| OLD | NEW |
|---|
| 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 #include <stdint.h> | 5 #include <stdint.h> |
| 6 #include <utility> | 6 #include <utility> |
| 7 | 7 |
| 8 #include "base/command_line.h" | 8 #include "base/command_line.h" |
| 9 #include "base/logging.h" | 9 #include "base/logging.h" |
| 10 #include "base/macros.h" | 10 #include "base/macros.h" |
| 11 #include "base/strings/utf_string_conversions.h" | 11 #include "base/strings/utf_string_conversions.h" |
| 12 #include "build/build_config.h" | 12 #include "build/build_config.h" |
| 13 #include "content/browser/frame_host/interstitial_page_impl.h" | 13 #include "content/browser/frame_host/interstitial_page_impl.h" |
| 14 #include "content/browser/frame_host/navigation_entry_impl.h" | 14 #include "content/browser/frame_host/navigation_entry_impl.h" |
| 15 #include "content/browser/frame_host/navigator.h" |
| 15 #include "content/browser/frame_host/render_frame_host_impl.h" | 16 #include "content/browser/frame_host/render_frame_host_impl.h" |
| 16 #include "content/browser/frame_host/render_frame_proxy_host.h" | 17 #include "content/browser/frame_host/render_frame_proxy_host.h" |
| 17 #include "content/browser/media/audio_stream_monitor.h" | 18 #include "content/browser/media/audio_stream_monitor.h" |
| 18 #include "content/browser/media/media_web_contents_observer.h" | 19 #include "content/browser/media/media_web_contents_observer.h" |
| 19 #include "content/browser/renderer_host/render_view_host_impl.h" | 20 #include "content/browser/renderer_host/render_view_host_impl.h" |
| 20 #include "content/browser/site_instance_impl.h" | 21 #include "content/browser/site_instance_impl.h" |
| 21 #include "content/browser/webui/content_web_ui_controller_factory.h" | 22 #include "content/browser/webui/content_web_ui_controller_factory.h" |
| 22 #include "content/browser/webui/web_ui_controller_factory_registry.h" | 23 #include "content/browser/webui/web_ui_controller_factory_registry.h" |
| 23 #include "content/common/frame_messages.h" | 24 #include "content/common/frame_messages.h" |
| 24 #include "content/common/input/synthetic_web_input_event_builders.h" | 25 #include "content/common/input/synthetic_web_input_event_builders.h" |
| (...skipping 2136 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 2161 | 2162 |
| 2162 // Before the interstitial has a chance to process its shutdown task, | 2163 // Before the interstitial has a chance to process its shutdown task, |
| 2163 // simulate quitting the browser. This goes through all processes and | 2164 // simulate quitting the browser. This goes through all processes and |
| 2164 // tells them to destruct. | 2165 // tells them to destruct. |
| 2165 rfh->GetProcess()->SimulateCrash(); | 2166 rfh->GetProcess()->SimulateCrash(); |
| 2166 | 2167 |
| 2167 RunAllPendingInMessageLoop(); | 2168 RunAllPendingInMessageLoop(); |
| 2168 EXPECT_TRUE(deleted); | 2169 EXPECT_TRUE(deleted); |
| 2169 } | 2170 } |
| 2170 | 2171 |
| 2172 // Test for https://crbug.com/730592, where deleting a WebContents while its |
| 2173 // interstitial is navigating could lead to a crash. |
| 2174 TEST_F(WebContentsImplTest, CreateInterstitialForClosingTab) { |
| 2175 // Navigate to a page. |
| 2176 GURL url1("http://www.google.com"); |
| 2177 main_test_rfh()->NavigateAndCommitRendererInitiated(true, url1); |
| 2178 EXPECT_EQ(1, controller().GetEntryCount()); |
| 2179 |
| 2180 // Initiate a browser navigation that will trigger an interstitial. |
| 2181 controller().LoadURL(GURL("http://www.evil.com"), Referrer(), |
