Add instrumentation for bug 1093943

Patch https://chromium-review.googlesource.com/c/chromium/src/+/2186641 switched from RFH::is_active() toward RFH::IsCurrent(). We can have !is_active() && IsCurrent(), it means a different set of IPC will be able to go through the check. In particular, I suspect a RenderFrameHostImpl pending deletion might have some of its proxies not created and/or destroyed. Then it will cause the crash from bug 1093943 R=alexmos@chromium.org, sreejakshetty@chromium.org Bug: 1093943 Change-Id: Ie293dc8ae3e930677f85233044a29d0097af4b39 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2252803 Commit-Queue: Arthur Sonzogni <arthursonzogni@chromium.org> Reviewed-by: Sreeja Kamishetty <sreejakshetty@chromium.org> Cr-Commit-Position: refs/heads/master@{#780274}

Add instrumentation for bug 1093943
Patch https://chromium-review.googlesource.com/c/chromium/src/+/2186641 switched from RFH::is_active() toward RFH::IsCurrent(). We can have !is_active() && IsCurrent(), it means a different set of IPC will be able to go through the check. In particular, I suspect a RenderFrameHostImpl pending deletion might have some of its proxies not created and/or destroyed. Then it will cause the crash from bug 1093943 R=alexmos@chromium.org, sreejakshetty@chromium.org Bug: 1093943 Change-Id: Ie293dc8ae3e930677f85233044a29d0097af4b39 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2252803 Commit-Queue: Arthur Sonzogni <arthursonzogni@chromium.org> Reviewed-by: Sreeja Kamishetty <sreejakshetty@chromium.org> Cr-Commit-Position: refs/heads/master@{#780274}
19dcdd52 · arthursonzogni · Commit Bot · 9d10067b · 19dcdd52
Commit 19dcdd52 authored Jun 19, 2020 by arthursonzogni Committed by Commit Bot Jun 19, 2020
Show whitespace changes
Inline Side-by-side

Showing with 20 additions and 0 deletions

content/browser/frame_host/render_frame_host_impl.cc content/browser/frame_host/render_frame_host_impl.cc +20 -0

No files found.
--- a/content/browser/frame_host/render_frame_host_impl.cc
+++ b/content/browser/frame_host/render_frame_host_impl.cc
@@ -2678,6 +2678,26 @@ void RenderFrameHostImpl::DidFocusFrame() {
  if (!IsCurrent())
    return;

+  // TODO(https://crbug.com/1093943): Remove this once closed.
+  if (IsPendingDeletion()) {
+    // FrameTree::SetFocusedFrame() is going to be called soon. This function
+    // will access the RenderFrameProxyHost of this frame seen from the
+    // SiteInstance of every active frames. In theory, they must always exist.
+    // However this is not guaranteed if this frame is pending deletion.
+    //
+    // Next block checks whether or not a crash will happen and replace it by a
+    // DumpWithoutCrashing and a return.
+    // https://bugs.chromium.org/p/chromium/issues/detail?id=1093943#c18
+    for (FrameTreeNode* node : frame_tree()->Nodes()) {
+      SiteInstance* instance = node->current_frame_host()->GetSiteInstance();
+      if (instance != site_instance_.get() &&
+          !frame_tree_node()->render_manager()->GetRenderFrameProxyHost(
+              instance)) {
+        base::debug::DumpWithoutCrashing();
+        return;
+      }
+    }
+  }
  // We need to handle receiving this IPC from a frame that is inside a portal
  // despite there being a renderer side check (see Document::IsFocusAllowed).
  // This is because the IPC to notify a page that it is inside a portal (see