Clear the pending_and_current_web_ui_ if we reuse it.

R=nasko@chromium.org TBR=estade@chromium.org BUG=330811 TEST=See bug comment 9 for repro steps. Review URL: https://codereview.chromium.org/166033006 git-svn-id: svn://svn.chromium.org/chrome/trunk/src@251420 0039d316-1c4b-4281-b951-d872f2087c98

Clear the pending_and_current_web_ui_ if we reuse it.
R=nasko@chromium.org TBR=estade@chromium.org BUG=330811 TEST=See bug comment 9 for repro steps. Review URL: https://codereview.chromium.org/166033006 git-svn-id: svn://svn.chromium.org/chrome/trunk/src@251420 0039d316-1c4b-4281-b951-d872f2087c98
3d95d176 · creis@chromium.org · 9b0a2840 · 3d95d176 · 3d95d176
Commit 3d95d176 authored Feb 14, 2014 by creis@chromium.org
2 changed files
--- a/content/browser/frame_host/render_frame_host_manager.cc
+++ b/content/browser/frame_host/render_frame_host_manager.cc
@@ -1013,10 +1013,14 @@ void RenderFrameHostManager::CommitPending() {
  // |pending_web_ui_|, or clear |web_ui_| if there is no pending WebUI, or
  // leave |web_ui_| as is if reusing it.
  DCHECK(!(pending_web_ui_.get() && pending_and_current_web_ui_.get()));
-  if (pending_web_ui_)
+  if (pending_web_ui_) {
    web_ui_.reset(pending_web_ui_.release());
-  else if (!pending_and_current_web_ui_.get())
+  } else if (!pending_and_current_web_ui_.get()) {
    web_ui_.reset();
+  } else {
+    DCHECK_EQ(pending_and_current_web_ui_.get(), web_ui_.get());
+    pending_and_current_web_ui_.reset();
+  }

  // It's possible for the pending_render_frame_host_ to be NULL when we aren't
  // crossing process boundaries. If so, we just needed to handle the Web UI

--- a/content/browser/frame_host/render_frame_host_manager_browsertest.cc
+++ b/content/browser/frame_host/render_frame_host_manager_browsertest.cc
@@ -13,6 +13,7 @@
 #include "content/browser/renderer_host/render_view_host_impl.h"
 #include "content/browser/site_instance_impl.h"
 #include "content/browser/web_contents/web_contents_impl.h"
+#include "content/browser/webui/web_ui_impl.h"
 #include "content/common/content_constants_internal.h"
 #include "content/public/browser/navigation_controller.h"
 #include "content/public/browser/navigation_entry.h"
@@ -1420,4 +1421,28 @@ IN_PROC_BROWSER_TEST_F(RenderFrameHostManagerTest,
  crash_observer2.Wait();
 }

+// Ensure that pending_and_current_web_ui_ is cleared when a URL commits.
+// Otherwise it might get picked up by InitRenderView when granting bindings
+// to other RenderViewHosts.  See http://crbug.com/330811.
+IN_PROC_BROWSER_TEST_F(RenderFrameHostManagerTest, ClearPendingWebUIOnCommit) {
+  // Visit a WebUI page with bindings.
+  GURL webui_url(GURL(std::string(kChromeUIScheme) + "://" +
+                      std::string(kChromeUIGpuHost)));
+  NavigateToURL(shell(), webui_url);
+  EXPECT_TRUE(ChildProcessSecurityPolicyImpl::GetInstance()->HasWebUIBindings(
+                  shell()->web_contents()->GetRenderProcessHost()->GetID()));
+  WebContentsImpl* web_contents = static_cast<WebContentsImpl*>(
+      shell()->web_contents());
+  WebUIImpl* webui = web_contents->GetRenderManagerForTesting()->web_ui();
+  EXPECT_TRUE(webui);
+  EXPECT_FALSE(web_contents->GetRenderManagerForTesting()->pending_web_ui());
+
+  // Navigate to another WebUI URL that reuses the WebUI object.  Make sure we
+  // clear pending_web_ui() when it commits.
+  GURL webui_url2(webui_url.spec() + "#foo");
+  NavigateToURL(shell(), webui_url2);
+  EXPECT_EQ(webui, web_contents->GetRenderManagerForTesting()->web_ui());
+  EXPECT_FALSE(web_contents->GetRenderManagerForTesting()->pending_web_ui());
+}
+
 }  // namespace content