Prevent the browser process from creating duplicate RenderWidgetHosts

This is a follow up CL for crrev.com/238575. The same problem exists when creating RenderWidgetHosts and this CL address this.

BUG=312016

Review URL: https://codereview.chromium.org/105033002

git-svn-id: svn://svn.chromium.org/chrome/trunk/src@238750 0039d316-1c4b-4281-b951-d872f2087c98

1 files changed, 19 insertions, 0 deletions

diff --git a/content/browser/security_exploit_browsertest.cc b/content/browser/security_exploit_browsertest.cc
index 4bb84b1..dacc1e6 100644
--- a/content/browser/security_exploit_browsertest.cc
+++ b/content/browser/security_exploit_browsertest.cc
@@ -146,4 +146,23 @@ IN_PROC_BROWSER_TEST_F(SecurityExploitBrowserTest,
   // If the above operation doesn't cause a crash, the test has succeeded!
 }
 
+// This is a test for crbug.com/312016. It tries to create two RenderWidgetHosts
+// with the same process and routing ids, which causes a collision. It is almost
+// identical to the AttemptDuplicateRenderViewHost test case.
+IN_PROC_BROWSER_TEST_F(SecurityExploitBrowserTest,
+                       AttemptDuplicateRenderWidgetHost) {
+  int duplicate_routing_id = MSG_ROUTING_NONE;
+  RenderViewHostImpl* pending_rvh =
+      PrepareToDuplicateHosts(shell(), &duplicate_routing_id);
+  EXPECT_NE(MSG_ROUTING_NONE, duplicate_routing_id);
+
+  // Since this test executes on the UI thread and hopping threads might cause
+  // different timing in the test, let's simulate a CreateNewWidget call coming
+  // from the IO thread.  Use the existing window routing id to cause a
+  // deliberate collision.
+  pending_rvh->CreateNewWidget(duplicate_routing_id, blink::WebPopupTypeSelect);
+
+  // If the above operation doesn't crash, the test has succeeded!
+}
+
 }  // namespace content