Issue 718570 link

Starred by 3 users

Issue metadata

Status:	Fixed
Merged:	issue 759356
Owner:	----
Closed:	Mar 2018
Cc:	japhet@chromium.org █ nick@chromium.org clamy@chromium.org creis@chromium.org dcheng@chromium.org alex...@chromium.org █ nasko@chromium.org
Components:	UI>Browser>Navigation
EstimatedDays:	----
NextAction:	----
OS:	All
Pri:	1
Type:	Bug

Blocked on:
issue 759356

We pass URLs from the renderer to the browser even though the browser already knows them

Project Member Reported by a...@chromium.org, May 4 2017

Issue description

On ToT:

1. go to https://www.w3schools.com/jsref/tryit.asp?filename=tryjsref_onbeforeunload
2. click reload

[41382:1295:0504/161803.489430:FATAL:render_frame_host_impl.cc(1838)] Check failed: frame_url == last_committed_url_ (https://www.w3schools.com/jsref/tryit.asp?filename=tryjsref_onbeforeunload vs. about:blank)
0   libbase.dylib                       0x0000000123f91f7e base::debug::StackTrace::StackTrace(unsigned long) + 174
1   libbase.dylib                       0x0000000123f9201d base::debug::StackTrace::StackTrace(unsigned long) + 29
2   libbase.dylib                       0x0000000123f904ac base::debug::StackTrace::StackTrace() + 28
3   libbase.dylib                       0x000000012402f15f logging::LogMessage::~LogMessage() + 479
4   libbase.dylib                       0x000000012402cad5 logging::LogMessage::~LogMessage() + 21
5   libcontent.dylib                    0x000000012b80ae2f content::RenderFrameHostImpl::OnRunBeforeUnloadConfirm(GURL const&, bool, IPC::Message*) + 575
6   libcontent.dylib                    0x000000012b845834 void base::DispatchToMethodImpl<content::RenderFrameHostImpl*, void (content::RenderFrameHostImpl::*)(GURL const&, bool, IPC::Message*), std::__1::tuple<GURL, bool>&, std::__1::tuple<IPC::Message&>, 0ul, 1ul, 0ul>(content::RenderFrameHostImpl* const&, void (content::RenderFrameHostImpl::*)(GURL const&, bool, IPC::Message*), std::__1::tuple<GURL, bool>&&&, std::__1::tuple<IPC::Message&>*, base::IndexSequence<0ul, 1ul>, base::IndexSequence<0ul>) + 260
7   libcontent.dylib                    0x000000012b845728 void base::DispatchToMethod<content::RenderFrameHostImpl*, void (content::RenderFrameHostImpl::*)(GURL const&, bool, IPC::Message*), std::__1::tuple<GURL, bool>&, std::__1::tuple<IPC::Message&> >(content::RenderFrameHostImpl* const&, void (content::RenderFrameHostImpl::*)(GURL const&, bool, IPC::Message*), std::__1::tuple<GURL, bool>&&&, std::__1::tuple<IPC::Message&>*) + 104
8   libcontent.dylib                    0x000000012b80aab5 bool IPC::MessageT<FrameHostMsg_RunBeforeUnloadConfirm_Meta, std::__1::tuple<GURL, bool>, std::__1::tuple<bool, std::__1::basic_string<unsigned short, base::string16_char_traits, std::__1::allocator<unsigned short> > > >::DispatchDelayReply<content::RenderFrameHostImpl, void, void (content::RenderFrameHostImpl::*)(GURL const&, bool, IPC::Message*)>(IPC::Message const*, content::RenderFrameHostImpl*, void*, void (content::RenderFrameHostImpl::*)(GURL const&, bool, IPC::Message*)) + 869
9   libcontent.dylib                    0x000000012b7ffbaa content::RenderFrameHostImpl::OnMessageReceived(IPC::Message const&) + 6778
10  libcontent.dylib                    0x000000012bffdd0a content::RenderProcessHostImpl::OnMessageReceived(IPC::Message const&) + 2058
11  libipc.dylib                        0x0000000127617c18 IPC::ChannelProxy::Context::OnDispatchMessage(IPC::Message const&) + 152
12  libipc.dylib                        0x000000012761eec7 void base::internal::FunctorTraits<void (IPC::ChannelProxy::Context::*)(IPC::Message const&), void>::Invoke<scoped_refptr<IPC::ChannelProxy::Context> const&, IPC::Message const&>(void (IPC::ChannelProxy::Context::*)(IPC::Message const&), scoped_refptr<IPC::ChannelProxy::Context> const&&&, IPC::Message const&&&) + 151
13  libipc.dylib                        0x000000012761edbf void base::internal::InvokeHelper<false, void>::MakeItSo<void (IPC::ChannelProxy::Context::* const&)(IPC::Message const&), scoped_refptr<IPC::ChannelProxy::Context> const&, IPC::Message const&>(void (IPC::ChannelProxy::Context::* const&&&)(IPC::Message const&), scoped_refptr<IPC::ChannelProxy::Context> const&&&, IPC::Message const&&&) + 95
14  libipc.dylib                        0x000000012761ed4d void base::internal::Invoker<base::internal::BindState<void (IPC::ChannelProxy::Context::*)(IPC::Message const&), scoped_refptr<IPC::ChannelProxy::Context>, IPC::Message>, void ()>::RunImpl<void (IPC::ChannelProxy::Context::* const&)(IPC::Message const&), std::__1::tuple<scoped_refptr<IPC::ChannelProxy::Context>, IPC::Message> const&, 0ul, 1ul>(void (IPC::ChannelProxy::Context::* const&&&)(IPC::Message const&), std::__1::tuple<scoped_refptr<IPC::ChannelProxy::Context>, IPC::Message> const&&&, base::IndexSequence<0ul, 1ul>) + 125
