content/browser/site_per_process_browsertest.cc - Issue 1756483004: Fix use-after-free when navigating a subframe to about:blank.

Keyboard Shortcuts

	File
u :	up to issue
j / k :	jump to file after / before current file
J / K :	jump to next file with a comment after / before current file
	Side-by-side diff
i :	toggle intra-line diffs
e :	expand all comments
c :	collapse all comments
s :	toggle showing all comments
n / p :	next / previous diff chunk or comment
N / P :	next / previous comment
<Up> / <Down> :	next / previous line

	Issue
u :	up to list of issues
j / k :	jump to patch after / before current patch
o / <Enter> :	open current patch in side-by-side view
i :	open current patch in unified diff view

	Issue List
j / k :	jump to issue after / before current issue
o / <Enter> :	open current issue

Unified Diff: content/browser/site_per_process_browsertest.cc

Issue 1756483004: Fix use-after-free when navigating a subframe to about:blank. (Closed) Base URL: https://chromium.googlesource.com/chromium/src.git@master

Patch Set: Fixes based on Daniel's review. Created 4 years, 10 months ago

Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.

Jump to:

View side-by-side diff with in-line comments

Download patch

Index: content/browser/site_per_process_browsertest.cc

diff --git a/content/browser/site_per_process_browsertest.cc b/content/browser/site_per_process_browsertest.cc

index c91e6b1592c5ed9150be7eb3b562882b55a28d60..6f112e56b5c581c31a86a66de9e0342f3ac6a557 100644

--- a/content/browser/site_per_process_browsertest.cc

+++ b/content/browser/site_per_process_browsertest.cc

@@ -4739,6 +4739,37 @@ IN_PROC_BROWSER_TEST_F(SitePerProcessBrowserTest,

EXPECT_EQ(1, child_count);

}

+// Similar to NavigateProxyAndDetachBeforeCommit, but uses a synchronous

+// navigation to about:blank and the parent removes the child frame in a load

+// event handler for the subframe.

+IN_PROC_BROWSER_TEST_F(SitePerProcessBrowserTest, NavigateAboutBlankAndDetach) {

+ GURL main_url(

+ embedded_test_server()->GetURL("a.com", "/remove_frame_on_load.html"));

+ EXPECT_TRUE(NavigateToURL(shell(), main_url));

+ WebContents* contents = shell()->web_contents();

+ FrameTreeNode* root =

+ static_cast<WebContentsImpl*>(contents)->GetFrameTree()->root();

+ EXPECT_EQ(1U, root->child_count());

+ FrameTreeNode* child = root->child_at(0);

+ EXPECT_NE(shell()->web_contents()->GetSiteInstance(),

+ child->current_frame_host()->GetSiteInstance());

+ // Navigate the child frame to "about:blank" from the parent document.

+ TestNavigationObserver observer(shell()->web_contents());

+ EXPECT_TRUE(

+ ExecuteScript(root->current_frame_host(),

dcheng 2016/03/03 18:24:16 I was going to suggest that this test could be wri

+ base::StringPrintf("f.src = '%s'", url::kAboutBlankURL)));

+ observer.Wait();

+ // Make sure the a.com renderer does not crash and the frame is removed.

+ int child_count = 0;

+ EXPECT_TRUE(ExecuteScriptAndExtractInt(

+ root->current_frame_host(), "domAutomationController.send(frames.length)",

+ &child_count));

+ EXPECT_EQ(0, child_count);

// Test for https://crbug.com/568670. In A-embed-B, simultaneously have B

// create a new (local) child frame, and have A detach B's proxy. The child

// frame creation sends an IPC to create a new proxy in A's process, and if

« no previous file with comments | « no previous file | content/renderer/render_frame_impl.cc » ('j') | no next file with comments »