Remove null checks and early outs for closing in RenderWidget.

RenderWidget used to start closing and then post a task to self-delete. But now it deletes synchronously inside Close(). So when closing_ becomes true, the RenderWidget will be deleted in the same stack. Thus we do not need to guard against closing_ since blink will not be using the RenderWidget afterward - it would be a UAF. The LayerTreeViewDelegate methods used to check for a null WebWidget which would be the case once closing_ became true, before RenderWidget was destroyed. Now the RenderWidget disconnects itself from the LayerTreeView and deletes immediately, so these methods are never called with a null WebWidget unless they were used while the RenderWidget is undead. But the compositor does not run while the RenderWidget is undead, and the LayerTreeViewDelegate will not be used unless the compositor posted the task and then runs it after the RenderWidget becomes undead. The methods in this CL are all part of the BeginMainFrame step which only runs when the compositor is visible and the RenderWidget is not undead. R=avi@chromium.org Bug: 419087 Change-Id: If0158f2ffeaf0c5d334a80aed3cdb9e686002fb6 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/1854878Reviewed-by: Avi Drissman <avi@chromium.org> Commit-Queue: danakj <danakj@chromium.org> Cr-Commit-Position: refs/heads/master@{#705178}

Remove null checks and early outs for closing in RenderWidget.
RenderWidget used to start closing and then post a task to self-delete. But now it deletes synchronously inside Close(). So when closing_ becomes true, the RenderWidget will be deleted in the same stack. Thus we do not need to guard against closing_ since blink will not be using the RenderWidget afterward - it would be a UAF. The LayerTreeViewDelegate methods used to check for a null WebWidget which would be the case once closing_ became true, before RenderWidget was destroyed. Now the RenderWidget disconnects itself from the LayerTreeView and deletes immediately, so these methods are never called with a null WebWidget unless they were used while the RenderWidget is undead. But the compositor does not run while the RenderWidget is undead, and the LayerTreeViewDelegate will not be used unless the compositor posted the task and then runs it after the RenderWidget becomes undead. The methods in this CL are all part of the BeginMainFrame step which only runs when the compositor is visible and the RenderWidget is not undead. R=avi@chromium.org Bug: 419087 Change-Id: If0158f2ffeaf0c5d334a80aed3cdb9e686002fb6 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/1854878Reviewed-by: Avi Drissman <avi@chromium.org> Commit-Queue: danakj <danakj@chromium.org> Cr-Commit-Position: refs/heads/master@{#705178}
30cd72d1 · danakj · Commit Bot · 15651c03 · 30cd72d1 · 30cd72d1
Commit 30cd72d1 authored Oct 11, 2019 by danakj Committed by Commit Bot Oct 11, 2019
Expand all Hide whitespace changes
Inline Side-by-side

Showing with 37 additions and 149 deletions

content/renderer/render_widget.cc content/renderer/render_widget.cc +37 -138

content/renderer/render_widget.h content/renderer/render_widget.h +0 -11

No files found.
--- a/content/renderer/render_widget.cc
+++ b/content/renderer/render_widget.cc
--- a/content/renderer/render_widget.h
+++ b/content/renderer/render_widget.h
@@ -654,10 +654,6 @@ class CONTENT_EXPORT RenderWidget
                       int relative_cursor_pos);
  void OnImeFinishComposingText(bool keep_selection);

-  // This does the actual focus change, but is called in more situations than
-  // just as an IPC message.
-  void SetFocus(bool enable);
-
  // Called by the browser process to update text input state.
  void OnRequestTextInputStateUpdate();

@@ -879,13 +875,6 @@ class CONTENT_EXPORT RenderWidget
  // Used to force the size of a window when running web tests.
  void SetWindowRectSynchronously(const gfx::Rect& new_window_rect);

-  // A variant of Send but is fatal if it fails. The browser may
-  // be waiting for this IPC Message and if the send fails the browser will
-  // be left in a state waiting for something that never comes. And if it
-  // never comes then it may later determine this is a hung renderer; so
-  // instead fail right away.
-  void SendOrCrash(IPC::Message* msg);
-
  // Determines whether or not RenderWidget should process IME events from the
  // browser. It always returns true unless there is no WebFrameWidget to
  // handle the event, or there is no page focus.