15  libipc.dylib                        0x000000012761ec5c base::internal::Invoker<base::internal::BindState<void (IPC::ChannelProxy::Context::*)(IPC::Message const&), scoped_refptr<IPC::ChannelProxy::Context>, IPC::Message>, void ()>::Run(base::internal::BindStateBase*) + 44
16  libbase.dylib                       0x0000000123f2faef base::Callback<void (), (base::internal::CopyMode)0, (base::internal::RepeatMode)0>::Run() + 95
17  libbase.dylib                       0x0000000123f944c0 base::debug::TaskAnnotator::RunTask(char const*, base::PendingTask*) + 1024
18  libbase.dylib                       0x00000001240872be base::MessageLoop::RunTask(base::PendingTask*) + 894
19  libbase.dylib                       0x0000000124087814 base::MessageLoop::DeferOrRunPendingTask(base::PendingTask) + 68
20  libbase.dylib                       0x000000012408826c base::MessageLoop::DoWork() + 668
21  libbase.dylib                       0x000000012409b508 base::MessagePumpCFRunLoopBase::RunWork() + 104
22  libbase.dylib                       0x000000012409b48c ___ZN4base24MessagePumpCFRunLoopBase13RunWorkSourceEPv_block_invoke + 28
23  libbase.dylib                       0x000000012403749a base::mac::CallWithEHFrame(void () block_pointer) + 10
24  libbase.dylib                       0x000000012409aa95 base::MessagePumpCFRunLoopBase::RunWorkSource(void*) + 101
25  CoreFoundation                      0x00007fff99f207e1 __CFRUNLOOP_IS_CALLING_OUT_TO_A_SOURCE0_PERFORM_FUNCTION__ + 17
26  CoreFoundation                      0x00007fff99efff1c __CFRunLoopDoSources0 + 556
27  CoreFoundation                      0x00007fff99eff43f __CFRunLoopRun + 927
28  CoreFoundation                      0x00007fff99efee38 CFRunLoopRunSpecific + 296
29  HIToolbox                           0x00007fff9e99f935 RunCurrentEventLoopInMode + 235
30  HIToolbox                           0x00007fff9e99f677 ReceiveNextEventCommon + 184
31  HIToolbox                           0x00007fff9e99f5af _BlockUntilNextEventMatchingListInModeWithFilter + 71
32  AppKit                              0x00007fff9a383df6 _DPSNextEvent + 1067
33  AppKit                              0x00007fff9a383226 -[NSApplication _nextEventMatchingEventMask:untilDate:inMode:dequeue:] + 454
34  libchrome_dll.dylib                 0x000000010f3eb69a __71-[BrowserCrApplication nextEventMatchingMask:untilDate:inMode:dequeue:]_block_invoke + 106
35  libbase.dylib                       0x000000012403749a base::mac::CallWithEHFrame(void () block_pointer) + 10
36  libchrome_dll.dylib                 0x000000010f3eb538 -[BrowserCrApplication nextEventMatchingMask:untilDate:inMode:dequeue:] + 248
37  AppKit                              0x00007fff9a377d80 -[NSApplication run] + 682
38  libbase.dylib                       0x000000012409c268 base::MessagePumpNSApplication::DoRun(base::MessagePump::Delegate*) + 312
39  libbase.dylib                       0x000000012409b24a base::MessagePumpCFRunLoopBase::Run(base::MessagePump::Delegate*) + 122
40  libbase.dylib                       0x0000000124086d5a base::MessageLoop::RunHandler() + 618
41  libbase.dylib                       0x0000000124171e8b base::RunLoop::Run() + 267
42  libchrome_dll.dylib                 0x000000010f3f873f ChromeBrowserMainParts::MainMessageLoopRun(int*) + 367
43  libcontent.dylib                    0x000000012b2964f7 content::BrowserMainLoop::RunMainMessageLoopParts() + 455
44  libcontent.dylib                    0x000000012b2a1b5c content::BrowserMainRunnerImpl::Run() + 396
45  libcontent.dylib                    0x000000012b289ced content::BrowserMain(content::MainFunctionParams const&) + 397
46  libcontent.dylib                    0x000000012d5e3365 content::RunNamedProcessTypeMain(std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> > const&, content::MainFunctionParams const&, content::ContentMainDelegate*) + 581
47  libcontent.dylib                    0x000000012d5e4e32 content::ContentMainRunnerImpl::Run() + 1938
48  libcontent.dylib                    0x000000012d5e19ed content::ContentServiceManagerMainDelegate::RunEmbedderProcess() + 61
49  libembedder.dylib                   0x0000000123999644 service_manager::Main(service_manager::MainParams const&) + 1892
50  libcontent.dylib                    0x000000012d5e30d9 content::ContentMain(content::ContentMainParams const&) + 89
51  libchrome_dll.dylib                 0x000000010d904b20 ChromeMain + 208
52  Chromium                            0x000000010d698dba main + 778
53  libdyld.dylib                       0x00007fff981565ad start + 1

