Chromium Code Reviews

Issue 1756483004: Fix use-after-free when navigating a subframe to about:blank. (Closed)

Created:
4 years, 9 months ago by nasko
Modified:
4 years, 9 months ago
Reviewers:
Nate Chapin, dcheng
CC:
chromium-reviews, creis+watch_chromium.org, darin-cc_chromium.org, jam, mkwst+moarreviews-renderer_chromium.org, mlamouri+watch-content_chromium.org, nasko+codewatch_chromium.org, site-isolation-reviews_chromium.org
Base URL:
https://chromium.googlesource.com/chromium/src.git@master
Target Ref:
refs/pending/heads/master
Project:
chromium
Visibility:
Public.

Description

Fix use-after-free when navigating a subframe to about:blank.

Navigation to about:blank is a synchronous navigation. If the parent frame has registered a load event handler for the frame and removes it from the DOM, it will result in RenderFrame being deleted while still being on the stack. This CL is fixing this by returning immediately if the object is destructed as part of the navigation.

BUG=571166, 591341

Committed: https://crrev.com/13b8e77d00895fd3d24aaef7f32eeb4adb68a080
Cr-Commit-Position: refs/heads/master@{#379060}

Patch Set 1 #

Total comments: 6

Patch Set 2 : Fixes based on Daniel's review. #

Total comments: 1
Stats: +59 lines, -0 lines
M content/browser/site_per_process_browsertest.cc (1 chunk, +31 lines, -0 lines, 1 comment)
M content/renderer/render_frame_impl.cc (1 chunk, +9 lines, -0 lines, 0 comments)
A content/test/data/remove_frame_on_load.html (1 chunk, +19 lines, -0 lines, 0 comments)

Messages

Total messages: 12 (4 generated)
nasko
Hey Daniel, Can you review this CL for me? We've discussed the fix on chat, ...
4 years, 9 months ago (2016-03-03 00:05:24 UTC) #2
dcheng
https://codereview.chromium.org/1756483004/diff/1/content/browser/site_per_process_browsertest.cc File content/browser/site_per_process_browsertest.cc (right): https://codereview.chromium.org/1756483004/diff/1/content/browser/site_per_process_browsertest.cc#newcode4762 content/browser/site_per_process_browsertest.cc:4762: base::StringPrintf("f.src = '%s'", url::kAboutBlankURL))); So this navigation is sync? ...
4 years, 9 months ago (2016-03-03 00:46:59 UTC) #3
nasko
https://codereview.chromium.org/1756483004/diff/1/content/browser/site_per_process_browsertest.cc File content/browser/site_per_process_browsertest.cc (right): https://codereview.chromium.org/1756483004/diff/1/content/browser/site_per_process_browsertest.cc#newcode4762 content/browser/site_per_process_browsertest.cc:4762: base::StringPrintf("f.src = '%s'", url::kAboutBlankURL))); On 2016/03/03 00:46:59, dcheng wrote: ...
4 years, 9 months ago (2016-03-03 16:59:18 UTC) #4
dcheng
I thought I sent this out already but lgtm +japhet, is there anything in the ...
4 years, 9 months ago (2016-03-03 18:24:16 UTC) #6
Nate Chapin
On 2016/03/03 18:24:16, dcheng wrote: > I thought I sent this out already but lgtm ...
4 years, 9 months ago (2016-03-03 19:04:45 UTC) #7
commit-bot: I haz the power
CQ is trying da patch. Follow status at https://chromium-cq-status.appspot.com/patch-status/1756483004/20001 View timeline at https://chromium-cq-status.appspot.com/patch-timeline/1756483004/20001
4 years, 9 months ago (2016-03-03 19:35:28 UTC) #9
commit-bot: I haz the power
Committed patchset #2 (id:20001)
4 years, 9 months ago (2016-03-03 19:41:43 UTC) #10
commit-bot: I haz the power
4 years, 9 months ago (2016-03-03 19:45:16 UTC) #12
Message was sent while issue was closed.
Patchset 2 (id:??) landed as
https://crrev.com/13b8e77d00895fd3d24aaef7f32eeb4adb68a080
Cr-Commit-Position: refs/heads/master@{#379060}
