Deal with frame removal by content scripts

Deal with frame removal by content scripts

Blink and the RenderFrame implementations are currently not prepared to deal
with frame detachments in their callbacks. Consequently, extension code
(content scripts, chrome.app.window.create) that run arbitrary code in the
"document element created" and "document loaded" notifications may result in
unexpected invalidation of memory, resulting in a UAF.

This patch fixes the bug by moving all code that runs untrusted code from
observers to dedicated callbacks, which are only run at a safe point.
All document parsers in Blink have been modified to make sure that they still
work even when the document creation is interrupted by frame removal.

An extensive set of tests for all different kinds of documents, frame removal
methods (e.g. synchronously / in mutation events / ...) and injection points
(document start/end) have been added to avoid regressions.

BUG=582008
Review URL: https://codereview.chromium.org/1642283002

Cr-Commit-Position: refs/heads/master@{#382162}
(cherry picked from commit 43ea0649d4b70fdcf3e9fa5c03aee1bbba0b04bb)

Committed: https://chromium.googlesource.com/chromium/src/+/9eaa751c333792682865e0705444eca748899637

[robwu, 2016-03-23 17:04:55]

Description was changed from

==========
Deal with frame removal by content scripts

Blink and the RenderFrame implementations are currently not prepared to deal
with frame detachments in their callbacks. Consequently, extension code
(content scripts, chrome.app.window.create) that run arbitrary code in the
"document element created" and "document loaded" notifications may result in
unexpected invalidation of memory, resulting in a UAF.

This patch fixes the bug by moving all code that runs untrusted code from
observers to dedicated callbacks, which are only run at a safe point.
All document parsers in Blink have been modified to make sure that they still
work even when the document creation is interrupted by frame removal.

An extensive set of tests for all different kinds of documents, frame removal
methods (e.g. synchronously / in mutation events / ...) and injection points
(document start/end) have been added to avoid regressions.

BUG=582008

Review URL: https://codereview.chromium.org/1642283002

Cr-Commit-Position: refs/heads/master@{#382162}
(cherry picked from commit 43ea0649d4b70fdcf3e9fa5c03aee1bbba0b04bb)
==========

to

==========
Deal with frame removal by content scripts

Blink and the RenderFrame implementations are currently not prepared to deal
with frame detachments in their callbacks. Consequently, extension code
(content scripts, chrome.app.window.create) that run arbitrary code in the
"document element created" and "document loaded" notifications may result in
unexpected invalidation of memory, resulting in a UAF.

This patch fixes the bug by moving all code that runs untrusted code from
observers to dedicated callbacks, which are only run at a safe point.
All document parsers in Blink have been modified to make sure that they still
work even when the document creation is interrupted by frame removal.

An extensive set of tests for all different kinds of documents, frame removal
methods (e.g. synchronously / in mutation events / ...) and injection points
(document start/end) have been added to avoid regressions.

BUG=582008

Review URL: https://codereview.chromium.org/1642283002

Cr-Commit-Position: refs/heads/master@{#382162}
(cherry picked from commit 43ea0649d4b70fdcf3e9fa5c03aee1bbba0b04bb)

Committed:
https://chromium.googlesource.com/chromium/src/+/9eaa751c333792682865e0705444...
==========

[robwu, 2016-03-23 17:04:57]

Committed patchset #1 (id:1) manually as
9eaa751c333792682865e0705444eca748899637.