
Issue 727790 link

Starred by 2 users

Issue metadata

Status: Fixed
Owner:
please use my google.com address
Closed: Jun 2017
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Windows
Pri: 1
Type: Bug

Blocking:
issue 725776




WebContentsFrameBindingSet may dispatch messages for a deleted RenderFrameHost

Reported by l...@chromium.org, May 30 2017

Issue description

Recently we tried to do a Finch Trial for Page Load Metrics mojofication; however, users on Windows were experiencing a crash at https://cs.chromium.org/chromium/src/chrome/browser/page_load_metrics/metrics_web_contents_observer.cc?l=605, and we suspected that the RenderFrameHost might be deleted after UpdateTiming was dispatched to MetricsWebContentsObserver.

Please see https://bugs.chromium.org/p/chromium/issues/detail?id=725776 for more details about the crash.

According to Ken, it's probably a UAF of an RFH; the fix is that WebContentsBindingSet should be a WebContentsObserver and should maintain a reverse mapping from RFH to individual binding IDs, proactively wiping out bindings when an RFH gets deleted.
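As an added illustration of the fix described in this report (a simplified stand-alone model, not Chromium's own WebContentsFrameBindingSet code; FrameHost, FrameBindingSet and RunScenario are hypothetical names): the binding set keeps a reverse map from frame host to binding IDs and clears those bindings when the frame is deleted, so a dispatch that arrives for the dead frame becomes a no-op instead of a use-after-free.

```cpp
// Stand-alone model of the fix: a reverse map from frame host to binding IDs
// lets the set drop every binding for a frame the moment that frame is
// deleted, so a later dispatch for that binding cannot touch the dead frame.
#include <cstdint>
#include <functional>
#include <map>
#include <vector>
struct FrameHost { int routing_id; };  // stands in for RenderFrameHost
using BindingId = std::uint32_t;
class FrameBindingSet {
 public:
  using Handler = std::function<void(FrameHost*)>;
  BindingId Add(FrameHost* frame, Handler handler) {
    BindingId id = next_id_++;
    bindings_[id] = Binding{frame, handler};
    frame_to_bindings_[frame].push_back(id);  // reverse mapping RFH -> IDs
    return id;
  }
  // Observer hook (cf. WebContentsObserver::RenderFrameDeleted): drop all bindings of the frame.
  void FrameDeleted(FrameHost* frame) {
    auto it = frame_to_bindings_.find(frame);
    if (it == frame_to_bindings_.end()) return;
    for (BindingId id : it->second) bindings_.erase(id);
    frame_to_bindings_.erase(it);
  }
  // Returns false, touching no frame pointer, if the binding is gone.
  bool Dispatch(BindingId id) {
    auto it = bindings_.find(id);
    if (it == bindings_.end()) return false;
    it->second.handler(it->second.frame);
    return true;
  }
 private:
  struct Binding { FrameHost* frame; Handler handler; };
  BindingId next_id_ = 1;
  std::map<BindingId, Binding> bindings_;
  std::map<FrameHost*, std::vector<BindingId>> frame_to_bindings_;
};
// The bug's scenario: a frame dies after its message was queued but before dispatch. Returns how many handlers ran (expected: 1).
int RunScenario() {
  FrameBindingSet set;
  int delivered = 0;
  FrameHost main_frame{1}, sub_frame{2};
  BindingId a = set.Add(&main_frame, [&](FrameHost*) { ++delivered; });
  BindingId b = set.Add(&sub_frame, [&](FrameHost*) { ++delivered; });
  set.FrameDeleted(&sub_frame);  // sub frame torn down before dispatch
  set.Dispatch(b);               // no-op: binding already removed
  set.Dispatch(a);               // still delivered to the live frame
  return delivered;
}
```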
 

Comment 1 by roc...@chromium.org, May 31 2017

Summary: WebContentsFrameBindingSet may dispatch messages for a deleted RenderFrameHost (was: RenderFrameHost of WebContentsFrameBindingSet might be deleted after dispatch a message)
Issue 726010 has been merged into this issue.

Comment 3 by bugdroid1@chromium.org, Jun 1 2017

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/59f7dd73152443a49cc70c90266aab5521932468

commit 59f7dd73152443a49cc70c90266aab5521932468
Author: Ken Rockot <rockot@chromium.org>
Date: Thu Jun 01 00:41:28 2017

Update WebContentsFrameBindingSet on frame deletion

Ensures that when a RFH is deleted, any relevant bindings registered in
a WebContentsFrameBindingSet are also deleted. This allows users to
assume that no mojom messages will be dispatched to a binding
corresponding to a dead RFH.

BUG=727790
R=jam@chromium.org

Change-Id: I47d2f122f4518258ca07c1acb925e7b56781cbe8
Reviewed-on: https://chromium-review.googlesource.com/519524
Reviewed-by: John Abd-El-Malek <jam@chromium.org>
Commit-Queue: Ken Rockot <rockot@chromium.org>
Cr-Commit-Position: refs/heads/master@{#476114}
[modify] https://crrev.com/59f7dd73152443a49cc70c90266aab5521932468/content/browser/web_contents_binding_set_browsertest.cc
[modify] https://crrev.com/59f7dd73152443a49cc70c90266aab5521932468/content/public/browser/web_contents_binding_set.h
[modify] https://crrev.com/59f7dd73152443a49cc70c90266aab5521932468/content/test/test_browser_associated_interfaces.mojom

Status: Fixed (was: Assigned)
Should be good to go with this now.
