Issue 1759123002: Ensure RenderFrameHost & NavigationHandle are not destroyed during commit

Issue 1759123002: Ensure RenderFrameHost & NavigationHandle are not destroyed during commit (Closed)

Created:
4 years, 9 months ago by clamy

Modified:
4 years, 9 months ago

Reviewers:
nasko

CC:
chromium-reviews, darin-cc_chromium.org, nasko+codewatch_chromium.org, jam, creis+watch_chromium.org

Base URL:
https://chromium.googlesource.com/chromium/src.git@master

Target Ref:
refs/pending/heads/master

Project:
chromium

Visibility:
Public.

More Reviews

Description

Ensure RenderFrameHost & NavigationHandle are not destroyed during commit This CL adds a boolean to RenderFrameHost and NavigationHandle to check if they are destroyed during a navigation commit, which would lead to a use-after-free bug. BUG=589365 CQ_INCLUDE_TRYBOTS=tryserver.chromium.linux:linux_site_isolation Committed: https://crrev.com/764db137cad662c0b40399de0486b39048aa02b0 Cr-Commit-Position: refs/heads/master@{#381713}

Patch Set 1 #

Patch Set 2 : #

Total comments: 4

Created: 4 years, 9 months ago

Download [raw] [tar.bz2]

	Unified diffs	Side-by-side diffs	Delta from patch set	Stats (+40 lines, -1 line)			Patch
M	content/browser/frame_host/navigation_handle_impl.h	View		2 chunks	+10 lines, -0 lines	0 comments	Download
M	content/browser/frame_host/navigation_handle_impl.cc	View	1	2 chunks	+4 lines, -1 line	0 comments	Download
M	content/browser/frame_host/navigator_impl.cc	View	1	1 chunk	+7 lines, -0 lines	2 comments	Download
M	content/browser/frame_host/render_frame_host_impl.h	View	1	1 chunk	+5 lines, -0 lines	0 comments	Download
M	content/browser/frame_host/render_frame_host_impl.cc	View	1	3 chunks	+14 lines, -0 lines	2 comments	Download

Messages

Total messages: 15 (6 generated)

Expand Messages | Collapse Messages | Show Generated Messages | Hide Generated Messages

clamy

@nasko: PTAL. This is a temporary patch similar to what you did for the ~NavigationParams ...

4 years, 9 months ago (2016-03-15 10:58:29 UTC) #4

nasko

Couple of minor questions. https://codereview.chromium.org/1759123002/diff/20001/content/browser/frame_host/navigator_impl.cc File content/browser/frame_host/navigator_impl.cc (right): https://codereview.chromium.org/1759123002/diff/20001/content/browser/frame_host/navigator_impl.cc#newcode613 content/browser/frame_host/navigator_impl.cc:613: // TODO(clamy): The NavigationHandle should ...

4 years, 9 months ago (2016-03-15 14:10:34 UTC) #5

clamy

https://codereview.chromium.org/1759123002/diff/20001/content/browser/frame_host/navigator_impl.cc File content/browser/frame_host/navigator_impl.cc (right): https://codereview.chromium.org/1759123002/diff/20001/content/browser/frame_host/navigator_impl.cc#newcode613 content/browser/frame_host/navigator_impl.cc:613: // TODO(clamy): The NavigationHandle should always be reset here. ...

4 years, 9 months ago (2016-03-15 14:16:16 UTC) #6

commit-bot: I haz the power

CQ is trying da patch. Follow status at https://chromium-cq-status.appspot.com/patch-status/1759123002/20001 View timeline at https://chromium-cq-status.appspot.com/patch-timeline/1759123002/20001

4 years, 9 months ago (2016-03-17 14:10:58 UTC) #10

commit-bot: I haz the power

Patchset 2 (id:??) landed as https://crrev.com/764db137cad662c0b40399de0486b39048aa02b0 Cr-Commit-Position: refs/heads/master@{#381713}

4 years, 9 months ago (2016-03-17 15:27:18 UTC) #14

clamy

4 years, 8 months ago (2016-04-04 12:15:48 UTC) #15

Message was sent while issue was closed.

A revert of this CL (patchset #2 id:20001) has been created in
https://codereview.chromium.org/1856693002/ by clamy@chromium.org.

The reason for reverting is: Now that the underlying reason for issue 589365 has
been found and fixed, this investigation code can be removed..

Expand Messages | Collapse Messages | Show Generated Messages | Hide Generated Messages