I'm going to revert this DCHECK.

(Repurposing this bug. Originally it was about a DCHECK in dialogs, but it's fundamentally an issue with navigation, and I'm removing the DCHECK.)

When a document uses `document.write` on an about:blank page, it's supposed to alter the URL of the page written to. This correctly happens on the renderer side, but the browser side is never updated to match. It should be.

Comment 1 by creis@chromium.org, May 4 2017

Cc: creis@chromium.org
Components: UI>Browser>Navigation

Thanks for finding this!  Let's understand why the DCHECK is failing before removing it.  It's potentially security relevant.

(Discussion on https://codereview.chromium.org/2862093002/)

Comment 2 by a...@chromium.org, May 5 2017

There are two URLs in the DCHECK.

One is RenderFrameHostImpl's last_committed_url_, the other is passed in from the render side, the blink::WebLocalFrame's Document's URL.

RenderFrameHostImpl's last_committed_url_ is about:blank because the FrameTreeNode's current_url() is about:blank, because Navigator::DidNavigate was called with about:blank, because RenderFrameHostImpl::OnDidCommitProvisionalLoad was called with the url parameter about:blank.

Nothing changed the URL of that frame on the browser side after that initial commit.

I'm working on seeing how the blink::WebLocalFrame's Document's URL ended up being something that wasn't about:blank.

Comment 3 by creis@chromium.org, May 5 2017

Cc: alex...@chromium.org dcheng@chromium.org

Cool.  I'm guessing this is the second of the two subframes on the page?  DevTools says its location.href is "https://www.w3schools.com/jsref/tryit.asp?filename=tryjsref_onbeforeunload".

Looks like document.write is to blame.  :(  That appears to change the location.href for the document in the renderer process, without generating a commit message to the browser.  That's probably how the two URLs diverge.

