diff options
| author | ananta@chromium.org <ananta@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98> | 2009-02-18 20:34:46 +0000 |
|---|---|---|
| committer | ananta@chromium.org <ananta@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98> | 2009-02-18 20:34:46 +0000 |
| commit | 2072f00ba9832d7a3185917a70153415e0866dc1 (patch) | |
| tree | f9ccffa85b26884747cc1b6e0c66e448650d3f03 /chrome/test/automation | |
| parent | f7433d3d9d9d7043d92300364a3789beb6fcc59c (diff) | |
| download | chromium_src-2072f00ba9832d7a3185917a70153415e0866dc1.zip chromium_src-2072f00ba9832d7a3185917a70153415e0866dc1.tar.gz chromium_src-2072f00ba9832d7a3185917a70153415e0866dc1.tar.bz2 | |
The DOM Automation controller object uses the RenderView instance as the message sender, i.e. to send replies to javascript requests issued by the browser.
The DOM automation controller object is bound to the frame in the WindowObjectcleared code path.The current implementation maintains the message sender object as a static pointer, which causes a crash if the RenderView instance goes out of scope.
This can be reproduced with a page which causes a popup window to show up and close. If we attempt to use the Dom Automation controller instance bound to the original Renderview, which is still valid, we crash.
The fix is to maintain the message sender as a member variable. The lifetime of the Dom Automation controller instance depends on the RenderView lifetime anyway as it is a member variable. This mimics the other CppBindings like the external host bindings, etc.
Added an automation test to test this case. I verified that the test crashes without this fix.
This fixes bug http://code.google.com/p/chromium/issues/detail?id=3941
Bug=3941
Review URL: http://codereview.chromium.org/21441
git-svn-id: svn://svn.chromium.org/chrome/trunk/src@9963 0039d316-1c4b-4281-b951-d872f2087c98
Diffstat (limited to 'chrome/test/automation')
| -rw-r--r-- | chrome/test/automation/automation_proxy_uitest.cc | 36 |
1 files changed, 35 insertions, 1 deletions
diff --git a/chrome/test/automation/automation_proxy_uitest.cc b/chrome/test/automation/automation_proxy_uitest.cc index acdf819..ee1d4db 100644 --- a/chrome/test/automation/automation_proxy_uitest.cc +++ b/chrome/test/automation/automation_proxy_uitest.cc @@ -907,4 +907,38 @@ TEST_F(AutomationProxyTest, DISABLED_AppModalDialogTest) { EXPECT_TRUE(tab->ExecuteAndExtractInt( L"", L"window.domAutomationController.send(result);", &result)); EXPECT_EQ(1, result); -}
\ No newline at end of file +} + +class AutomationProxyTest5 : public UITest { + protected: + AutomationProxyTest5() { + show_window_ = true; + dom_automation_enabled_ = true; + // We need to disable popup blocking to ensure that the RenderView + // instance for the popup actually closes. + launch_arguments_.AppendSwitch(switches::kDisablePopupBlocking); + } +}; + +TEST_F(AutomationProxyTest5, TestLifetimeOfDomAutomationController) { + scoped_ptr<BrowserProxy> window(automation()->GetBrowserWindow(0)); + ASSERT_TRUE(window.get()); + + scoped_ptr<TabProxy> tab(window->GetTab(0)); + ASSERT_TRUE(tab.get()); + + std::wstring filename(test_data_directory_); + file_util::AppendToPath(&filename, L"dom_automation_test_with_popup.html"); + + tab->NavigateToURL(net::FilePathToFileURL(filename)); + + // Allow some time for the popup to show up and close. + Sleep(2000); + + std::wstring expected(L"string"); + std::wstring jscript = CreateJSString(L"\"" + expected + L"\""); + std::wstring actual; + ASSERT_TRUE(tab->ExecuteAndExtractString(L"", jscript, &actual)); + ASSERT_STREQ(expected.c_str(), actual.c_str()); +} + |