authorYufeng Shen <miletus@chromium.org>2015-10-05 17:14:25 -0400
committerYufeng Shen <miletus@chromium.org>2015-10-05 21:16:21 +0000
commita95922813f1007c6f0d9719649785c191f89e97c (patch)
treec6b8c657d538d6332769c81014e516140f786b22
parentf29861a9e03c5a1d916255404db649465bffd2f5 (diff)
Don't early out in OnSwapCompositorFrame() if LatencyInfo::Verify() fails
LatencyInfo::Verify(vector<LatencyInfo>&) checks the size of the vector to rule out a potentially compromised renderer sending a large malicious payload through the LatencyInfo IPC. We ran into the problem that an extremely slow renderer can also accumulate a large number of LatencyInfo entries that exceeds our threshold. In this case, let's only clear that vector<LatencyInfo> but not early out in the browser-side compositor frame processing, which might stall the whole rendering pipeline. Also issue a global-scope instant trace event to mark that something is really going wrong here. BUG=529820 Review URL: https://codereview.chromium.org/1328403002 Cr-Commit-Position: refs/heads/master@{#348029} (cherry picked from commit f7e380105d04a24f518885b75e2e13f753c9cbdf) TBR=jdduke Review URL: https://codereview.chromium.org/1387943002 . Cr-Commit-Position: refs/branch-heads/2490@{#489} Cr-Branched-From: 7790a3535f2a81a03685eca31a32cf69ae0c114f-refs/heads/master@{#344925}
-rw-r--r--content/browser/renderer_host/render_widget_host_impl.cc5
-rw-r--r--ui/events/latency_info.cc3
2 files changed, 6 insertions, 2 deletions
diff --git a/content/browser/renderer_host/render_widget_host_impl.cc b/content/browser/renderer_host/render_widget_host_impl.cc
index 8ea74c7..837d944 100644
--- a/content/browser/renderer_host/render_widget_host_impl.cc
+++ b/content/browser/renderer_host/render_widget_host_impl.cc
@@ -1435,8 +1435,9 @@ bool RenderWidgetHostImpl::OnSwapCompositorFrame(
messages_to_deliver_with_frame.swap(base::get<2>(param));
if (!ui::LatencyInfo::Verify(frame->metadata.latency_info,
- "RenderWidgetHostImpl::OnSwapCompositorFrame"))
- return false;
+ "RenderWidgetHostImpl::OnSwapCompositorFrame")) {
+ std::vector<ui::LatencyInfo>().swap(frame->metadata.latency_info);
+ }
latency_tracker_.OnSwapCompositorFrame(&frame->metadata.latency_info);
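Review bot: Nothing in the new code at the swap line records why a Verify() failure no longer rejects the frame, so the next reader sees a size check whose failure is quietly tolerated; add a comment above it such as `// A slow renderer can legitimately exceed kMaxLatencyInfoNumber (crbug.com/529820): drop the latency info but keep processing the frame so the pipeline does not stall. The size bound still holds because the oversized vector is released here and nothing downstream sees it.`. Verify() exists to bound payloads from a compromised renderer, and I cannot tell from the hunk whether the caller previously treated the false return as a bad-message signal; if it did, that should be stated in the same comment so the trade-off is visible in the code and not only in the commit message. The swap-with-temporary releases the vector's capacity rather than just clearing it, which is a reasonable choice for an oversized payload but is not what `.clear()` does, so either say so in the comment or use `.clear()` if capacity release is not the intent. OnSwapCompositorFrame starts before and continues past this hunk.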
diff --git a/ui/events/latency_info.cc b/ui/events/latency_info.cc
index 3225001..fb55bc4 100644
--- a/ui/events/latency_info.cc
+++ b/ui/events/latency_info.cc
@@ -154,6 +154,9 @@ bool LatencyInfo::Verify(const std::vector<LatencyInfo>& latency_info,
if (latency_info.size() > kMaxLatencyInfoNumber) {
LOG(ERROR) << referring_msg << ", LatencyInfo vector size "
<< latency_info.size() << " is too big.";
+ TRACE_EVENT_INSTANT1("input,benchmark", "LatencyInfo::Verify Fails",
+ TRACE_EVENT_SCOPE_GLOBAL,
+ "size", latency_info.size());
return false;
}
return true;
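Review bot: With the browser-side caller no longer rejecting the frame, Verify() can now return false on every frame from a slow but honest renderer, so the LOG(ERROR) directly above the new trace event may fire per frame; consider rate-limiting it or lowering its severity while keeping the instant trace event as the per-occurrence signal, which is the right place for a per-frame record. The trace carries only the size, whereas the log also carries referring_msg; if the trace is meant to be the primary diagnostic, recording which caller tripped the check there too would make the two consistent, but that depends on the type of referring_msg, which is outside the hunk. LatencyInfo::Verify starts before this hunk.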