Don't receive any IPC messages in an undead/provisional RenderWidget*

* Except EnableDeviceEmulation. Emulation on/off were the last messages. These messages should only be sent in sequence with there being a RenderFrameHost present for the RenderViewHost+RenderWidgetHost. The EnableDeviceEmulation message is sent when navigation is ready to commit, which is when the RenderWidget is still for a provisional frame. At that point the widget is not undead, and the WebFrameWidget is valid. So it's not too terrible. Once the RenderWidget is deleted instead of made undead, we can just accept messages while provisional without worry. R=avi@chromium.org Bug: 419087 Change-Id: I9ddfd81bc1ea0c448e86afe13e2b0a1b38dd6121 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/1853675 Commit-Queue: danakj <danakj@chromium.org> Reviewed-by: Avi Drissman <avi@chromium.org> Cr-Commit-Position: refs/heads/master@{#704922}

Don't receive any IPC messages in an undead/provisional RenderWidget*
* Except EnableDeviceEmulation. Emulation on/off were the last messages. These messages should only be sent in sequence with there being a RenderFrameHost present for the RenderViewHost+RenderWidgetHost. The EnableDeviceEmulation message is sent when navigation is ready to commit, which is when the RenderWidget is still for a provisional frame. At that point the widget is not undead, and the WebFrameWidget is valid. So it's not too terrible. Once the RenderWidget is deleted instead of made undead, we can just accept messages while provisional without worry. R=avi@chromium.org Bug: 419087 Change-Id: I9ddfd81bc1ea0c448e86afe13e2b0a1b38dd6121 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/1853675 Commit-Queue: danakj <danakj@chromium.org> Reviewed-by: Avi Drissman <avi@chromium.org> Cr-Commit-Position: refs/heads/master@{#704922}
a2d65792 · danakj · Commit Bot · 3c93461e · a2d65792
Commit a2d65792 authored Oct 11, 2019 by danakj Committed by Commit Bot Oct 11, 2019
Hide whitespace changes
Inline Side-by-side

Showing with 11 additions and 4 deletions

content/renderer/render_widget.cc content/renderer/render_widget.cc +11 -4

No files found.
--- a/content/renderer/render_widget.cc
+++ b/content/renderer/render_widget.cc
@@ -592,18 +592,23 @@ bool RenderWidget::OnMessageReceived(const IPC::Message& message) {
  if (is_undead_)
    return false;

+  // The EnableDeviceEmulation message is sent to a provisional RenderWidget
+  // before the navigation completes. Some investigation into why is done in
+  // https://chromium-review.googlesource.com/c/chromium/src/+/1853675/5#message-e6edc3fd708d7d267ee981ffe43cae090b37a906
+  // but it's unclear what would need to be done to delay this until after
+  // navigation.
  bool handled = false;
  IPC_BEGIN_MESSAGE_MAP(RenderWidget, message)
    IPC_MESSAGE_HANDLER(WidgetMsg_EnableDeviceEmulation,
                        OnEnableDeviceEmulation)
-    IPC_MESSAGE_HANDLER(WidgetMsg_DisableDeviceEmulation,
-                        OnDisableDeviceEmulation)
  IPC_END_MESSAGE_MAP()
  if (handled)
    return true;

-  // TODO(https://crbug.com/1000502): We shouldn't process IPC messages on
-  // provisional frames.
+  // We shouldn't receive IPC messages on provisional frames. It's possible the
+  // message was destined for a RenderWidget that was made undead and then
+  // revived since it keeps the same routing id. Just drop it here if that
+  // happened.
  if (IsForProvisionalFrame())
    return false;

@@ -616,6 +621,8 @@ bool RenderWidget::OnMessageReceived(const IPC::Message& message) {
    return true;

  IPC_BEGIN_MESSAGE_MAP(RenderWidget, message)
+    IPC_MESSAGE_HANDLER(WidgetMsg_DisableDeviceEmulation,
+                        OnDisableDeviceEmulation)
    IPC_MESSAGE_HANDLER(WidgetMsg_ShowContextMenu, OnShowContextMenu)
    IPC_MESSAGE_HANDLER(WidgetMsg_Close, OnClose)
    IPC_MESSAGE_HANDLER(WidgetMsg_WasHidden, OnWasHidden)