I wonder if this is going to cause us other pain with last_committed_url_...  I know Nasko and I have hit problems there before.

Comment 4 by a...@chromium.org, May 5 2017

That sounds like it's it. You know about this one?

Comment 5 by a...@chromium.org, May 5 2017

Do we have tests covering the failure of document.write to update the url on the browser side?

Comment 6 by a...@chromium.org, May 5 2017

BTW, confirmed. The code that sets up the frame on the right of the page is submitTryIt, which is...

function submitTryit(n) {
// ...
    var ifrw = (ifr.contentWindow) ? ifr.contentWindow : (ifr.contentDocument.document) ? ifr.contentDocument.document : ifr.contentDocument;
    ifrw.document.open();
    ifrw.document.write(text);  
    ifrw.document.close();
    // ...
  }
}

Comment 7 by dcheng@chromium.org, May 5 2017

Cc: japhet@chromium.org

Comment 8 by nasko@chromium.org, May 8 2017

Cc: nasko@chromium.org
Owner: ----
Status: Avaiable (was: Assigned)

Unassigning this from myself, as I will not be able to look at it in the next 2-3 days.

Comment 9 by a...@chromium.org, May 25 2017

Status: Available (was: Avaiable)

Comment 10 by alex...@chromium.org, May 25 2017

BTW, we've indirectly hit the problem of document.write altering the renderer-side URL in  https://crbug.com/527367#c11  and verified that this is spec-compliant.  There's a test that davidsac@ added which exercises it, though it doesn't cover the lack of update to the browser side.

Comment 11 by nick@chromium.org, Jun 21 2017

Cc: nick@chromium.org

One hint: in recent debugging sessions, I've noticed that OnRunBeforeUnloadConfirm always seems to arrive twice for each navigation.

Comment 12 by nasko@chromium.org, Jun 21 2017

Cc: clamy@chromium.org

nick@ is the double messaging happening with/without PlzNavigate, or both?

Comment 13 by nick@chromium.org, Jun 21 2017

Seems to be both with and without based on local testing. It's probably a separate bug from this one, which seems to be well-understood. I'll file another issue.

For this bug, is the preferred approach here to update the URL in the browser process FrameTreeNode, when the document.write operation occurs? If so, could someone sketch out what that would look like?

Comment 14 by nasko@chromium.org, Jun 21 2017

I was just chatting with some of the networking folks about the document.write case when it comes to navigations. Some ideas came up and I'm planning to write it up in a doc for people to comment on. It might touch on this area as well, so I think it makes sense to discuss it all in the same doc. I will post a link once I have the basics written up.

Comment 15 by dcheng@chromium.org, Aug 27 2017

Blockedon: 759356

Comment 16 by a...@chromium.org, Mar 8 2018

FYI, I added a similar check to the JS dialog handler, and it's DCHECKing in a similar manner.

Comment 17 by huayinz@chromium.org, Mar 8 2018

This is also happening on Android.

Also noticed that since it uses last_committed_url_ which is different from frame_url in this case, the title of the dialog is not correct.

Some logs that might be helpful:

