its frame and not iframe

its frame and not iframe as mentioned in URL Parse

Thanks for the report.

Assigning to kouhei - this crashes at the DCHECK you added in https://codereview.chromium.org/1044133002.
Can you take a look at what's going on?


Stack trace on tip of tree:

[1:1:0627/102421:FATAL:Document.cpp(4416)] Check failed: baseURLOverride.isEmpty() || baseURLOverride.isValid(). 
#0 0x7f9a49e3a2de base::debug::StackTrace::StackTrace()
#1 0x7f9a49e9d67f logging::LogMessage::~LogMessage()
#2 0x7f9a30f25421 blink::Document::completeURLWithOverride()
#3 0x7f9a3134694a blink::PreloadRequest::completeURL()
#4 0x7f9a31346a8f blink::PreloadRequest::resourceRequest()
#5 0x7f9a313133db blink::HTMLResourcePreloader::preload()
#6 0x7f9a31346e0e blink::ResourcePreloader::takeAndPreload()
#7 0x7f9a3130cafa blink::HTMLPreloadScanner::scanAndPreload()
#8 0x7f9a312ea822 blink::HTMLDocumentParser::insert()
#9 0x7f9a30f1b22d blink::Document::write()
#10 0x7f9a30f1b2e4 blink::Document::write()
#11 0x7f9a30f1b605 blink::Document::write()
#12 0x7f9a30c66725 blink::DocumentV8Internal::writeMethod()
#13 0x7f9a30c5f3b1 blink::DocumentV8Internal::writeMethodCallback()
#14 0x7f9a3fdf021e v8::internal::FunctionCallbackArguments::Call()
#15 0x7f9a3fe7a440 v8::internal::(anonymous namespace)::HandleApiCallHelper<>()
#16 0x7f9a3feafdf6 v8::internal::Builtin_Impl_HandleApiCall()
#17 0x7f9a3fe868d9 v8::internal::Builtin_HandleApiCall()
#18 0x2eb9c2306147 <unknown>

Received signal 6
#0 0x7f9a49e3a2de base::debug::StackTrace::StackTrace()
#1 0x7f9a49e39e1f base::debug::(anonymous namespace)::StackDumpSignalHandler()
#2 0x7f9a3768f330 <unknown>
#3 0x7f9a3596ac37 gsignal
#4 0x7f9a3596e028 abort
#5 0x7f9a49e36af6 base::debug::(anonymous namespace)::DebugBreak()
#6 0x7f9a49e36ad8 base::debug::BreakDebugger()
#7 0x7f9a49e9d9cd logging::LogMessage::~LogMessage()
#8 0x7f9a30f25421 blink::Document::completeURLWithOverride()
#9 0x7f9a3134694a blink::PreloadRequest::completeURL()
#10 0x7f9a31346a8f blink::PreloadRequest::resourceRequest()
#11 0x7f9a313133db blink::HTMLResourcePreloader::preload()
#12 0x7f9a31346e0e blink::ResourcePreloader::takeAndPreload()
#13 0x7f9a3130cafa blink::HTMLPreloadScanner::scanAndPreload()
#14 0x7f9a312ea822 blink::HTMLDocumentParser::insert()
#15 0x7f9a30f1b22d blink::Document::write()
#16 0x7f9a30f1b2e4 blink::Document::write()
#17 0x7f9a30f1b605 blink::Document::write()
#18 0x7f9a30c66725 blink::DocumentV8Internal::writeMethod()
#19 0x7f9a30c5f3b1 blink::DocumentV8Internal::writeMethodCallback()
#20 0x7f9a3fdf021e v8::internal::FunctionCallbackArguments::Call()
#21 0x7f9a3fe7a440 v8::internal::(anonymous namespace)::HandleApiCallHelper<>()
#22 0x7f9a3feafdf6 v8::internal::Builtin_Impl_HandleApiCall()
#23 0x7f9a3fe868d9 v8::internal::Builtin_HandleApiCall()
#24 0x2eb9c2306147 <unknown>
  r8: 0000000000000001  r9: 00007f9a35a84a00 r10: 0000000000000008 r11: 0000000000000202
 r12: 00007f9a30c5f390 r13: 00007ffc670ccbf8 r14: 0000000000000000 r15: 0000397c6c7bb020
  di: 0000000000000001  si: 0000000000000001  bp: 00007ffc670cb320  bx: 00007f9a4a2086a7
  dx: 0000000000000006  ax: 0000000000000000  cx: ffffffffffffffff  sp: 00007ffc670cb1e8
  ip: 00007f9a3596ac37 efl: 0000000000000202 cgf: 0000000000000033 erf: 0000000000000000
 trp: 0000000000000000 msk: 0000000000000000 cr2: 0000000000000000

