Add more debugging for this bug.

From crashes (https://crbug.com/1146573#c38) we can see that render_frame_created_ is not staying false in RenderProcessExited. This introduces debugging to catch a second call to SetRenderFrameCreated(true) if it occurs during the section of code under suspicion. Bug: 1146573 Change-Id: I32b9a3202080690dc1f7227c8b62e3852f7e8cf4 Cq-Do-Not-Cancel-Tryjobs: true Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2583584 Commit-Queue: Fergal Daly <fergal@chromium.org> Auto-Submit: Fergal Daly <fergal@chromium.org> Reviewed-by: Matt Falkenhagen <falken@chromium.org> Reviewed-by: Daniel Cheng <dcheng@chromium.org> Cr-Commit-Position: refs/heads/master@{#836119}

Add more debugging for this bug.
From crashes (https://crbug.com/1146573#c38) we can see that render_frame_created_ is not staying false in RenderProcessExited. This introduces debugging to catch a second call to SetRenderFrameCreated(true) if it occurs during the section of code under suspicion. Bug: 1146573 Change-Id: I32b9a3202080690dc1f7227c8b62e3852f7e8cf4 Cq-Do-Not-Cancel-Tryjobs: true Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2583584 Commit-Queue: Fergal Daly <fergal@chromium.org> Auto-Submit: Fergal Daly <fergal@chromium.org> Reviewed-by: Matt Falkenhagen <falken@chromium.org> Reviewed-by: Daniel Cheng <dcheng@chromium.org> Cr-Commit-Position: refs/heads/master@{#836119}
59e1fc78 · Fergal Daly · Chromium LUCI CQ · f9ea35cc · 59e1fc78 · 59e1fc78
Commit 59e1fc78 authored Dec 11, 2020 by Fergal Daly Committed by Chromium LUCI CQ Dec 11, 2020
2 changed files
--- a/content/browser/renderer_host/render_frame_host_impl.cc
+++ b/content/browser/renderer_host/render_frame_host_impl.cc
@@ -2123,6 +2123,14 @@ void RenderFrameHostImpl::RenderProcessExited(
  // Reset state for the current RenderFrameHost once the FrameTreeNode has been
  // reset.
  RenderFrameDeleted();
+  // In https://crbug.com/1146573 we see render_frame_created_ being true again
+  // by the time we reach `must_be_replaced_ = true` below. This should tell us
+  // how that is happening.
+  ++dump_on_render_frame_created_for_bug_1146573_;
+  if (render_frame_created_) {
+    base::debug::DumpWithoutCrashing();
+    NOTREACHED();
+  }
  InvalidateMojoConnection();
  broker_receiver_.reset();
  SetLastCommittedUrl(GURL());
@@ -2130,6 +2138,7 @@ void RenderFrameHostImpl::RenderProcessExited(

  must_be_replaced_ = true;
  ValidateStateForBug1146573();
+  --dump_on_render_frame_created_for_bug_1146573_;
  has_committed_any_navigation_ = false;

 #if defined(OS_ANDROID)
@@ -2449,6 +2458,16 @@ void RenderFrameHostImpl::RenderFrameCreated() {
  // to have caused crashes in https://crbug.com/717650.
  CHECK(!delegate_->IsBeingDestroyed());

+  // TODO(https://crbug.com/1146573): Remove this when the bug is closed.
+  if (dump_on_render_frame_created_for_bug_1146573_) {
+    SCOPED_CRASH_KEY_NUMBER(Bug1146573, DumpNestCount,
+                            dump_on_render_frame_created_for_bug_1146573_);
+    SCOPED_CRASH_KEY_BOOL(Bug1146573, RenderFrameCreated,
+                          render_frame_created_);
+    base::debug::DumpWithoutCrashing();
+    NOTREACHED();
+  }
+
  bool was_created = render_frame_created_;
  render_frame_created_ = true;
  ValidateStateForBug1146573();

--- a/content/browser/renderer_host/render_frame_host_impl.h
+++ b/content/browser/renderer_host/render_frame_host_impl.h
@@ -3283,6 +3283,11 @@ class CONTENT_EXPORT RenderFrameHostImpl
  mojo::UniqueReceiverSet<blink::mojom::PrerenderProcessor>
      prerender_processor_receivers_;

+  // TODO(https://crbug.com/1146573): Remove this when the bug is closed.
+  // If >0, then we will DWOC if there is an attempt to mark the RenderFrame as
+  // created again.
+  int dump_on_render_frame_created_for_bug_1146573_ = 0;
+
  // NOTE: This must be the last member.
  base::WeakPtrFactory<RenderFrameHostImpl> weak_ptr_factory_{this};