| 2182 ui::PAGE_TRANSITION_TYPED, std::string()); |
| 2183 |
| 2184 // Show an interstitial. |
| 2185 TestInterstitialPage::InterstitialState state = TestInterstitialPage::INVALID; |
| 2186 bool deleted = false; |
| 2187 GURL url2("http://interstitial"); |
| 2188 TestInterstitialPage* interstitial = |
| 2189 new TestInterstitialPage(contents(), true, url2, &state, &deleted); |
| 2190 TestInterstitialPageStateGuard state_guard(interstitial); |
| 2191 interstitial->Show(); |
| 2192 RenderFrameHostImpl* interstitial_rfh = |
| 2193 static_cast<RenderFrameHostImpl*>(interstitial->GetMainFrame()); |
| 2194 // The interstitial should not show until its navigation has committed. |
| 2195 EXPECT_FALSE(interstitial->is_showing()); |
| 2196 EXPECT_FALSE(contents()->ShowingInterstitialPage()); |
| 2197 EXPECT_EQ(nullptr, contents()->GetInterstitialPage()); |
| 2198 |
| 2199 // Close the tab before the interstitial commits. |
| 2200 DeleteContents(); |
| 2201 EXPECT_EQ(TestInterstitialPage::CANCELED, state); |
| 2202 |
| 2203 // The interstitial page triggers a DidStartNavigation after the tab is gone, |
| 2204 // but before the interstitial page itself is deleted. This should not crash. |
| 2205 Navigator* interstitial_navigator = |
| 2206 interstitial_rfh->frame_tree_node()->navigator(); |
| 2207 interstitial_navigator->DidStartProvisionalLoad( |
| 2208 interstitial_rfh, url2, std::vector<GURL>(), base::TimeTicks::Now()); |
| 2209 EXPECT_FALSE(deleted); |
| 2210 |
| 2211 RunAllPendingInMessageLoop(); |
| 2212 EXPECT_TRUE(deleted); |
| 2213 } |
| 2214 |
| 2171 // Test that after Proceed is called and an interstitial is still shown, no more | 2215 // Test that after Proceed is called and an interstitial is still shown, no more |
| 2172 // commands get executed. | 2216 // commands get executed. |
| 2173 TEST_F(WebContentsImplTest, ShowInterstitialProceedMultipleCommands) { | 2217 TEST_F(WebContentsImplTest, ShowInterstitialProceedMultipleCommands) { |
| 2174 // Navigate to a page so we have a navigation entry in the controller. | 2218 // Navigate to a page so we have a navigation entry in the controller. |
| 2175 GURL url1("http://www.google.com"); | 2219 GURL url1("http://www.google.com"); |
| 2176 main_test_rfh()->NavigateAndCommitRendererInitiated(true, url1); | 2220 main_test_rfh()->NavigateAndCommitRendererInitiated(true, url1); |
| 2177 EXPECT_EQ(1, controller().GetEntryCount()); | 2221 EXPECT_EQ(1, controller().GetEntryCount()); |
| 2178 | 2222 |
| 2179 // Show an interstitial. | 2223 // Show an interstitial. |
| 2180 TestInterstitialPage::InterstitialState state = | 2224 TestInterstitialPage::InterstitialState state = |
| (...skipping 1262 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 3443 // An automatic navigation. | 3487 // An automatic navigation. |
| 3444 main_test_rfh()->SendNavigateWithModificationCallback( | 3488 main_test_rfh()->SendNavigateWithModificationCallback( |
| 3445 0, true, GURL(url::kAboutBlankURL), base::Bind(SetAsNonUserGesture)); | 3489 0, true, GURL(url::kAboutBlankURL), base::Bind(SetAsNonUserGesture)); |
| 3446 | 3490 |
| 3447 EXPECT_EQ(1u, dialog_manager.reset_count()); | 3491 EXPECT_EQ(1u, dialog_manager.reset_count()); |
| 3448 | 3492 |
| 3449 contents()->SetJavaScriptDialogManagerForTesting(nullptr); | 3493 contents()->SetJavaScriptDialogManagerForTesting(nullptr); |
| 3450 } | 3494 } |
| 3451 | 3495 |
| 3452 } // namespace content | 3496 } // namespace content |
| OLD | NEW |
|---|
Chromium Code Reviews
Issue 2945163002:
Avoid use-after-free when InterstitialPageImpl is being torn down. (Closed)
