fix: avoid contextBridge crash when RenderFrame address is reused #21501
Conversation
Co-Authored-By: Jeremy Apthorp <nornagon@nornagon.net>
context_bridge::RenderFramePersistenceStore* GetOrCreateStore( | ||
content::RenderFrame* render_frame) { | ||
auto it = GetStoreMap().find(render_frame); | ||
if (it == GetStoreMap().end()) { | ||
auto it = context_bridge::GetStoreMap().find(render_frame->GetRoutingID()); |
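Review bot: switching the key from the `render_frame` pointer to `render_frame->GetRoutingID()` fixes the address-reuse case, but a routing ID is only unique within one renderer process; since `GetStoreMap()` is process-local and, per the thread below, the bridge never crosses processes, that holds, though a one-line comment on the map declaration saying the key is a per-process routing ID would stop a future caller from assuming it is globally unique. The second half of the fix, the store erasing its own entry when it is released (item b in the description), is not visible in this hunk; confirm the destruct path removes `routing_id_` from `GetStoreMap()`, otherwise a later frame that reuses a routing ID would still find a stale entry.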
Will there be a possibility of cross-process access to this function? GetRoutingID is not unique across processes.
@deepak1556 No, the bridge operates across two contexts in the same process
Thanks for confirming.
@@ -58,11 +58,15 @@ class RenderFramePersistenceStore final : public content::RenderFrameObserver { | |||
// proxy maps are weak globals, i.e. these are not retained beyond | |||
// there normal JS lifetime. You must check IsEmpty() | |||
|
|||
int32_t routing_id_; |
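Review bot: `routing_id_` is assigned once in the constructor and never changes, so declaring it `const int32_t routing_id_;` makes that intent explicit (the nit below). While this block is being touched, the comment reads "there normal JS lifetime"; it should be "their normal JS lifetime".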
(nit) This is set in the constructor and never changes, so might as well be const
Release Notes Persisted
I have automatically backported this PR to "8-x-y", please check out #21513
I have automatically backported this PR to "7-1-x", please check out #21514
Description of Change
Fix a crash that was happening because
a) the RenderFramePersistenceStore map was keyed on a pointer, which is not guaranteed to be unique in the process, and
b) the RenderFramePersistenceStore was not removing itself from the map when it was released, causing a bad access exception.
h/t @nornagon for help debugging.
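The two defects the description names, a lookup table keyed on an object address and an entry that outlives the object, combine into a stale-pointer read as soon as the allocator hands the same address to a new frame. The block below is an added example written for this page, not Electron's code: `Frame`, `PointerKeyedStore`, `IdKeyedStore` and `FrameSlot` are constructed stand-ins for `content::RenderFrame` and `RenderFramePersistenceStore`, and `FrameSlot` forces the address reuse that a real allocator only sometimes produces, which is why the original crash was intermittent.

```cpp
#include <cstddef>
#include <cstdint>
#include <map>
#include <new>

// Stand-in for content::RenderFrame (constructed for this example).
struct Frame {
  int32_t routing_id;
  int32_t GetRoutingID() const { return routing_id; }
};

// Defective pattern from the PR description: keyed on the frame pointer, and
// a released store never erases its entry.
struct PointerKeyedStore {
  int32_t created_for;    // routing id of the frame this store was built for
  bool released = false;  // stands in for "freed"; kept allocated so the stale
                          // entry can be inspected without reading freed memory
  static std::map<const Frame*, PointerKeyedStore*>& Map() {
    static std::map<const Frame*, PointerKeyedStore*> instance;
    return instance;
  }
  static PointerKeyedStore* GetOrCreate(const Frame* frame) {
    auto it = Map().find(frame);
    if (it == Map().end()) {
      auto* store = new PointerKeyedStore{frame->GetRoutingID()};
      Map()[frame] = store;
      return store;
    }
    return it->second;
  }
  void Release() { released = true; }  // defect (b): entry is left behind
};

// Fixed pattern: keyed on the routing id, and the store removes itself on destruction.
class IdKeyedStore {
 public:
  explicit IdKeyedStore(const Frame* frame) : routing_id_(frame->GetRoutingID()) {
    Map()[routing_id_] = this;
  }
  ~IdKeyedStore() { Map().erase(routing_id_); }  // fix for (b)
  int32_t routing_id() const { return routing_id_; }
  static std::map<int32_t, IdKeyedStore*>& Map() {
    static std::map<int32_t, IdKeyedStore*> instance;
    return instance;
  }
  static IdKeyedStore* GetOrCreate(const Frame* frame) {
    auto it = Map().find(frame->GetRoutingID());  // fix for (a)
    return it == Map().end() ? new IdKeyedStore(frame) : it->second;
  }
 private:
  const int32_t routing_id_;  // set once in the constructor, never changes
};

// One fixed storage slot so two consecutive frames provably share an address.
struct FrameSlot {
  alignas(Frame) unsigned char bytes[sizeof(Frame)];
  Frame* Construct(int32_t id) { return new (bytes) Frame{id}; }
  void Destroy(Frame* frame) { frame->~Frame(); }
};

// Routing id of the store the pointer-keyed map returns for the second frame.
// With address reuse it is the first frame's id (1): the already released
// store comes back, which in the real code was freed memory.
int32_t PointerKeyedLookupAfterReuse() {
  FrameSlot slot;
  Frame* first = slot.Construct(1);
  PointerKeyedStore::GetOrCreate(first)->Release();
  slot.Destroy(first);
  Frame* second = slot.Construct(2);  // same address as `first`
  PointerKeyedStore* found = PointerKeyedStore::GetOrCreate(second);
  int32_t result = found->released ? found->created_for : 0;
  slot.Destroy(second);
  for (auto& entry : PointerKeyedStore::Map()) delete entry.second;
  PointerKeyedStore::Map().clear();
  return result;
}

// Same sequence against the fixed store: the second frame gets its own store (2)
// and the map holds exactly one live entry at that point.
int32_t IdKeyedLookupAfterReuse() {
  FrameSlot slot;
  Frame* first = slot.Construct(1);
  delete IdKeyedStore::GetOrCreate(first);  // destructor erases key 1
  slot.Destroy(first);
  Frame* second = slot.Construct(2);
  IdKeyedStore* found = IdKeyedStore::GetOrCreate(second);
  int32_t result = IdKeyedStore::Map().size() == 1 ? found->routing_id() : 0;
  delete found;
  slot.Destroy(second);
  return result;
}

// Once every store is released the fixed map is empty, so a later frame that
// happens to reuse a routing id cannot hit a stale entry.
std::size_t IdKeyedEntriesAfterRelease() {
  Frame frame{7};
  delete IdKeyedStore::GetOrCreate(&frame);
  return IdKeyedStore::Map().size();
}
```

The fixed store keys on a value that identifies the frame rather than on where the frame happens to live, and ties the map entry's lifetime to the store's own destructor so the two cannot drift apart; the `FrameSlot` helper exists only to make the address reuse deterministic for the demonstration.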
Checklist
npm test passes
Release Notes
Notes: Fixed contextBridge crash when opening and closing many windows.