kouhei: Uh oh! This issue still open and hasn't been updated in the last 14 days. This is a serious vulnerability, and we want to ensure that there's progress. Could you please leave an update with the current status and any potential blockers?

If you're not the right owner for this issue, could you please remove yourself as soon as possible or help us find the right one?

If the issue is fixed or you can't reproduce it, please close the bug. If you've started working on a fix, please set the status to Started.

Thanks for your time! To disable nags, add the Disable-Nags label.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

I couldn't repro heap corruption (only DCHECK hit), so I think we can lower the priority.

CL: https://codereview.chromium.org/2132283002

cc+reviewers

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/51b5da563d004465a203dd40892a13b8543721e1

commit 51b5da563d004465a203dd40892a13b8543721e1
Author: kouhei <kouhei@chromium.org>
Date: Mon Jul 11 03:42:56 2016

Use Document::validBaseElementURL to init preloadscanner

Before this CL, Document::baseElementURL was used to initialize
PreloadScanner. However, this URL can be !isValid().

This CL introduces Document::validBaseElementURL() which returns
baseElementURL only when its valid, end returns empty URL when its invalid.
This can safely be used to initialize preload scanner.

BUG= 623365 

Review-Url: https://codereview.chromium.org/2132283002
Cr-Commit-Position: refs/heads/master@{#404595}

[add] https://crrev.com/51b5da563d004465a203dd40892a13b8543721e1/third_party/WebKit/LayoutTests/fast/parser/preloader-base-invalidurl-expected.txt
[add] https://crrev.com/51b5da563d004465a203dd40892a13b8543721e1/third_party/WebKit/LayoutTests/fast/parser/preloader-base-invalidurl.html
[modify] https://crrev.com/51b5da563d004465a203dd40892a13b8543721e1/third_party/WebKit/Source/core/dom/Document.cpp
[modify] https://crrev.com/51b5da563d004465a203dd40892a13b8543721e1/third_party/WebKit/Source/core/dom/Document.h
[modify] https://crrev.com/51b5da563d004465a203dd40892a13b8543721e1/third_party/WebKit/Source/core/html/parser/HTMLDocumentParser.cpp

Before we approve merge to M52, Could you please confirm whether this change is baked/verified in Canary and safe to merge?

The change is in canary for 2days, and no corresponding crash report since then:
https://crash.corp.google.com/browse?q=product.name%3D%27Chrome%27%20AND%20stable_signature%20CONTAINS%20%27Document%3A%3AcompleteURLWithOverride%27%20AND%20product.version%20CONTAINS%20%2754%27&ignore_case=false&enable_rewrite=true&omit_field_name=&omit_field_value=&omit_field_opt=%3D

Thank you  kouhei@. Also does this require a merge to M53?

+awhalley@ to decide whether we can take this merge in for M52 as it is only baked in canary for 2 days (not baked in dev/beta yet).

Yes.

Yes, this is good to merge for both M52 and M53.

Approving merge to M52 branch 2743 and M53 branch 2785. Please merge ASAP. Thank you.

Please merge your change to M53 branch 2785 and M52 branch 2743 ASAP (latest by 4:00 PM PST on Monday, 07/18).

