Reset more IPC state on RPHI::ResetIPC()

ResetIPC() is called by both Cleanup() and ProcessDied(), where the latter may be called immediately before the RPHI is reused for a new render process. Some IPC-related cleanup tasks were only being done in Cleanup(). This means it was possible for some tasks scheduled on behalf of the previous process to run after a new process was started by the host. Namely UI-thread interface binding tasks -- limited in lifetime by instance_weak_factory_ WeakPtrs -- could run despite ProcessDied() being invoked after their scheduling. This CL resets instance_weak_factory_ in ResetIPC() rather than only in Cleanup(). It also moves |io_thread_host_| cleanup to ResetIPC() for good measure, since this should prevent some inevitably-cancelled UI thread tasks from being posted on a dead process's behalf. Bug: 1000327 Change-Id: Ib2701e2d99a922c991d57745ad63a6d9b8c294ad Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/1810036Reviewed-by: John Abd-El-Malek <jam@chromium.org> Commit-Queue: Ken Rockot <rockot@google.com> Cr-Commit-Position: refs/heads/master@{#697536}

Reset more IPC state on RPHI::ResetIPC()
ResetIPC() is called by both Cleanup() and ProcessDied(), where the latter may be called immediately before the RPHI is reused for a new render process. Some IPC-related cleanup tasks were only being done in Cleanup(). This means it was possible for some tasks scheduled on behalf of the previous process to run after a new process was started by the host. Namely UI-thread interface binding tasks -- limited in lifetime by instance_weak_factory_ WeakPtrs -- could run despite ProcessDied() being invoked after their scheduling. This CL resets instance_weak_factory_ in ResetIPC() rather than only in Cleanup(). It also moves |io_thread_host_| cleanup to ResetIPC() for good measure, since this should prevent some inevitably-cancelled UI thread tasks from being posted on a dead process's behalf. Bug: 1000327 Change-Id: Ib2701e2d99a922c991d57745ad63a6d9b8c294ad Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/1810036Reviewed-by: John Abd-El-Malek <jam@chromium.org> Commit-Queue: Ken Rockot <rockot@google.com> Cr-Commit-Position: refs/heads/master@{#697536}
6489b7e5 · Ken Rockot · Commit Bot · 8611fb1b · 6489b7e5
Commit 6489b7e5 authored Sep 18, 2019 by Ken Rockot Committed by Commit Bot Sep 18, 2019
Show whitespace changes
Inline Side-by-side

Showing with 3 additions and 3 deletions

content/browser/renderer_host/render_process_host_impl.cc content/browser/renderer_host/render_process_host_impl.cc +3 -3

No files found.
--- a/content/browser/renderer_host/render_process_host_impl.cc
+++ b/content/browser/renderer_host/render_process_host_impl.cc
@@ -3446,7 +3446,6 @@ void RenderProcessHostImpl::Cleanup() {
  base::ThreadTaskRunnerHandle::Get()->DeleteSoon(FROM_HERE, this);
  deleting_soon_ = true;
-  io_thread_host_impl_.reset();
  if (render_frame_message_filter_) {
    // RenderFrameMessageFilter is refcounted and can outlive the
    // ResourceContext. If the BrowserContext is shutting down, after
@@ -3473,8 +3472,6 @@ void RenderProcessHostImpl::Cleanup() {
  // Remove ourself from the list of renderer processes so that we can't be
  // reused in between now and when the Delete task runs.
  UnregisterHost(GetID());
-  instance_weak_factory_.emplace(this);
 }
 void RenderProcessHostImpl::PopulateTerminationInfoRendererFields(
@@ -4163,6 +4160,7 @@ void RenderProcessHostImpl::ResetIPC() {
  if (renderer_host_binding_.is_bound())
    renderer_host_binding_.Unbind();
+  io_thread_host_impl_.reset();
  route_provider_receiver_.reset();
  associated_interface_provider_receivers_.Clear();
  associated_interfaces_.reset();
@@ -4174,6 +4172,8 @@ void RenderProcessHostImpl::ResetIPC() {
    storage_partition_impl_->Unbind(binding_id);
  }
+  instance_weak_factory_.emplace(this);
  // If RenderProcessHostImpl is reused, the next renderer will send a new
  // request for FrameSinkProvider so make sure frame_sink_provider_ is ready
  // for that.