blink::DocumentLoader::CommitNavigation(const WTF::AtomicString & mime_type, const blink::KURL & overriding_url), Line 693} void * [20] 0x5a892d72 {chrome_child.dll!blink::DocumentLoader::CommitData(const char * bytes, unsigned int length), Line 706} void * [21] 0x5a892cfb {chrome_child.dll!blink::DocumentLoader::ProcessData(const char * data, unsigned int length), Line 761} void * [22] 0x5a892b74 {chrome_child.dll!blink::DocumentLoader::DataReceived(blink::Resource * resource, const char * data, unsigned int length), Line 740} void * [23] 0x5a892a86 {chrome_child.dll!blink::Resource::AppendData(const char * data, unsigned int length), Line 401} void * [24] 0x5a8928c3 {chrome_child.dll!blink::RawResource::AppendData(const char * data, unsigned int length), Line 143} void * [25] 0x5a891e5b {chrome_child.dll!content::WebURLLoaderImpl::Context::OnReceivedData(std::unique_ptr<content::RequestPeer::ReceivedData,std::default_delete<content::RequestPeer::ReceivedData> >), Line 923} void * [26] 0x5c950219 {chrome_child.dll!content::WebURLLoaderImpl::Context::HandleDataURL(void), Line 1076} void * [27] 0x5a69a8d9 {chrome_child.dll!base::debug::TaskAnnotator::RunTask(const char * queue_function, base::PendingTask * pending_task), Line 53} void * [28] 0x5a6bd11f {chrome_child.dll!blink::scheduler::internal::ThreadControllerImpl::DoWork(blink::scheduler::internal::Sequence::WorkType work_type), Line 162} void * [29] 0x5a6bd4d1 {chrome_child.dll!base::internal::Invoker<base::internal::BindState<void (media::AudioRendererImpl::*)(media::BufferingState) __attribute__((thiscall)),base::WeakPtr<media::AudioRendererImpl>,media::BufferingState>,void ()>::Run(base::internal::BindStateBase * base), Line 353} void * [30] 0x5a69a8d9 {chrome_child.dll!base::debug::TaskAnnotator::RunTask(const char * queue_function, base::PendingTask * pending_task), Line 53} void * [31] 0x5a69a833 {chrome_child.dll!base::internal::IncomingTaskQueue::RunTask(base::PendingTask * pending_task), Line 125} void * [32] 0x5a69a386 {chrome_child.dll!base::MessageLoop::RunTask(base::PendingTask * pending_task), Line 395} void * [33] 0x5a69a1a7 {chrome_child.dll!base::MessageLoop::DeferOrRunPendingTask(base::PendingTask pending_task), Line 407} void * [34] 0x5a69202e {chrome_child.dll!base::MessageLoop::DoWork(void), Line 451} void * [35] 0x5a691f37 {chrome_child.dll!base::MessagePumpDefault::Run(base::MessagePump::Delegate * delegate), Line 38} void * [36] 0x5a691e8f {chrome_child.dll!base::MessageLoop::Run(bool), Line 346} void * [37] 0x5a691cee {chrome_child.dll!base::RunLoop::Run(void), Line 139} void * [38] 0x5a682630 {chrome_child.dll!content::RendererMain(const content::MainFunctionParams & parameters), Line 241} void * [39] 0x5a68226b {chrome_child.dll!content::RunNamedProcessTypeMain(const std::basic_string<char,std::char_traits<char>,std::allocator<char> > & process_type, const content::MainFunctionParams & main_function_params, content::ContentMainDelegate * delegate), Line 423} void * [40] 0x5a67ca8e {chrome_child.dll!content::ContentMainRunnerImpl::Run(void), Line 713} void * [41] 0x5a6545a6 {chrome_child.dll!service_manager::Main(const service_manager::MainParams & params), Line 456} void * [42] 0x5a654277 {chrome_child.dll!content::ContentMain(const content::ContentMainParams & params), Line 19} void * [43] 0x5a651910 {chrome_child.dll!ChromeMain(HINSTANCE__ * instance, sandbox::SandboxInterfaceInfo * sandbox_info, __int64 exe_entry_point_ticks), Line 147} void * [44] 0x00022f6e {chrome.exe!MainDllLoader::Launch(HINSTANCE__ * instance, base::TimeTicks), Line 199} void * [45] 0x00021467 {chrome.exe!wWinMain(HINSTANCE__ * instance, HINSTANCE__ * prev, wchar_t *, int), Line 231} void * [46] 0x000e17a8 {chrome.exe!