| Index: chrome/browser/iframe_browsertest.cc
|
| diff --git a/chrome/browser/iframe_browsertest.cc b/chrome/browser/iframe_browsertest.cc
|
| index e0853f61b98991ffd32c7f5303cfadb94269debe..fef94500fdff173c7489039629d5c7f660c4fbca 100644
|
| --- a/chrome/browser/iframe_browsertest.cc
|
| +++ b/chrome/browser/iframe_browsertest.cc
|
| @@ -8,10 +8,17 @@
|
| #include "chrome/browser/ui/tabs/tab_strip_model.h"
|
| #include "chrome/test/base/in_process_browser_test.h"
|
| #include "chrome/test/base/ui_test_utils.h"
|
| +#include "content/public/browser/render_frame_host.h"
|
| #include "content/public/browser/web_contents.h"
|
| +#include "content/public/test/browser_test_utils.h"
|
| #include "url/gurl.h"
|
|
|
| class IFrameTest : public InProcessBrowserTest {
|
| + public:
|
| + void SetUpOnMainThread() override {
|
| + ASSERT_TRUE(embedded_test_server()->Start());
|
| + }
|
| +
|
| protected:
|
| void NavigateAndVerifyTitle(const char* file, const char* page_title) {
|
| GURL url = ui_test_utils::GetTestUrl(
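Review bot: The new `SetUpOnMainThread()` override starts the embedded test server but does not chain to the base fixture, and it sits under a new `public:` label although only the test harness calls it. Unless the base implementation is known to be empty, start the body with `InProcessBrowserTest::SetUpOnMainThread();` and move the override under the existing `protected:` section. A one-line comment such as `// Same-site iframe tests need HTTP URLs, so start the embedded server.` would explain why a fixture that otherwise loads pages via `ui_test_utils::GetTestUrl` now needs a server. The class body and `NavigateAndVerifyTitle` continue outside this hunk.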
|
| @@ -30,3 +37,37 @@ IN_PROC_BROWSER_TEST_F(IFrameTest, Crash) {
|
| IN_PROC_BROWSER_TEST_F(IFrameTest, InEmptyFrame) {
|
| NavigateAndVerifyTitle("iframe_in_empty_frame.html", "iframe test");
|
| }
|
| +
|
| +// Test for https://crbug.com/621076. It ensures that file chooser triggered
|
| +// by an iframe, which is destroyed before the chooser is closed, does not
|
| +// result in a use-after-free condition.
|
| +// Note: This test is disabled temporarily to track down a memory leak reported
|
| +// by the ASan bots. It will be enabled once the root cause is found.
|
| +IN_PROC_BROWSER_TEST_F(IFrameTest, DISABLED_FileChooserInDestroyedSubframe) {
|
| + content::WebContents* tab =
|
| + browser()->tab_strip_model()->GetActiveWebContents();
|
| + GURL file_input_url(embedded_test_server()->GetURL("/file_input.html"));
|
| +
|
| + // Navigate to a page, which contains an iframe, and navigate the iframe
|
| + // to a document containing a file input field.
|
| + // Note: For the bug to occur, the parent and child frame need to be in
|
| + // the same site, otherwise they would each get a RenderWidgetHost and
|
| + // existing code will properly clear the internal state.
|
| + ui_test_utils::NavigateToURL(browser(),
|
| + embedded_test_server()->GetURL("/iframe.html"));
|
| + NavigateIframeToURL(tab, "test", file_input_url);
|
| +
|
| + // Invoke the file chooser and remove the iframe from the main document.
|
| + content::RenderFrameHost* frame = ChildFrameAt(tab->GetMainFrame(), 0);
|
| + EXPECT_TRUE(frame);
|
| + EXPECT_EQ(frame->GetSiteInstance(), tab->GetMainFrame()->GetSiteInstance());
|
| + EXPECT_TRUE(
|
| + ExecuteScript(frame, "document.getElementById('fileinput').click();"));
|
| + EXPECT_TRUE(ExecuteScript(tab->GetMainFrame(),
|
| + "document.body.removeChild("
|
| + "document.querySelectorAll('iframe')[0])"));
|
| + ASSERT_EQ(nullptr, ChildFrameAt(tab->GetMainFrame(), 0));
|
| +
|
| + // On ASan bots, this test should succeed without reporting use-after-free
|
| + // condition.
|
| +}
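Review bot: `EXPECT_TRUE(frame);` does not stop the test, so if `ChildFrameAt(tab->GetMainFrame(), 0)` returns null the next line dereferences it in `frame->GetSiteInstance()` and the test crashes instead of failing cleanly; use `ASSERT_TRUE(frame);`. The same-site check on the following line is the precondition the comment says the bug needs, so it is better as `ASSERT_EQ(frame->GetSiteInstance(), tab->GetMainFrame()->GetSiteInstance());`, since otherwise a cross-site setup would let the test pass without reaching the use-after-free path. Nothing visible in the hunk confirms that the file chooser was actually opened before the iframe is removed, so the test may pass vacuously; either check for the chooser request or state the assumption in a comment. While the test carries the `DISABLED_` prefix it gives no regression coverage for crbug.com/621076, so the note about the ASan leak should carry a `TODO` that points at a tracking bug for re-enabling it.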
|
|
|