OLD | NEW |
1 // Copyright (c) 2013 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2013 The Chromium Authors. All rights reserved. |
2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
4 | 4 |
5 #include "base/command_line.h" | 5 #include "base/command_line.h" |
6 #include "base/containers/hash_tables.h" | 6 #include "base/containers/hash_tables.h" |
7 #include "content/browser/dom_storage/dom_storage_context_wrapper.h" | 7 #include "content/browser/dom_storage/dom_storage_context_wrapper.h" |
8 #include "content/browser/dom_storage/session_storage_namespace_impl.h" | 8 #include "content/browser/dom_storage/session_storage_namespace_impl.h" |
9 #include "content/browser/frame_host/navigator.h" | 9 #include "content/browser/frame_host/navigator.h" |
10 #include "content/browser/renderer_host/render_view_host_factory.h" | 10 #include "content/browser/renderer_host/render_view_host_factory.h" |
(...skipping 121 matching lines...)
132 ViewHostMsg_CreateWindow_Params params; | 132 ViewHostMsg_CreateWindow_Params params; |
133 DOMStorageContextWrapper* dom_storage_context = | 133 DOMStorageContextWrapper* dom_storage_context = |
134 static_cast<DOMStorageContextWrapper*>( | 134 static_cast<DOMStorageContextWrapper*>( |
135 BrowserContext::GetStoragePartition( | 135 BrowserContext::GetStoragePartition( |
136 shell()->web_contents()->GetBrowserContext(), | 136 shell()->web_contents()->GetBrowserContext(), |
137 pending_rvh->GetSiteInstance())->GetDOMStorageContext()); | 137 pending_rvh->GetSiteInstance())->GetDOMStorageContext()); |
138 scoped_refptr<SessionStorageNamespaceImpl> session_storage( | 138 scoped_refptr<SessionStorageNamespaceImpl> session_storage( |
139 new SessionStorageNamespaceImpl(dom_storage_context)); | 139 new SessionStorageNamespaceImpl(dom_storage_context)); |
140 // Cause a deliberate collision in routing ids. | 140 // Cause a deliberate collision in routing ids. |
141 int main_frame_routing_id = duplicate_routing_id + 1; | 141 int main_frame_routing_id = duplicate_routing_id + 1; |
142 pending_rvh->CreateNewWindow( | 142 pending_rvh->CreateNewWindow(duplicate_routing_id, |
143 duplicate_routing_id, main_frame_routing_id, params, session_storage); | 143 main_frame_routing_id, |
| 144 params, |
| 145 session_storage.get()); |
144 | 146 |
145 // If the above operation doesn't cause a crash, the test has succeeded! | 147 // If the above operation doesn't cause a crash, the test has succeeded! |
146 } | 148 } |
147 | 149 |
148 // This is a test for crbug.com/312016. It tries to create two RenderWidgetHosts | 150 // This is a test for crbug.com/312016. It tries to create two RenderWidgetHosts |
149 // with the same process and routing ids, which causes a collision. It is almost | 151 // with the same process and routing ids, which causes a collision. It is almost |
150 // identical to the AttemptDuplicateRenderViewHost test case. | 152 // identical to the AttemptDuplicateRenderViewHost test case. |
151 IN_PROC_BROWSER_TEST_F(SecurityExploitBrowserTest, | 153 IN_PROC_BROWSER_TEST_F(SecurityExploitBrowserTest, |
152 AttemptDuplicateRenderWidgetHost) { | 154 AttemptDuplicateRenderWidgetHost) { |
153 int duplicate_routing_id = MSG_ROUTING_NONE; | 155 int duplicate_routing_id = MSG_ROUTING_NONE; |
154 RenderViewHostImpl* pending_rvh = | 156 RenderViewHostImpl* pending_rvh = |
155 PrepareToDuplicateHosts(shell(), &duplicate_routing_id); | 157 PrepareToDuplicateHosts(shell(), &duplicate_routing_id); |
156 EXPECT_NE(MSG_ROUTING_NONE, duplicate_routing_id); | 158 EXPECT_NE(MSG_ROUTING_NONE, duplicate_routing_id); |
157 | 159 |
158 // Since this test executes on the UI thread and hopping threads might cause | 160 // Since this test executes on the UI thread and hopping threads might cause |
159 // different timing in the test, let's simulate a CreateNewWidget call coming | 161 // different timing in the test, let's simulate a CreateNewWidget call coming |
160 // from the IO thread. Use the existing window routing id to cause a | 162 // from the IO thread. Use the existing window routing id to cause a |
161 // deliberate collision. | 163 // deliberate collision. |
162 pending_rvh->CreateNewWidget(duplicate_routing_id, blink::WebPopupTypeSelect); | 164 pending_rvh->CreateNewWidget(duplicate_routing_id, blink::WebPopupTypeSelect); |
163 | 165 |
164 // If the above operation doesn't crash, the test has succeeded! | 166 // If the above operation doesn't crash, the test has succeeded! |
165 } | 167 } |
166 | 168 |
167 } // namespace content | 169 } // namespace content |
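Review bot: The rewritten call at new lines 142-145 passes `session_storage.get()` as a raw pointer, and nothing in the test states who holds the reference once CreateNewWindow returns. The local scoped_refptr keeps the namespace alive only until the test body ends, and the callee's new signature is not visible on this page, so whether it takes its own reference should be confirmed. A comment such as `// |session_storage| keeps the only ref visible here; CreateNewWindow must take its own ref if it stores the pointer.` would record that contract. Separately, this test and AttemptDuplicateRenderWidgetHost pass on the mere absence of a crash, so a regression that silently accepts the colliding routing id would still pass; an explicit `EXPECT_*` on the outcome of the duplicate would close that gap. The enclosing test body starts in the skipped lines above the hunk.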