Avoid racing RequestNewLayerTreeFrameSink with DoDeferredClose.

CloseWidgetSoon will post DoDeferredClose, which will stop new frame sinks from being made. However WebPagePopupImpl destroys its Page/MainFrame etc when it calls CloseWidgetSoon, which also detaches the WebFrameWidget. Then if a RequestNewLayerTreeFrameSink was already in the task queue, it would run before DoDeferredClose, and crash when it tries to get the URL from the non-existant WebFrameWidget/MainFrame. R=piman@chromium.org Change-Id: I94ec48915b6dba207f783a9d3b380476e97da9da Bug: 896836 Reviewed-on: https://chromium-review.googlesource.com/c/1342774Reviewed-by: Antoine Labour <piman@chromium.org> Commit-Queue: danakj <danakj@chromium.org> Cr-Commit-Position: refs/heads/master@{#609423}

Avoid racing RequestNewLayerTreeFrameSink with DoDeferredClose.
CloseWidgetSoon will post DoDeferredClose, which will stop new frame sinks from being made. However WebPagePopupImpl destroys its Page/MainFrame etc when it calls CloseWidgetSoon, which also detaches the WebFrameWidget. Then if a RequestNewLayerTreeFrameSink was already in the task queue, it would run before DoDeferredClose, and crash when it tries to get the URL from the non-existant WebFrameWidget/MainFrame. R=piman@chromium.org Change-Id: I94ec48915b6dba207f783a9d3b380476e97da9da Bug: 896836 Reviewed-on: https://chromium-review.googlesource.com/c/1342774Reviewed-by: Antoine Labour <piman@chromium.org> Commit-Queue: danakj <danakj@chromium.org> Cr-Commit-Position: refs/heads/master@{#609423}
292b63e6 · danakj · Commit Bot · f0ccc185 · 292b63e6 · 292b63e6
Commit 292b63e6 authored Nov 19, 2018 by danakj Committed by Commit Bot Nov 19, 2018
Hide whitespace changes
Inline Side-by-side

Showing with 11 additions and 11 deletions

content/renderer/render_widget.cc content/renderer/render_widget.cc +11 -10

content/renderer/render_widget.h content/renderer/render_widget.h +0 -1

No files found.
--- a/content/renderer/render_widget.cc
+++ b/content/renderer/render_widget.cc
@@ -662,7 +662,8 @@ void RenderWidget::OnClose() {
  DCHECK(content::RenderThread::Get());
  if (closing_)
    return;
-  NotifyOnClose();
+  for (auto& observer : render_frames_)
+    observer.WidgetWillClose();
  closing_ = true;
  // Browser correspondence is no longer needed at this point.
@@ -1604,17 +1605,9 @@ void RenderWidget::SetIsFrozen(bool is_frozen) {
 }
 void RenderWidget::DoDeferredClose() {
-  // Prevent compositor from setting up new IPC channels, since we know a
-  // WidgetMsg_Close is coming.
-  host_will_close_this_ = true;
  Send(new WidgetHostMsg_Close(routing_id_));
 }
-void RenderWidget::NotifyOnClose() {
-  for (auto& observer : render_frames_)
-    observer.WidgetWillClose();
-}
 void RenderWidget::CloseWidgetSoon() {
  DCHECK(content::RenderThread::Get());
  if (is_frozen_) {
@@ -1625,9 +1618,17 @@ void RenderWidget::CloseWidgetSoon() {
    return;
  }
+  // Prevent compositor from setting up new IPC channels, since we know a
+  // WidgetMsg_Close is coming. We do this immediately, not in DoDeferredClose,
+  // as the caller (eg WebPagePopupImpl) may start tearing down things after
+  // calling this method, including detaching the frame from this RenderWidget.
+  // Then trying to make a LayerTreeFrameSink would crash.
+  // https://crbug.com/906340
+  host_will_close_this_ = true;
  // If a page calls window.close() twice, we'll end up here twice, but that's
  // OK.  It is safe to send multiple Close messages.
+  //
  // Ask the RenderWidgetHost to initiate close.  We could be called from deep
  // in Javascript.  If we ask the RendwerWidgetHost to close now, the window
  // could be closed before the JS finishes executing.  So instead, post a

--- a/content/renderer/render_widget.h
+++ b/content/renderer/render_widget.h
@@ -584,7 +584,6 @@ class CONTENT_EXPORT RenderWidget
  void StopCompositor();
  void DoDeferredClose();
-  void NotifyOnClose();
  gfx::Size GetSizeForWebWidget() const;
  void ResizeWebWidget();