OLD | NEW |
1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. |
2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
4 | 4 |
5 #include "base/files/file_path.h" | 5 #include "base/files/file_path.h" |
6 #include "base/strings/utf_string_conversions.h" | 6 #include "base/strings/utf_string_conversions.h" |
7 #include "chrome/browser/ui/browser.h" | 7 #include "chrome/browser/ui/browser.h" |
8 #include "chrome/browser/ui/tabs/tab_strip_model.h" | 8 #include "chrome/browser/ui/tabs/tab_strip_model.h" |
9 #include "chrome/test/base/in_process_browser_test.h" | 9 #include "chrome/test/base/in_process_browser_test.h" |
10 #include "chrome/test/base/ui_test_utils.h" | 10 #include "chrome/test/base/ui_test_utils.h" |
| 11 #include "content/public/browser/render_frame_host.h" |
11 #include "content/public/browser/web_contents.h" | 12 #include "content/public/browser/web_contents.h" |
| 13 #include "content/public/test/browser_test_utils.h" |
12 #include "url/gurl.h" | 14 #include "url/gurl.h" |
13 | 15 |
14 class IFrameTest : public InProcessBrowserTest { | 16 class IFrameTest : public InProcessBrowserTest { |
| 17 public: |
| 18 void SetUpOnMainThread() override { |
| 19 ASSERT_TRUE(embedded_test_server()->Start()); |
| 20 } |
| 21 |
15 protected: | 22 protected: |
16 void NavigateAndVerifyTitle(const char* file, const char* page_title) { | 23 void NavigateAndVerifyTitle(const char* file, const char* page_title) { |
17 GURL url = ui_test_utils::GetTestUrl( | 24 GURL url = ui_test_utils::GetTestUrl( |
18 base::FilePath(), base::FilePath().AppendASCII(file)); | 25 base::FilePath(), base::FilePath().AppendASCII(file)); |
19 | 26 |
20 ui_test_utils::NavigateToURL(browser(), url); | 27 ui_test_utils::NavigateToURL(browser(), url); |
21 EXPECT_EQ(base::ASCIIToUTF16(page_title), | 28 EXPECT_EQ(base::ASCIIToUTF16(page_title), |
22 browser()->tab_strip_model()->GetActiveWebContents()->GetTitle()); | 29 browser()->tab_strip_model()->GetActiveWebContents()->GetTitle()); |
23 } | 30 } |
24 }; | 31 }; |
25 | 32 |
26 IN_PROC_BROWSER_TEST_F(IFrameTest, Crash) { | 33 IN_PROC_BROWSER_TEST_F(IFrameTest, Crash) { |
27 NavigateAndVerifyTitle("iframe.html", "iframe test"); | 34 NavigateAndVerifyTitle("iframe.html", "iframe test"); |
28 } | 35 } |
29 | 36 |
30 IN_PROC_BROWSER_TEST_F(IFrameTest, InEmptyFrame) { | 37 IN_PROC_BROWSER_TEST_F(IFrameTest, InEmptyFrame) { |
31 NavigateAndVerifyTitle("iframe_in_empty_frame.html", "iframe test"); | 38 NavigateAndVerifyTitle("iframe_in_empty_frame.html", "iframe test"); |
32 } | 39 } |
| 40 |
| 41 // Test for https://crbug.com/621076. It ensures that file chooser triggered |
| 42 // by an iframe, which is destroyed before the chooser is closed, does not |
| 43 // result in a use-after-free condition. |
| 44 // Note: This test is disabled temporarily to track down a memory leak reported |
| 45 // by the ASan bots. It will be enabled once the root cause is found. |
| 46 IN_PROC_BROWSER_TEST_F(IFrameTest, DISABLED_FileChooserInDestroyedSubframe) { |
| 47 content::WebContents* tab = |
| 48 browser()->tab_strip_model()->GetActiveWebContents(); |
| 49 GURL file_input_url(embedded_test_server()->GetURL("/file_input.html")); |
| 50 |
| 51 // Navigate to a page, which contains an iframe, and navigate the iframe |
| 52 // to a document containing a file input field. |
| 53 // Note: For the bug to occur, the parent and child frame need to be in |
| 54 // the same site, otherwise they would each get a RenderWidgetHost and |
| 55 // existing code will properly clear the internal state. |
| 56 ui_test_utils::NavigateToURL(browser(), |
| 57 embedded_test_server()->GetURL("/iframe.html")); |
| 58 NavigateIframeToURL(tab, "test", file_input_url); |
| 59 |
| 60 // Invoke the file chooser and remove the iframe from the main document. |
| 61 content::RenderFrameHost* frame = ChildFrameAt(tab->GetMainFrame(), 0); |
| 62 EXPECT_TRUE(frame); |
| 63 EXPECT_EQ(frame->GetSiteInstance(), tab->GetMainFrame()->GetSiteInstance()); |
| 64 EXPECT_TRUE( |
| 65 ExecuteScript(frame, "document.getElementById('fileinput').click();")); |
| 66 EXPECT_TRUE(ExecuteScript(tab->GetMainFrame(), |
| 67 "document.body.removeChild(" |
| 68 "document.querySelectorAll('iframe')[0])")); |
| 69 ASSERT_EQ(nullptr, ChildFrameAt(tab->GetMainFrame(), 0)); |
| 70 |
| 71 // On ASan bots, this test should succeed without reporting use-after-free |
| 72 // condition. |
| 73 } |
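Review bot: In FileChooserInDestroyedSubframe the child-frame null check is `EXPECT_TRUE(frame);`, which lets the test continue, so the next line's `frame->GetSiteInstance()` dereferences a null pointer if the iframe was not found; make it `ASSERT_TRUE(frame);` so the test fails cleanly instead of crashing. The test body ends right after the iframe is removed and relies on ASan to flag the use-after-free, so on non-ASan builds it passes without verifying anything, and it does not appear to close the chooser explicitly; a comment such as `// Only meaningful under ASan; the chooser is still open when the test body ends.` would make that dependency explicit. Because the test lands as DISABLED_, the fix for crbug.com/621076 has no regression coverage until the leak is understood, so the disabling comment should name the bug that tracks re-enabling it.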
OLD | NEW |