From a8504028cffb0c2a2c4221580ddf51c4e6eb6e3d Mon Sep 17 00:00:00 2001
From: "nasko@chromium.org"
Date: Wed, 4 Dec 2013 20:23:51 +0000
Subject: Prevent the browser process from creating duplicate RenderWidgetHosts

This is a follow up CL for crrev.com/238575. The same problem exists when creating RenderWidgetHosts and this CL address this.

BUG=312016
Review URL: https://codereview.chromium.org/105033002

git-svn-id: svn://svn.chromium.org/chrome/trunk/src@238750 0039d316-1c4b-4281-b951-d872f2087c98
---
 content/browser/security_exploit_browsertest.cc | 19 +++++++++++++++++++
 1 file changed, 19 insertions(+)
(limited to 'content/browser/security_exploit_browsertest.cc')
diff --git a/content/browser/security_exploit_browsertest.cc b/content/browser/security_exploit_browsertest.cc
index 4bb84b1..dacc1e6 100644
--- a/content/browser/security_exploit_browsertest.cc
+++ b/content/browser/security_exploit_browsertest.cc
@@ -146,4 +146,23 @@ IN_PROC_BROWSER_TEST_F(SecurityExploitBrowserTest,
 // If the above operation doesn't cause a crash, the test has succeeded!
 }

+// This is a test for crbug.com/312016. It tries to create two RenderWidgetHosts
+// with the same process and routing ids, which causes a collision. It is almost
+// identical to the AttemptDuplicateRenderViewHost test case.
+IN_PROC_BROWSER_TEST_F(SecurityExploitBrowserTest,
+ AttemptDuplicateRenderWidgetHost) {
+ int duplicate_routing_id = MSG_ROUTING_NONE;
+ RenderViewHostImpl* pending_rvh =
+ PrepareToDuplicateHosts(shell(), &duplicate_routing_id);
+ EXPECT_NE(MSG_ROUTING_NONE, duplicate_routing_id);
+
+ // Since this test executes on the UI thread and hopping threads might cause
+ // different timing in the test, let's simulate a CreateNewWidget call coming
+ // from the IO thread. Use the existing window routing id to cause a
+ // deliberate collision.
+ pending_rvh->CreateNewWidget(duplicate_routing_id, blink::WebPopupTypeSelect);
+
+ // If the above operation doesn't crash, the test has succeeded!
+}
+
 } // namespace content
-- cgit v1.1
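Review bot: The `EXPECT_NE` precondition in `AttemptDuplicateRenderWidgetHost` does not stop the test, so if `PrepareToDuplicateHosts` leaves `duplicate_routing_id` at `MSG_ROUTING_NONE`, the `CreateNewWidget` call still runs with no colliding id and the test passes without exercising crbug.com/312016. Using `ASSERT_NE(MSG_ROUTING_NONE, duplicate_routing_id);` would fail fast instead. `pending_rvh` is also dereferenced unchecked; `PrepareToDuplicateHosts` is defined outside this hunk, so whether it can return null is not visible here, and an `ASSERT_TRUE(pending_rvh);` before the call looks worthwhile. The only success criterion is the absence of a crash, which would presumably also hold if the duplicate silently replaced the existing host. Consider asserting after the call that the host originally registered under that process and routing id pair is still the one a lookup returns.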