03-08 02:21:13.627 13534-13534/org.chromium.chrome E/chromium: [ERROR:render_frame_host_impl.cc(1433)] 0xd0e6c600, SetLastCommittedUrl: https://www.w3schools.com/js/tryit.asp?filename=tryjs_confirm
03-08 02:21:13.903 13534-13534/org.chromium.chrome E/chromium: [ERROR:render_frame_host_impl.cc(1433)] 0xd1228a00, SetLastCommittedUrl: about:blank
03-08 02:21:14.585 13534-13534/org.chromium.chrome E/chromium: [ERROR:render_frame_host_impl.cc(1433)] 0xd122ad00, SetLastCommittedUrl: about:srcdoc
03-08 02:21:14.724 13534-13534/org.chromium.chrome E/chromium: [ERROR:render_frame_host_impl.cc(1433)] 0xd1264200, SetLastCommittedUrl: about:blank
03-08 02:21:15.002 13534-13534/org.chromium.chrome E/chromium: [ERROR:render_frame_host_impl.cc(2073)] 0xd1228a00, OnRunJavaScriptDialog
03-08 02:21:15.040 13534-13534/org.chromium.chrome A/chromium: [FATAL:render_frame_host_impl.cc(2074)] Check failed: frame_url == last_committed_url_ (https://www.w3schools.com/js/tryit.asp?filename=tryjs_confirm vs. about:blank)
                                                               #00 0xd4646785 /data/data/org.chromium.chrome/incremental-install-files/lib/libbase.cr.so+0x000cd785
                                                               #01 0xcb780aa5 /data/data/org.chromium.chrome/incremental-install-files/lib/libcontent.cr.so+0x00be8aa5
                                                               #02 0xcb78b48b /data/data/org.chromium.chrome/incremental-install-files/lib/libcontent.cr.so+0x00bf348b
                                                               #03 0xcb78089b /data/data/org.chromium.chrome/incremental-install-files/lib/libcontent.cr.so+0x00be889b
                                                               #04 0xcb77f18b /data/data/org.chromium.chrome/incremental-install-files/lib/libcontent.cr.so+0x00be718b
                                                               #05 0xd292dd29 /data/data/org.chromium.chrome/incremental-install-files/lib/libipc.cr.so+0x00016d29
                                                               #06 0xd462d735 /data/data/org.chromium.chrome/incremental-install-files/lib/libbase.cr.so+0x000b4735
                                                               #07 0xd4635f4b /data/data/org.chromium.chrome/incremental-install-files/lib/libbase.cr.so+0x000bcf4b
                                                               #08 0xd464a377 /data/data/org.chromium.chrome/incremental-install-files/lib/libbase.cr.so+0x000d1377
                                                               #09 0xd464bec1 /data/data/org.chromium.chrome/incremental-install-files/lib/libbase.cr.so+0x000d2ec1
                                                               #10 0xd464c0cf /data/data/org.chromium.chrome/incremental-install-files/lib/libbase.cr.so+0x000d30cf
                                                               #11 0xd464c19d /data/data/org.chromium.chrome/incremental-install-files/lib/libbase.cr.so+0x000d319d
                                                               #12 0xd464c94f /data/data/org.chromium.chrome/incremental-install-files/lib/libbase.cr.so+0x000d394f
                                                               #13 0xd464c923 /data/data/org.chromium.chrome/incremental-install-files/lib/libbase.cr.so+0x000d3923
03-08 02:21:15.041 13534-13534/org.chromium.chrome A/libc: Fatal signal 6 (SIGABRT), code -6 in tid 13534 (chromium.chrome)
                                                           
                                                           [ 03-08 02:21:15.041   166:  166 W/         ]
                                                           debuggerd: handling request: pid=13534 uid=10053 gid=10053 tid=13534

	alert_wrong_title.png 116 KB View Download

Comment 18 by a...@chromium.org, Mar 8 2018

Description: Show this description

Comment 19 by a...@chromium.org, Mar 8 2018

Summary: document.write to an about:blank page doesn't update the URL/location on the browser side (was: beforeunload dialogs crash with DCHECK)

Comment 20 by a...@chromium.org, Mar 8 2018

Mergedinto: 759356
Status: Duplicate (was: Available)

Comment 21 by a...@chromium.org, Mar 8 2018

Status: Started (was: Duplicate)
Summary: We pass URLs from the renderer to the browser even though the browser already knows them (was: document.write to an about:blank page doesn't update the URL/location on the browser side)

Actually, since there already is a bug for this, bug 759356, let's use that, and reuse this one for pulling out the plumbing we don't need.

Project Member

Comment 22 by bugdroid1@chromium.org, Mar 9 2018

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/2060a042c8e7746fea6ec0ae19ffe736e258c208

commit 2060a042c8e7746fea6ec0ae19ffe736e258c208
Author: Avi Drissman <avi@chromium.org>
Date: Fri Mar 09 02:02:47 2018

Drop alert DCHECKs.

These DCHECKs don’t tell us anything other than that we fail to update
the browser-side notion of location when a document writes into an
about:blank document, but we know that.

