diff options
| author | japhet@chromium.org <japhet@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98> | 2014-06-03 20:44:42 +0000 |
|---|---|---|
| committer | japhet@chromium.org <japhet@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98> | 2014-06-03 20:44:42 +0000 |
| commit | 1084f4d4971a2a620aac25d193b6942ca1faa69a (patch) | |
| tree | 2ec631f0c12bb96a81d41336b5bc1de3a2709703 /content | |
| parent | c360ba00a174539fc8bc297feb2611b2a17b8701 (diff) | |
| download | chromium_src-1084f4d4971a2a620aac25d193b6942ca1faa69a.zip chromium_src-1084f4d4971a2a620aac25d193b6942ca1faa69a.tar.gz chromium_src-1084f4d4971a2a620aac25d193b6942ca1faa69a.tar.bz2 | |
Fix crash in NavigationControllerImpl::RendererDidNavigateToNewPage
It's possible that the renderer does a same-document navigation before
NavigationController has committed an entry, so null-check GetLastCommittedEntry
before using it.
BUG=380127
TEST=NavigationControllerTest.PushStateWithoutPreviousEntry
Review URL: https://codereview.chromium.org/311783005
git-svn-id: svn://svn.chromium.org/chrome/trunk/src@274612 0039d316-1c4b-4281-b951-d872f2087c98
Diffstat (limited to 'content')
| -rw-r--r-- | content/browser/frame_host/navigation_controller_impl.cc | 2 | ||||
| -rw-r--r-- | content/browser/frame_host/navigation_controller_impl_unittest.cc | 13 |
2 files changed, 14 insertions, 1 deletions
diff --git a/content/browser/frame_host/navigation_controller_impl.cc b/content/browser/frame_host/navigation_controller_impl.cc index bc83135..bcb3702 100644 --- a/content/browser/frame_host/navigation_controller_impl.cc +++ b/content/browser/frame_host/navigation_controller_impl.cc @@ -1060,7 +1060,7 @@ void NavigationControllerImpl::RendererDidNavigateToNewPage( // history.pushState() is classified as a navigation to a new page, but // sets was_within_same_page to true. In this case, we already have the // title available, so set it immediately. - if (params.was_within_same_page) + if (params.was_within_same_page && GetLastCommittedEntry()) new_entry->SetTitle(GetLastCommittedEntry()->GetTitle()); DCHECK(!params.history_list_was_cleared || !replace_entry); diff --git a/content/browser/frame_host/navigation_controller_impl_unittest.cc b/content/browser/frame_host/navigation_controller_impl_unittest.cc index 603fac5..9bde501 100644 --- a/content/browser/frame_host/navigation_controller_impl_unittest.cc +++ b/content/browser/frame_host/navigation_controller_impl_unittest.cc @@ -2261,6 +2261,19 @@ TEST_F(NavigationControllerTest, ClientRedirectAfterInPageNavigation) { } } +TEST_F(NavigationControllerTest, PushStateWithoutPreviousEntry) +{ + ASSERT_FALSE(controller_impl().GetLastCommittedEntry()); + FrameHostMsg_DidCommitProvisionalLoad_Params params; + GURL url("http://foo"); + params.page_id = 1; + params.url = url; + params.page_state = PageState::CreateFromURL(url); + params.was_within_same_page = true; + test_rvh()->SendNavigateWithParams(¶ms); + // We pass if we don't crash. +} + // NotificationObserver implementation used in verifying we've received the // NOTIFICATION_NAV_LIST_PRUNED method. class PrunedListener : public NotificationObserver { |