[MBI] Introduce AgentSchedulingGroupHost.

This CL introduces the (empty) AgentSchedulingGroupHost class, that is owned by the RenderProcessHost.
For now, a new ASGH is created per RPH.

Bug: 1111231
Change-Id: Ib384fc34e4fa72e6c1c9e709e4599da1f82a6bc8
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2294699
Commit-Queue: Tal Pressman <talp@chromium.org>
Reviewed-by: Kentaro Hara <haraken@chromium.org>
Reviewed-by: Charlie Reis <creis@chromium.org>
Reviewed-by: Kouhei Ueno <kouhei@chromium.org>
Cr-Commit-Position: refs/heads/master@{#796741}

content/browser/BUILD.gn

@@ -1377,6 +1377,8 @@ source_set("browser") {
     "quota/quota_manager_host.h",
     "renderer_host/agent_metrics_collector.cc",
     "renderer_host/agent_metrics_collector.h",
+    "renderer_host/agent_scheduling_group_host.cc",
+    "renderer_host/agent_scheduling_group_host.h",
     "renderer_host/code_cache_host_impl.cc",
     "renderer_host/code_cache_host_impl.h",
     "renderer_host/cursor_manager.cc",

content/browser/renderer_host/agent_scheduling_group_host.cc

+// Copyright 2020 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+#include "content/browser/renderer_host/agent_scheduling_group_host.h"
+
+#include <memory>
+
+#include "base/supports_user_data.h"
+#include "content/public/browser/render_process_host.h"
+
+namespace content {
+
+namespace {
+static constexpr char kAgentGroupHostDataKey[] =
+    "AgentSchedulingGroupHostUserDataKey";
+class AgentGroupHostUserData : public base::SupportsUserData::Data {
+ public:
+  explicit AgentGroupHostUserData(
+      std::unique_ptr<AgentSchedulingGroupHost> agent_group)
+      : agent_group_(std::move(agent_group)) {
+    DCHECK(agent_group_);
+  }
+  ~AgentGroupHostUserData() override = default;
+
+  AgentSchedulingGroupHost* agent_group() { return agent_group_.get(); }
+
+ private:
+  std::unique_ptr<AgentSchedulingGroupHost> agent_group_;
+};
+}  // namespace
+
+// static
+AgentSchedulingGroupHost* AgentSchedulingGroupHost::Get(
+    const SiteInstance& instance,
+    RenderProcessHost& process) {
+  AgentGroupHostUserData* data = static_cast<AgentGroupHostUserData*>(
+      process.GetUserData(kAgentGroupHostDataKey));
+  if (data != nullptr)
+    return data->agent_group();
+
+  auto agent_group_data = std::make_unique<AgentGroupHostUserData>(
+      std::make_unique<AgentSchedulingGroupHost>(process));
+  AgentSchedulingGroupHost* agent_group = agent_group_data->agent_group();
+  process.SetUserData(kAgentGroupHostDataKey, std::move(agent_group_data));
+
+  return agent_group;
+}
+
+AgentSchedulingGroupHost::AgentSchedulingGroupHost(RenderProcessHost& process)
+    : process_(process) {}
+
+AgentSchedulingGroupHost::~AgentSchedulingGroupHost() = default;
+
+RenderProcessHost* AgentSchedulingGroupHost::GetProcess() {
+  return &process_;
+}
+
+}  // namespace content

