UaF of delegate_ in WebFrameTestClient::willSendRequest
Issue description

Repro (with ASAN enabled):
DISPLAY=:20 third_party/WebKit/Tools/Scripts/run-webkit-tests -t gn -v --additional-drt-flag=--site-per-process --child-processes=3 --additional-drt-flag=--no-sandbox --iterations=1 http/tests/local/serviceworker/fetch-request-body-file.html

The problem is that WebFrameTestClient gets, stores and uses a global delegate (passed from WebTestInterfaces::CreateWebFrameTestClient) rather than using the frame/view-specific delegate via this->web_test_proxy_base_->delegate(). Fixing this will be a bit complicated, because which (incorrect) delegate is being used has been "baked in" for a while (i.e. delegate_->PrintMessage calls have no effect if accidentally going through a swapped-out delegate).
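The failure mode described above, as an added example that is not Chromium code and not part of the bug report: a client that caches a delegate pointer at construction keeps using it after the owner has swapped the delegate out, while a client that resolves the delegate through its owner on every call does not. The class and function names (Delegate, TestProxy, CachingClient, ResolvingClient, RunScenario) are hypothetical stand-ins for the WebFrameTestClient / WebTestProxyBase arrangement; a std::weak_ptr is used in the buggy variant so the stale reference is observable as a null lock() instead of the undefined behaviour a raw pointer would give.

```cpp
#include <memory>
#include <string>
#include <vector>

// Hypothetical delegate (added example, not Chromium code). The owner
// destroys it when the frame's delegate is swapped.
struct Delegate {
    explicit Delegate(std::string n) : name(std::move(n)) {}
    std::string name;
    std::vector<std::string> messages;
    void PrintMessage(const std::string& m) { messages.push_back(m); }
};

// Hypothetical owner of the current delegate; SwapDelegate() replaces it
// and, since no one else holds a strong reference, destroys the old one.
class TestProxy {
public:
    TestProxy() : delegate_(std::make_shared<Delegate>("initial")) {}
    std::shared_ptr<Delegate> delegate() const { return delegate_; }
    void SwapDelegate(std::string name) {
        delegate_ = std::make_shared<Delegate>(std::move(name));
    }
private:
    std::shared_ptr<Delegate> delegate_;
};

// Buggy pattern: the delegate is captured once and reused. With a raw
// pointer this is a use-after-free after SwapDelegate(); the weak_ptr here
// only makes the dangling state detectable so the example can run safely.
class CachingClient {
public:
    explicit CachingClient(const TestProxy& proxy) : delegate_(proxy.delegate()) {}
    // Returns false when the cached delegate no longer exists.
    bool WillSendRequest(const std::string& url) {
        if (auto d = delegate_.lock()) {
            d->PrintMessage("request: " + url);
            return true;
        }
        return false;
    }
private:
    std::weak_ptr<Delegate> delegate_;
};

// Fixed pattern: resolve the delegate through the owner at each use, so a
// swap performed by the owner is always observed. The proxy must outlive
// the client, which RunScenario() guarantees by construction order.
class ResolvingClient {
public:
    explicit ResolvingClient(const TestProxy* proxy) : proxy_(proxy) {}
    bool WillSendRequest(const std::string& url) {
        proxy_->delegate()->PrintMessage("request: " + url);
        return true;
    }
private:
    const TestProxy* proxy_;
};

struct Outcome {
    bool caching_ok;           // false: cached delegate was gone
    bool resolving_ok;         // true: fresh delegate resolved
    std::string receiver;      // name of delegate that got the second message
    size_t messages_on_new;    // messages delivered to the swapped-in delegate
};

// Drives both clients across a delegate swap and reports what each saw.
Outcome RunScenario() {
    TestProxy proxy;
    CachingClient caching(proxy);
    ResolvingClient resolving(&proxy);
    caching.WillSendRequest("a.html");
    resolving.WillSendRequest("a.html");
    proxy.SwapDelegate("swapped");  // old delegate destroyed here
    Outcome o;
    o.caching_ok = caching.WillSendRequest("b.html");
    o.resolving_ok = resolving.WillSendRequest("b.html");
    o.receiver = proxy.delegate()->name;
    o.messages_on_new = proxy.delegate()->messages.size();
    return o;
}
```

The check a practitioner would add to a real fix is the same as the one RunScenario() encodes: perform a delegate swap between two uses and confirm that the message lands on the delegate the owner currently reports, not on the one that was live when the client was created.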
May 3 2016
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/6bd0f3201a2bc6c1d30dfc8a5a23eeeaedf56e2b

commit 6bd0f3201a2bc6c1d30dfc8a5a23eeeaedf56e2b
Author: lukasza <lukasza@chromium.org>
Date: Tue May 03 16:26:14 2016

Triaging some of the remaining site-per-process layout test failures.

Most of the changes in this CL just moved test expectations around and added comments with bug pointers. One exception is that http/tests/appcache/remove-cache.html expectation has been removed altogether:
- this test passes on the Site Isolation FYI
- flakiness is already called out in https://crbug.com/518929
- locally I see a failure with and without --site-per-process, but since the bots are happy we should just remove the exception I think

BUG=582211, 608015, 608023, 606594, 607991, 607981
Review-Url: https://codereview.chromium.org/1931143002
Cr-Commit-Position: refs/heads/master@{#391262}

[modify] https://crrev.com/6bd0f3201a2bc6c1d30dfc8a5a23eeeaedf56e2b/third_party/WebKit/LayoutTests/FlagExpectations/site-per-process

May 18 2016

May 18 2016
Deprecating component:Blink>LayoutTests, to use label Test=Layout instead.

Sep 16 2016

Oct 4 2016
Always going through process-level messages will make us resilient to the trouble pointed out in #c1.

Oct 14 2016
UaF fix proposal: https://codereview.chromium.org/2349063002
As pointed out in #c6, the fix above depends on switching to process-level messages; the tentative CL is at https://codereview.chromium.org/1814963002

Feb 7 2017
+jiameng@ as an FYI in case she runs into the UaF as part of the work to migrate layout tests to use mojo.

Feb 14 2018
Issue 766007 has been merged into this issue.

Feb 14 2018
Automatically applying components based on crash stacktrace and information from OWNERS files. If this is incorrect, please apply the Test-Predator-Wrong-Components label.

Feb 15 2018

Feb 16 2018

Mar 21 2018
ClusterFuzz testcase 5639604190576640 is verified as fixed, so closing issue as verified. If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
Comment 1 by lukasza@chromium.org, Apr 26 2016