CHECK that CommitNavigation/CommitFailedNavigation IPCs always commit.

Currently, state synchronization between the browser and the renderer process is complicated and buggy for cross-process navigations. The renderer process is responsible for processing the commit IPC and then reporting success back up to the browser process, which then updates its state. However, it's unclear if this can lead to races. Instead, if it is possible to assume that one CommitNavigation() IPC from the browser always maps to one committed navigation in the renderer, the code can be simplified to remove multiphase navigation commits. This means the browser would be able to mark a provisional local frame as committed as soon as it sends a commit IPC to the renderer for that frame. Bug: 999255 Change-Id: I7d58293e6c2ec6ca0d09b614ae5a41340f4afd8e Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/1775663 Commit-Queue: Daniel Cheng <dcheng@chromium.org> Reviewed-by: danakj <danakj@chromium.org> Reviewed-by: Nasko Oskov <nasko@chromium.org> Reviewed-by: Camille Lamy <clamy@chromium.org> Cr-Commit-Position: refs/heads/master@{#705414}

CHECK that CommitNavigation/CommitFailedNavigation IPCs always commit.
Currently, state synchronization between the browser and the renderer process is complicated and buggy for cross-process navigations. The renderer process is responsible for processing the commit IPC and then reporting success back up to the browser process, which then updates its state. However, it's unclear if this can lead to races. Instead, if it is possible to assume that one CommitNavigation() IPC from the browser always maps to one committed navigation in the renderer, the code can be simplified to remove multiphase navigation commits. This means the browser would be able to mark a provisional local frame as committed as soon as it sends a commit IPC to the renderer for that frame. Bug: 999255 Change-Id: I7d58293e6c2ec6ca0d09b614ae5a41340f4afd8e Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/1775663 Commit-Queue: Daniel Cheng <dcheng@chromium.org> Reviewed-by: danakj <danakj@chromium.org> Reviewed-by: Nasko Oskov <nasko@chromium.org> Reviewed-by: Camille Lamy <clamy@chromium.org> Cr-Commit-Position: refs/heads/master@{#705414}
95f797d6 · Daniel Cheng · Commit Bot · f272f6e5 · 95f797d6 · 95f797d6
Commit 95f797d6 authored Oct 12, 2019 by Daniel Cheng Committed by Commit Bot Oct 12, 2019
Expand all Hide whitespace changes
Inline Side-by-side

Showing with 155 additions and 7 deletions

content/renderer/render_frame_impl.cc content/renderer/render_frame_impl.cc +135 -7

content/renderer/render_frame_impl.h content/renderer/render_frame_impl.h +20 -0

No files found.
--- a/content/renderer/render_frame_impl.cc
+++ b/content/renderer/render_frame_impl.cc
--- a/content/renderer/render_frame_impl.h
+++ b/content/renderer/render_frame_impl.h
@@ -1752,6 +1752,26 @@ class CONTENT_EXPORT RenderFrameImpl
  std::unique_ptr<blink::WebURLLoaderFactoryForTest>
      web_url_loader_factory_override_for_test_;
+  // When the browser asks the renderer to commit a navigation, it should always
+  // result in a committed navigation reported via DidCommitProvisionalLoad().
+  // This is important because DidCommitProvisionalLoad() is responsible for
+  // swapping in the provisional local frame during a cross-process navigation.
+  // Since this involves updating state in both the browser process and the
+  // renderer process, this assert ensures that the state remains synchronized
+  // between the two processes.
+  //
+  // Note: there is one exception that can result in no commit happening.
+  // Committing a navigation runs unload handlers, which can detach |this|. In
+  // that case, it doesn't matter that the navigation never commits, since the
+  // logical node for |this| has been removed from the DOM.
+  enum class NavigationCommitState {
+    kNone,
+    kWillCommitFromIPC,
+    kDidCommitFromIPC,
+  };
+  class AssertNavigationCommits;
+  NavigationCommitState navigation_commit_state_ = NavigationCommitState::kNone;
  base::WeakPtrFactory<RenderFrameImpl> weak_factory_{this};
  DISALLOW_COPY_AND_ASSIGN(RenderFrameImpl);