OLD | NEW |
---|---|
1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. |
2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
4 | 4 |
5 #include "base/files/file_path.h" | 5 #include "base/files/file_path.h" |
6 #include "base/strings/utf_string_conversions.h" | 6 #include "base/strings/utf_string_conversions.h" |
7 #include "chrome/browser/ui/browser.h" | 7 #include "chrome/browser/ui/browser.h" |
8 #include "chrome/browser/ui/tabs/tab_strip_model.h" | 8 #include "chrome/browser/ui/tabs/tab_strip_model.h" |
9 #include "chrome/test/base/in_process_browser_test.h" | 9 #include "chrome/test/base/in_process_browser_test.h" |
10 #include "chrome/test/base/ui_test_utils.h" | 10 #include "chrome/test/base/ui_test_utils.h" |
11 #include "content/public/browser/web_contents.h" | 11 #include "content/public/browser/web_contents.h" |
12 #include "content/public/test/browser_test_utils.h" | |
12 #include "url/gurl.h" | 13 #include "url/gurl.h" |
13 | 14 |
14 class IFrameTest : public InProcessBrowserTest { | 15 class IFrameTest : public InProcessBrowserTest { |
16 public: | |
17 void SetUpOnMainThread() override { | |
18 ASSERT_TRUE(embedded_test_server()->Start()); | |
19 } | |
20 | |
15 protected: | 21 protected: |
16 void NavigateAndVerifyTitle(const char* file, const char* page_title) { | 22 void NavigateAndVerifyTitle(const char* file, const char* page_title) { |
17 GURL url = ui_test_utils::GetTestUrl( | 23 GURL url = ui_test_utils::GetTestUrl( |
18 base::FilePath(), base::FilePath().AppendASCII(file)); | 24 base::FilePath(), base::FilePath().AppendASCII(file)); |
19 | 25 |
20 ui_test_utils::NavigateToURL(browser(), url); | 26 ui_test_utils::NavigateToURL(browser(), url); |
21 EXPECT_EQ(base::ASCIIToUTF16(page_title), | 27 EXPECT_EQ(base::ASCIIToUTF16(page_title), |
22 browser()->tab_strip_model()->GetActiveWebContents()->GetTitle()); | 28 browser()->tab_strip_model()->GetActiveWebContents()->GetTitle()); |
23 } | 29 } |
24 }; | 30 }; |
25 | 31 |
26 IN_PROC_BROWSER_TEST_F(IFrameTest, Crash) { | 32 IN_PROC_BROWSER_TEST_F(IFrameTest, Crash) { |
27 NavigateAndVerifyTitle("iframe.html", "iframe test"); | 33 NavigateAndVerifyTitle("iframe.html", "iframe test"); |
28 } | 34 } |
29 | 35 |
30 IN_PROC_BROWSER_TEST_F(IFrameTest, InEmptyFrame) { | 36 IN_PROC_BROWSER_TEST_F(IFrameTest, InEmptyFrame) { |
31 NavigateAndVerifyTitle("iframe_in_empty_frame.html", "iframe test"); | 37 NavigateAndVerifyTitle("iframe_in_empty_frame.html", "iframe test"); |
32 } | 38 } |
39 | |
40 // Test for https://crbug.com/621076. It ensures that file chooser triggered | |
41 // by an iframe, which is destroyed before the chooser is closed, does not | |
42 // result in a use-after-free condition. | |
43 IN_PROC_BROWSER_TEST_F(IFrameTest, FileChooserInDestroyedSubframe) { | |
44 content::WebContents* tab = | |
45 browser()->tab_strip_model()->GetActiveWebContents(); | |
46 GURL file_input_url(embedded_test_server()->GetURL("/file_input.html")); | |
47 | |
48 // Navigate to a page, which contains an iframe, and navigate the iframe | |
49 // to a document containing a file input field. | |
50 // Note: For the bug to occur, the parent and child frame need to be in | |
Lei Zhang
2016/06/27 23:32:26
Can we verify tab->GetMainFrame() and |frame| are
nasko
2016/06/27 23:48:58
Done.
| |
51 // the same site, otherwise they would each get a RenderWidgetHost and | |
52 // existing code will properly clear the internal state. | |
53 ui_test_utils::NavigateToURL(browser(), | |
54 embedded_test_server()->GetURL("/iframe.html")); | |
55 NavigateIframeToURL(tab, "test", file_input_url); | |
56 | |
57 // Invoke the file chooser and remove the iframe from the main document. | |
58 content::RenderFrameHost* frame = ChildFrameAt(tab->GetMainFrame(), 0); | |
59 EXPECT_TRUE(frame); | |
60 EXPECT_TRUE( | |
61 ExecuteScript(frame, "document.getElementById('fileinput').click();")); | |
62 EXPECT_TRUE(ExecuteScript(tab->GetMainFrame(), | |
63 "document.body.removeChild(" | |
64 "document.querySelectorAll('iframe')[0])")); | |
65 ASSERT_EQ(nullptr, ChildFrameAt(tab->GetMainFrame(), 0)); | |
66 | |
67 // On ASan bots, this test should succeed without reporting use-after-free | |
68 // condition. | |
69 } | |
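Review bot: `EXPECT_TRUE(frame);` on new line 59 does not stop the test when `ChildFrameAt(tab->GetMainFrame(), 0)` returns null, so the following `ExecuteScript(frame, ...)` would run against a null frame and crash the test instead of failing it cleanly. `ASSERT_TRUE(frame);` is the safer form and matches the `ASSERT_EQ` used after the iframe is removed. The test body also ends with the file chooser still open, so the stale-pointer path is presumably only reached when the chooser is dismissed during browser teardown, and only an ASan build would report it. A comment saying so, for example `// The chooser is left open on purpose; its dismissal at teardown must not touch the destroyed frame.`, would keep a later cleanup from closing the dialog early and silently losing the regression coverage. Separately, `SetUpOnMainThread()` now starts the embedded test server for `Crash` and `InEmptyFrame` too, although both still load their pages through `GetTestUrl`.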