content/browser/renderer_host/agent_scheduling_group_host.h

+// Copyright 2020 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#ifndef CONTENT_BROWSER_RENDERER_HOST_AGENT_SCHEDULING_GROUP_HOST_H_
+#define CONTENT_BROWSER_RENDERER_HOST_AGENT_SCHEDULING_GROUP_HOST_H_
+
+#include "content/common/content_export.h"
+
+namespace content {
+
+class RenderProcessHost;
+class SiteInstance;
+
+// Browser-side host of an AgentSchedulingGroup, used for
+// AgentSchedulingGroup-bound messaging. AgentSchedulingGroup is Blink's unit of
+// scheduling and performance isolation, which is the only way to obtain
+// ordering guarantees between different Mojo (associated) interfaces and legacy
+// IPC messages.
+//
+// An AgentSchedulingGroupHost is stored as (and owned by) UserData on the
+// RenderProcessHost.
+class CONTENT_EXPORT AgentSchedulingGroupHost {
+ public:
+  // Get the appropriate AgentSchedulingGroupHost for the given |instance| and
+  // |process|. For now, each RenderProcessHost has a single
+  // AgentSchedulingGroupHost, though future policies will allow multiple groups
+  // in a process.
+  static AgentSchedulingGroupHost* Get(const SiteInstance& instance,
+                                       RenderProcessHost& process);
+
+  // Should not be called explicitly. Use Get() instead.
+  explicit AgentSchedulingGroupHost(RenderProcessHost& process);
+  virtual ~AgentSchedulingGroupHost();
+
+  RenderProcessHost* GetProcess();
+
+ private:
+  RenderProcessHost& process_;
+};
+
+}  // namespace content
+
+#endif

content/browser/site_instance_impl.cc

@@ -17,6 +17,7 @@
 #include "content/browser/child_process_security_policy_impl.h"
 #include "content/browser/isolated_origin_util.h"
 #include "content/browser/isolation_context.h"
+#include "content/browser/renderer_host/agent_scheduling_group_host.h"
 #include "content/browser/renderer_host/render_process_host_impl.h"
 #include "content/browser/storage_partition_impl.h"
 #include "content/browser/webui/url_data_manager_backend.h"
@@ -96,6 +97,7 @@ SiteInstanceImpl::SiteInstanceImpl(BrowsingInstance* browsing_instance)
       active_frame_count_(0),
       browsing_instance_(browsing_instance),
       process_(nullptr),
+      agent_scheduling_group_(nullptr),
       can_associate_with_spare_process_(true),
       has_site_(false),
       process_reuse_policy_(ProcessReusePolicy::DEFAULT),
@@ -374,6 +376,8 @@ void SiteInstanceImpl::SetProcessInternal(RenderProcessHost* process) {
   CHECK(process);
   process_ = process;
   process_->AddObserver(this);
+  DCHECK(!agent_scheduling_group_);
+  agent_scheduling_group_ = AgentSchedulingGroupHost::Get(*this, *process_);
 
   MaybeSetBrowsingInstanceDefaultProcess();
 
@@ -1207,6 +1211,7 @@ void SiteInstanceImpl::RenderProcessHostDestroyed(RenderProcessHost* host) {
   DCHECK_EQ(process_, host);
   process_->RemoveObserver(this);
   process_ = nullptr;
+  agent_scheduling_group_ = nullptr;
 }
 
 void SiteInstanceImpl::RenderProcessExited(

content/browser/site_instance_impl.h

@@ -19,6 +19,7 @@
 #include "url/origin.h"
 
 namespace content {
+class AgentSchedulingGroupHost;
 class BrowsingInstance;
 class ProcessLock;
 class RenderProcessHostFactory;
@@ -553,11 +554,16 @@ class CONTENT_EXPORT SiteInstanceImpl final : public SiteInstance,
   // BrowsingInstance to which this SiteInstance belongs.
   scoped_refptr<BrowsingInstance> browsing_instance_;
 
-  // Current RenderProcessHost that is rendering pages for this SiteInstance.
-  // This pointer will only change once the RenderProcessHost is destructed.  It
-  // will still remain the same even if the process crashes, since in that
-  // scenario the RenderProcessHost remains the same.
+  // Current RenderProcessHost that is rendering pages for this SiteInstance,
+  // and AgentSchedulingGroupHost (within the process) this SiteInstance belongs
+  // to. Since AgentSchedulingGroupHost is associated with a specific
+  // RenderProcessHost, these *must be* changed together to avoid UAF!
+  // The |process_| pointer (and hence the |agent_scheduling_group_| pointer as
+  // well) will only change once the RenderProcessHost is destructed. They will
+  // still remain the same even if the process crashes, since in that scenario
+  // the RenderProcessHost remains the same.
   RenderProcessHost* process_;
+  AgentSchedulingGroupHost* agent_scheduling_group_;
 
   // Describes the desired behavior when GetProcess() method needs to find a new
   // process to associate with the current SiteInstanceImpl.  If |false|, then