BUG= 820063 , 718570 

Change-Id: I469d75afaafcd87c98529037a1fbbca155ce806c
Reviewed-on: https://chromium-review.googlesource.com/956282
Reviewed-by: Nasko Oskov <nasko@chromium.org>
Commit-Queue: Avi Drissman <avi@chromium.org>
Cr-Commit-Position: refs/heads/master@{#541989}
[modify] https://crrev.com/2060a042c8e7746fea6ec0ae19ffe736e258c208/content/browser/frame_host/render_frame_host_impl.cc

Project Member

Comment 23 by bugdroid1@chromium.org, Mar 9 2018

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/21c0090691e9a7e92ab6f513f4ea312785ab643d

commit 21c0090691e9a7e92ab6f513f4ea312785ab643d
Author: Avi Drissman <avi@chromium.org>
Date: Fri Mar 09 18:28:31 2018

Stop sending frame URLs to the browser process.

It knows them already, and the case where it doesn’t doesn’t matter
for this and we already plan on fixing it.

BUG= 718570 

Change-Id: Ic9cc32a265cff867459ce031699c453fcbe7baf0
Reviewed-on: https://chromium-review.googlesource.com/956283
Reviewed-by: Ken Buchanan <kenrb@chromium.org>
Commit-Queue: Avi Drissman <avi@chromium.org>
Cr-Commit-Position: refs/heads/master@{#542167}
[modify] https://crrev.com/21c0090691e9a7e92ab6f513f4ea312785ab643d/content/browser/frame_host/render_frame_host_impl.cc
[modify] https://crrev.com/21c0090691e9a7e92ab6f513f4ea312785ab643d/content/browser/frame_host/render_frame_host_impl.h
[modify] https://crrev.com/21c0090691e9a7e92ab6f513f4ea312785ab643d/content/common/frame_messages.h
[modify] https://crrev.com/21c0090691e9a7e92ab6f513f4ea312785ab643d/content/renderer/render_frame_impl.cc
[modify] https://crrev.com/21c0090691e9a7e92ab6f513f4ea312785ab643d/content/renderer/render_frame_impl.h

Comment 24 by a...@chromium.org, Mar 9 2018

Status: Fixed (was: Started)

►

Issue 718570 link

Issue metadata

We pass URLs from the renderer to the browser even though the browser already knows them

Issue description

Comment 1 by creis@chromium.org, May 4 2017

Comment 1 Deleted

Comment 2 by a...@chromium.org, May 5 2017

Comment 2 Deleted

Comment 3 by creis@chromium.org, May 5 2017

Comment 3 Deleted

Comment 4 by a...@chromium.org, May 5 2017

Comment 4 Deleted

Comment 5 by a...@chromium.org, May 5 2017

Comment 5 Deleted

Comment 6 by a...@chromium.org, May 5 2017

Comment 6 Deleted

Comment 7 by dcheng@chromium.org, May 5 2017

Comment 7 Deleted

Comment 8 by nasko@chromium.org, May 8 2017

Comment 8 Deleted

Comment 9 by a...@chromium.org, May 25 2017

Comment 9 Deleted

Comment 10 by alex...@chromium.org, May 25 2017

Comment 10 Deleted

Comment 11 by nick@chromium.org, Jun 21 2017

Comment 11 Deleted

Comment 12 by nasko@chromium.org, Jun 21 2017

Comment 12 Deleted

Comment 13 by nick@chromium.org, Jun 21 2017

Comment 13 Deleted

Comment 14 by nasko@chromium.org, Jun 21 2017

Comment 14 Deleted

Comment 15 by dcheng@chromium.org, Aug 27 2017

Comment 15 Deleted

Comment 16 by a...@chromium.org, Mar 8 2018

Comment 16 Deleted

Comment 17 by huayinz@chromium.org, Mar 8 2018

Comment 17 Deleted

Comment 18 by a...@chromium.org, Mar 8 2018

Comment 18 Deleted

Comment 19 by a...@chromium.org, Mar 8 2018

Comment 19 Deleted

Comment 20 by a...@chromium.org, Mar 8 2018

Comment 20 Deleted

Comment 21 by a...@chromium.org, Mar 8 2018

Comment 21 Deleted

Comment 22 by bugdroid1@chromium.org, Mar 9 2018

Comment 22 Deleted

Comment 23 by bugdroid1@chromium.org, Mar 9 2018

Comment 23 Deleted

Comment 24 by a...@chromium.org, Mar 9 2018

Comment 24 Deleted

Sign in to add a comment