__scrt_common_main_seh(void), Line 283} void * [47] 0x759a1194 {Inside kernel32.dll!@BaseThreadInitThunk@12 ()} void * [48] 0x7738b429 {Inside ntdll.dll!___RtlUserThreadStart@8 ()} void * [49] 0x7738b3fc {Inside ntdll.dll!__RtlUserThreadStart@8 ()} void *
,
Feb 13 2018
,
Feb 26 2018
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/4d4df345da7dd17a7143063d0e0f22b4a3a8f652 commit 4d4df345da7dd17a7143063d0e0f22b4a3a8f652 Author: Patrick Noland <pnoland@chromium.org> Date: Mon Feb 26 19:25:56 2018 Fix several scroll anchor serialization bugs 1) Fix crashes caused by premature/forbidden usage of javascript. Given that we don't need or want to produce a real exception, this is accomplished using DummyExceptionStateForTesting. 2) Add checks for layoutBox() truthiness. 3) Save the relative offset in FindAnchor so that it updates properly. 4) Make the implementation work nicely with root layer scrolling by adding RestoreAnchor to ScrollableArea, implementing it on PaintLayerScrollableArea, and calling restore on the view's LayoutViewportScrollableArea. Bug: 810161, 810897 , 810474 Cq-Include-Trybots: master.tryserver.blink:linux_trusty_blink_rel;master.tryserver.chromium.linux:linux_layout_tests_slimming_paint_v2 Change-Id: I820e572cef543ed85156622fd574684109488eec Reviewed-on: https://chromium-review.googlesource.com/922384 Commit-Queue: Patrick Noland <pnoland@google.com> Reviewed-by: Daniel Cheng <dcheng@chromium.org> Reviewed-by: Jochen Eisinger <jochen@chromium.org> Reviewed-by: Steve Kobes <skobes@chromium.org> Cr-Commit-Position: refs/heads/master@{#539230} [modify] https://crrev.com/4d4df345da7dd17a7143063d0e0f22b4a3a8f652/content/browser/session_history_browsertest.cc [modify] https://crrev.com/4d4df345da7dd17a7143063d0e0f22b4a3a8f652/content/browser/site_per_process_browsertest.cc [add] https://crrev.com/4d4df345da7dd17a7143063d0e0f22b4a3a8f652/content/test/data/page_with_samesite_iframe.html [modify] https://crrev.com/4d4df345da7dd17a7143063d0e0f22b4a3a8f652/third_party/WebKit/Source/core/frame/LocalFrameView.cpp [modify] https://crrev.com/4d4df345da7dd17a7143063d0e0f22b4a3a8f652/third_party/WebKit/Source/core/frame/LocalFrameView.h [modify] https://crrev.com/4d4df345da7dd17a7143063d0e0f22b4a3a8f652/third_party/WebKit/Source/core/layout/ScrollAnchor.cpp [modify] https://crrev.com/4d4df345da7dd17a7143063d0e0f22b4a3a8f652/third_party/WebKit/Source/core/layout/ScrollAnchor.h [modify] https://crrev.com/4d4df345da7dd17a7143063d0e0f22b4a3a8f652/third_party/WebKit/Source/core/layout/ScrollAnchorTest.cpp [modify] https://crrev.com/4d4df345da7dd17a7143063d0e0f22b4a3a8f652/third_party/WebKit/Source/core/loader/FrameLoader.cpp [modify] https://crrev.com/4d4df345da7dd17a7143063d0e0f22b4a3a8f652/third_party/WebKit/Source/core/paint/PaintLayerScrollableArea.cpp [modify] https://crrev.com/4d4df345da7dd17a7143063d0e0f22b4a3a8f652/third_party/WebKit/Source/core/paint/PaintLayerScrollableArea.h [modify] https://crrev.com/4d4df345da7dd17a7143063d0e0f22b4a3a8f652/third_party/WebKit/Source/platform/scroll/ScrollableArea.h
,
Feb 27 2018
|
|||
►
Sign in to add a comment |
|||
Comment 1 by pnoland@chromium.org
, Feb 12 2018