
Issue 842593

Starred by 2 users

Issue metadata

Status: Fixed
Owner:
Closed: May 2018
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: ----
Pri: 2
Type: Bug




OOR-CORS: Renderer crash due to RDH_INVALID_REQUEST_ID

Project Member Reported by yhirano@chromium.org, May 14 2018

Issue description

network::cors::PreflightLoader destroys its |loader_| when its HandleResponseHeader is called, but net/ or (in network-service disabled circumstances) content/ is not notified of that destruction synchronously because SimpleURLLoader has a mojom::URLLoaderPtr. This destruction delay causes a renderer crash in network-service disabled circumstances because we are using the same request id.

See issue https://crbug.com/614281#c55 .
 
Comment 1 by bugdroid1@chromium.org (Project Member), May 15 2018

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/2d193e588955c85b0326043ca3e0feea8c0c0d10

commit 2d193e588955c85b0326043ca3e0feea8c0c0d10
Author: Yutaka Hirano <yhirano@chromium.org>
Date: Tue May 15 05:11:44 2018

[OOR-CORS] Cancel preflight loader synchronously when needed

When the network service is disabled, we are using the same request ID
for the preflight request and the actual request as we cannot assign
separate IDs. We need to tear down the preflight request first, and
then make the actual request: Otherwise we will see a renderer crash
caused by RDH_INVALID_REQUEST_ID.

Currently we cancel the request by resetting the SimpleURLLoader for
the preflight request: That is not enough because destroying a
SimpleURLLoader asynchronously cancels a request, and we don't know
when it's actually destroyed. This is especially problematic when
a server returns a preflight with a long body.

This CL fixes the problem by adding a function which cancels the
request synchronously. This is a workaround, and we won't need the
logic in the end.


Bug: 838136, 614281, 842593
Cq-Include-Trybots: master.tryserver.chromium.linux:linux_mojo
Change-Id: Ic9d20cfbecc7c5b8749e0dc664d12c6d07e8c673
Reviewed-on: https://chromium-review.googlesource.com/1056941
Commit-Queue: Yutaka Hirano <yhirano@chromium.org>
Reviewed-by: Takashi Toyoshima <toyoshim@chromium.org>
Reviewed-by: Kinuko Yasuda <kinuko@chromium.org>
Cr-Commit-Position: refs/heads/master@{#558617}
[modify] https://crrev.com/2d193e588955c85b0326043ca3e0feea8c0c0d10/content/browser/loader/resource_message_filter.cc
[modify] https://crrev.com/2d193e588955c85b0326043ca3e0feea8c0c0d10/services/network/cors/cors_url_loader.cc
[modify] https://crrev.com/2d193e588955c85b0326043ca3e0feea8c0c0d10/services/network/cors/cors_url_loader.h
[modify] https://crrev.com/2d193e588955c85b0326043ca3e0feea8c0c0d10/services/network/cors/cors_url_loader_factory.cc
[modify] https://crrev.com/2d193e588955c85b0326043ca3e0feea8c0c0d10/services/network/cors/cors_url_loader_factory.h
[modify] https://crrev.com/2d193e588955c85b0326043ca3e0feea8c0c0d10/services/network/cors/preflight_controller.cc
[modify] https://crrev.com/2d193e588955c85b0326043ca3e0feea8c0c0d10/services/network/cors/preflight_controller.h
[modify] https://crrev.com/2d193e588955c85b0326043ca3e0feea8c0c0d10/services/network/cors/preflight_controller_unittest.cc

Status: Fixed (was: Assigned)
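The commit message above describes a lifetime hazard rather than a CORS logic bug: the preflight and the actual request share one request id, the browser side rejects a second registration of an id that is still live (reported as the RDH_INVALID_REQUEST_ID bad message, which kills the renderer), and destroying a SimpleURLLoader only cancels asynchronously. The following model is an added example, not Chromium code and not part of this CL; every class and function name in it (RequestRegistry, TaskQueue, Loader, CancelSync, RunPreflightThenActual) is hypothetical. It shows the collision when teardown is asynchronous and the absence of the collision when the preflight is cancelled synchronously before the actual request starts.

```cpp
// Added example (hypothetical names, not Chromium's): models why an
// asynchronously torn-down preflight loader collides with the actual request
// when both use the same request id.
#include <cstdio>
#include <deque>
#include <functional>
#include <memory>
#include <set>
#include <utility>

// Stand-in for the browser-side table of live requests keyed by request id.
class RequestRegistry {
 public:
  // Returns false when the id is already live (the bad-message case).
  bool Register(int request_id) { return live_.insert(request_id).second; }
  void Unregister(int request_id) { live_.erase(request_id); }
  bool IsLive(int request_id) const { return live_.count(request_id) != 0; }

 private:
  std::set<int> live_;
};

// Stand-in for the message loop / mojo pipe: posted tasks run only when
// RunUntilIdle() is called, i.e. some time after they were posted.
class TaskQueue {
 public:
  void Post(std::function<void()> task) { tasks_.push_back(std::move(task)); }
  void RunUntilIdle() {
    while (!tasks_.empty()) {
      std::function<void()> task = std::move(tasks_.front());
      tasks_.pop_front();
      task();
    }
  }

 private:
  std::deque<std::function<void()>> tasks_;
};

// Hypothetical loader. The destructor only *posts* the cancellation, which is
// the asynchronous behaviour the commit message attributes to SimpleURLLoader.
// CancelSync() unregisters immediately, mirroring the workaround the CL adds.
class Loader {
 public:
  Loader(RequestRegistry* registry, TaskQueue* queue, int request_id)
      : registry_(registry), queue_(queue), request_id_(request_id) {
    registry_->Register(request_id_);
  }
  ~Loader() {
    if (cancelled_) return;
    RequestRegistry* registry = registry_;
    int id = request_id_;
    queue_->Post([registry, id] { registry->Unregister(id); });
  }
  void CancelSync() {
    registry_->Unregister(request_id_);
    cancelled_ = true;
  }

 private:
  RequestRegistry* registry_;
  TaskQueue* queue_;
  int request_id_;
  bool cancelled_ = false;
};

// Runs a preflight, tears it down, then starts the actual request with the
// same id. Returns true if the actual request registered cleanly and false if
// the id was still live (the crash case).
bool RunPreflightThenActual(bool cancel_synchronously) {
  RequestRegistry registry;
  TaskQueue queue;
  const int kSharedRequestId = 7;  // constructed value; both requests share it
  auto preflight =
      std::make_unique<Loader>(&registry, &queue, kSharedRequestId);
  // Preflight response headers arrive: tear the preflight loader down.
  if (cancel_synchronously) preflight->CancelSync();
  preflight.reset();
  // The actual request starts before the queue has been drained.
  bool registered = registry.Register(kSharedRequestId);
  queue.RunUntilIdle();
  return registered;
}

int main() {
  std::printf("async teardown only: actual request registered = %s\n",
              RunPreflightThenActual(false) ? "true" : "false");
  std::printf("synchronous cancel:  actual request registered = %s\n",
              RunPreflightThenActual(true) ? "true" : "false");
  return 0;
}
```

The model deliberately keeps the registry dumb: it has no way to tell a stale preflight entry from a fresh actual request, which is exactly why the CL has to guarantee ordering on the caller's side instead of relying on the loader's destructor.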