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/395d38d485e93362792c23dc79460e971fde9c0a

commit 395d38d485e93362792c23dc79460e971fde9c0a
Author: Kouhei Ueno <kouhei@chromium.org>
Date: Mon Jul 18 02:41:22 2016

Use Document::validBaseElementURL to init preloadscanner

Before this CL, Document::baseElementURL was used to initialize
PreloadScanner. However, this URL can be !isValid().

This CL introduces Document::validBaseElementURL() which returns
baseElementURL only when its valid, end returns empty URL when its invalid.
This can safely be used to initialize preload scanner.

BUG= 623365 

Review-Url: https://codereview.chromium.org/2132283002
Cr-Commit-Position: refs/heads/master@{#404595}
(cherry picked from commit 51b5da563d004465a203dd40892a13b8543721e1)

Review URL: https://codereview.chromium.org/2160503002 .

Cr-Commit-Position: refs/branch-heads/2785@{#174}
Cr-Branched-From: 68623971be0cfc492a2cb0427d7f478e7b214c24-refs/heads/master@{#403382}

[add] https://crrev.com/395d38d485e93362792c23dc79460e971fde9c0a/third_party/WebKit/LayoutTests/fast/parser/preloader-base-invalidurl-expected.txt
[add] https://crrev.com/395d38d485e93362792c23dc79460e971fde9c0a/third_party/WebKit/LayoutTests/fast/parser/preloader-base-invalidurl.html
[modify] https://crrev.com/395d38d485e93362792c23dc79460e971fde9c0a/third_party/WebKit/Source/core/dom/Document.cpp
[modify] https://crrev.com/395d38d485e93362792c23dc79460e971fde9c0a/third_party/WebKit/Source/core/dom/Document.h
[modify] https://crrev.com/395d38d485e93362792c23dc79460e971fde9c0a/third_party/WebKit/Source/core/html/parser/HTMLDocumentParser.cpp

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/bdc5db10243308a0273a46518dc42ecff87fcf54

commit bdc5db10243308a0273a46518dc42ecff87fcf54
Author: Kouhei Ueno <kouhei@chromium.org>
Date: Mon Jul 18 02:44:09 2016

Use Document::validBaseElementURL to init preloadscanner

Before this CL, Document::baseElementURL was used to initialize
PreloadScanner. However, this URL can be !isValid().

This CL introduces Document::validBaseElementURL() which returns
baseElementURL only when its valid, end returns empty URL when its invalid.
This can safely be used to initialize preload scanner.

BUG= 623365 

Review-Url: https://codereview.chromium.org/2132283002
Cr-Commit-Position: refs/heads/master@{#404595}
(cherry picked from commit 51b5da563d004465a203dd40892a13b8543721e1)

Review URL: https://codereview.chromium.org/2157893002 .

Cr-Commit-Position: refs/branch-heads/2743@{#660}
Cr-Branched-From: 2b3ae3b8090361f8af5a611712fc1a5ab2de53cb-refs/heads/master@{#394939}

[add] https://crrev.com/bdc5db10243308a0273a46518dc42ecff87fcf54/third_party/WebKit/LayoutTests/fast/parser/preloader-base-invalidurl-expected.txt
[add] https://crrev.com/bdc5db10243308a0273a46518dc42ecff87fcf54/third_party/WebKit/LayoutTests/fast/parser/preloader-base-invalidurl.html
[modify] https://crrev.com/bdc5db10243308a0273a46518dc42ecff87fcf54/third_party/WebKit/Source/core/dom/Document.cpp
[modify] https://crrev.com/bdc5db10243308a0273a46518dc42ecff87fcf54/third_party/WebKit/Source/core/dom/Document.h
[modify] https://crrev.com/bdc5db10243308a0273a46518dc42ecff87fcf54/third_party/WebKit/Source/core/html/parser/HTMLDocumentParser.cpp

It is patched in M52, any info on reward? 

I'm afraid our panel as this only appears to be hitting a DCHECK :-(

This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot