OLD | NEW |
---|---|
1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. |
2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
4 | 4 |
5 #include "base/files/file_path.h" | 5 #include "base/files/file_path.h" |
6 #include "base/strings/utf_string_conversions.h" | 6 #include "base/strings/utf_string_conversions.h" |
7 #include "chrome/browser/ui/browser.h" | 7 #include "chrome/browser/ui/browser.h" |
8 #include "chrome/browser/ui/tabs/tab_strip_model.h" | 8 #include "chrome/browser/ui/tabs/tab_strip_model.h" |
9 #include "chrome/test/base/in_process_browser_test.h" | 9 #include "chrome/test/base/in_process_browser_test.h" |
10 #include "chrome/test/base/ui_test_utils.h" | 10 #include "chrome/test/base/ui_test_utils.h" |
11 #include "content/public/browser/render_frame_host.h" | |
11 #include "content/public/browser/web_contents.h" | 12 #include "content/public/browser/web_contents.h" |
13 #include "content/public/test/browser_test_utils.h" | |
12 #include "url/gurl.h" | 14 #include "url/gurl.h" |
13 | 15 |
14 class IFrameTest : public InProcessBrowserTest { | 16 class IFrameTest : public InProcessBrowserTest { |
17 public: | |
18 void SetUpOnMainThread() override { | |
19 ASSERT_TRUE(embedded_test_server()->Start()); | |
20 } | |
21 | |
15 protected: | 22 protected: |
16 void NavigateAndVerifyTitle(const char* file, const char* page_title) { | 23 void NavigateAndVerifyTitle(const char* file, const char* page_title) { |
17 GURL url = ui_test_utils::GetTestUrl( | 24 GURL url = ui_test_utils::GetTestUrl( |
18 base::FilePath(), base::FilePath().AppendASCII(file)); | 25 base::FilePath(), base::FilePath().AppendASCII(file)); |
19 | 26 |
20 ui_test_utils::NavigateToURL(browser(), url); | 27 ui_test_utils::NavigateToURL(browser(), url); |
21 EXPECT_EQ(base::ASCIIToUTF16(page_title), | 28 EXPECT_EQ(base::ASCIIToUTF16(page_title), |
22 browser()->tab_strip_model()->GetActiveWebContents()->GetTitle()); | 29 browser()->tab_strip_model()->GetActiveWebContents()->GetTitle()); |
23 } | 30 } |
24 }; | 31 }; |
25 | 32 |
26 IN_PROC_BROWSER_TEST_F(IFrameTest, Crash) { | 33 IN_PROC_BROWSER_TEST_F(IFrameTest, Crash) { |
27 NavigateAndVerifyTitle("iframe.html", "iframe test"); | 34 NavigateAndVerifyTitle("iframe.html", "iframe test"); |
28 } | 35 } |
29 | 36 |
30 IN_PROC_BROWSER_TEST_F(IFrameTest, InEmptyFrame) { | 37 IN_PROC_BROWSER_TEST_F(IFrameTest, InEmptyFrame) { |
31 NavigateAndVerifyTitle("iframe_in_empty_frame.html", "iframe test"); | 38 NavigateAndVerifyTitle("iframe_in_empty_frame.html", "iframe test"); |
32 } | 39 } |
40 | |
41 // Test for https://crbug.com/621076. It ensures that file chooser triggered | |
42 // by an iframe, which is destroyed before the chooser is closed, does not | |
43 // result in a use-after-free condition. | |
44 IN_PROC_BROWSER_TEST_F(IFrameTest, DISABLED_FileChooserInDestroyedSubframe) { | |
Lei Zhang
2016/06/28 22:00:56
Please add a comment to explain why it's disabled.
| |
45 content::WebContents* tab = | |
46 browser()->tab_strip_model()->GetActiveWebContents(); | |
47 GURL file_input_url(embedded_test_server()->GetURL("/file_input.html")); | |
48 | |
49 // Navigate to a page, which contains an iframe, and navigate the iframe | |
50 // to a document containing a file input field. | |
51 // Note: For the bug to occur, the parent and child frame need to be in | |
52 // the same site, otherwise they would each get a RenderWidgetHost and | |
53 // existing code will properly clear the internal state. | |
54 ui_test_utils::NavigateToURL(browser(), | |
55 embedded_test_server()->GetURL("/iframe.html")); | |
56 NavigateIframeToURL(tab, "test", file_input_url); | |
57 | |
58 // Invoke the file chooser and remove the iframe from the main document. | |
59 content::RenderFrameHost* frame = ChildFrameAt(tab->GetMainFrame(), 0); | |
60 EXPECT_TRUE(frame); | |
61 EXPECT_EQ(frame->GetSiteInstance(), tab->GetMainFrame()->GetSiteInstance()); | |
62 EXPECT_TRUE( | |
63 ExecuteScript(frame, "document.getElementById('fileinput').click();")); | |
64 EXPECT_TRUE(ExecuteScript(tab->GetMainFrame(), | |
65 "document.body.removeChild(" | |
66 "document.querySelectorAll('iframe')[0])")); | |
67 ASSERT_EQ(nullptr, ChildFrameAt(tab->GetMainFrame(), 0)); | |
68 | |
69 // On ASan bots, this test should succeed without reporting use-after-free | |
70 // condition. | |
71 } | |
OLD | NEW |