Fix the set_render_frame_proxy_created() bookkeeping in SwapOut.

While investigating issue 794625, I noticed that it is possible for RFHI::SwapOut to not actually create the proxy. This happens if (1) the RFHI to be swapped out is already pending deletion, and (2) the RFHI to be swapped out is not live. Nonetheless, the sole caller of RFHI::SwapOut, RenderFrameHostManager::SwapOutOldFrame, assumes that a replacement proxy is always created and unconditionally calls proxy->set_render_frame_proxy_created(true) afterward. This seems wrong - instead, the proxy should be set to be live if the IPC to create it was actually sent, which is what this CL does. I can't pinpoint any specific issues this might lead to, so this is more of a speculative/preventative fix for problems in this area. There's a chance it might be related to issue 794625, though in that issue, I'd expect the problem to be that we send a message to create a proxy to a process where the proxy had already been created, and here, the resulting problems would be from a proxy being marked as live without actually having been created. Bug: 794625 Change-Id: I7e3f53c17b541f9d5796714ef7c530a7955cf143 Reviewed-on: https://chromium-review.googlesource.com/1139215 Commit-Queue: Charlie Reis <creis@chromium.org> Reviewed-by: Charlie Reis <creis@chromium.org> Cr-Commit-Position: refs/heads/master@{#575935}

Fix the set_render_frame_proxy_created() bookkeeping in SwapOut.
While investigating issue 794625, I noticed that it is possible for RFHI::SwapOut to not actually create the proxy. This happens if (1) the RFHI to be swapped out is already pending deletion, and (2) the RFHI to be swapped out is not live. Nonetheless, the sole caller of RFHI::SwapOut, RenderFrameHostManager::SwapOutOldFrame, assumes that a replacement proxy is always created and unconditionally calls proxy->set_render_frame_proxy_created(true) afterward. This seems wrong - instead, the proxy should be set to be live if the IPC to create it was actually sent, which is what this CL does. I can't pinpoint any specific issues this might lead to, so this is more of a speculative/preventative fix for problems in this area. There's a chance it might be related to issue 794625, though in that issue, I'd expect the problem to be that we send a message to create a proxy to a process where the proxy had already been created, and here, the resulting problems would be from a proxy being marked as live without actually having been created. Bug: 794625 Change-Id: I7e3f53c17b541f9d5796714ef7c530a7955cf143 Reviewed-on: https://chromium-review.googlesource.com/1139215 Commit-Queue: Charlie Reis <creis@chromium.org> Reviewed-by: Charlie Reis <creis@chromium.org> Cr-Commit-Position: refs/heads/master@{#575935}
1bbdadd3 · Alex Moshchuk · Commit Bot · d6e55411 · 1bbdadd3 · 1bbdadd3
Commit 1bbdadd3 authored Jul 18, 2018 by Alex Moshchuk Committed by Commit Bot Jul 18, 2018
2 changed files
--- a/content/browser/frame_host/render_frame_host_impl.cc
+++ b/content/browser/frame_host/render_frame_host_impl.cc
@@ -1919,6 +1919,10 @@ void RenderFrameHostImpl::SwapOut(
        proxy->frame_tree_node()->current_replication_state();
    Send(new FrameMsg_SwapOut(routing_id_, proxy->GetRoutingID(), is_loading,
                              replication_state));
+
+    // Remember that a RenderFrameProxy was created as part of processing the
+    // SwapOut message above.
+    proxy->set_render_frame_proxy_created(true);
  }

  if (web_ui())

--- a/content/browser/frame_host/render_frame_host_manager.cc
+++ b/content/browser/frame_host/render_frame_host_manager.cc
@@ -400,9 +400,6 @@ void RenderFrameHostManager::SwapOutOldFrame(
  // Tell the old RenderFrameHost to swap out and be replaced by the proxy.
  old_render_frame_host->SwapOut(proxy, true);

-  // SwapOut creates a RenderFrameProxy, so set the proxy to be initialized.
-  proxy->set_render_frame_proxy_created(true);
-
  // |old_render_frame_host| will be deleted when its SwapOut ACK is received,
  // or when the timer times out, or when the RFHM itself is deleted (whichever
  // comes first).