Migrate LocalFrame to use GC mojo wrappers.

No behavior change. This CL reduces potential risks of use-after-free bugs. Bug: 1049056 Change-Id: Ibf4e509a959108ddee42bef7233a0436ee7376cf Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2192574 Commit-Queue: Minoru Chikamune <chikamune@chromium.org> Reviewed-by: Kentaro Hara <haraken@chromium.org> Reviewed-by: Kouhei Ueno <kouhei@chromium.org> Cr-Commit-Position: refs/heads/master@{#771491}

Migrate LocalFrame to use GC mojo wrappers.
No behavior change. This CL reduces potential risks of use-after-free bugs. Bug: 1049056 Change-Id: Ibf4e509a959108ddee42bef7233a0436ee7376cf Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2192574 Commit-Queue: Minoru Chikamune <chikamune@chromium.org> Reviewed-by: Kentaro Hara <haraken@chromium.org> Reviewed-by: Kouhei Ueno <kouhei@chromium.org> Cr-Commit-Position: refs/heads/master@{#771491}
bc5da8c9 · Minoru Chikamune · Commit Bot · ed7f2284 · bc5da8c9 · bc5da8c9
Commit bc5da8c9 authored May 25, 2020 by Minoru Chikamune Committed by Commit Bot May 25, 2020
6 changed files
--- a/third_party/blink/renderer/core/frame/local_frame.cc
+++ b/third_party/blink/renderer/core/frame/local_frame.cc
@@ -322,7 +322,8 @@ void LocalFrame::Init() {
  CoreInitializer::GetInstance().InitLocalFrame(*this);

  GetRemoteNavigationAssociatedInterfaces()->GetInterface(
-      local_frame_host_remote_.BindNewEndpointAndPassReceiver());
+      local_frame_host_remote_.BindNewEndpointAndPassReceiver(
+          GetTaskRunner(blink::TaskType::kInternalDefault)));
  GetInterfaceRegistry()->AddAssociatedInterface(WTF::BindRepeating(
      &LocalFrame::BindToReceiver, WrapWeakPersistent(this)));

@@ -413,6 +414,14 @@ void LocalFrame::Trace(Visitor* visitor) const {
  visitor->Trace(system_clipboard_);
  visitor->Trace(raw_system_clipboard_);
  visitor->Trace(virtual_keyboard_overlay_changed_observers_);
+  visitor->Trace(pause_handle_receivers_);
+  visitor->Trace(reporting_service_);
+#if defined(OS_MACOSX)
+  visitor->Trace(text_input_host_);
+#endif
+  visitor->Trace(local_frame_host_remote_);
+  visitor->Trace(receiver_);
+  visitor->Trace(main_frame_receiver_);
  Frame::Trace(visitor);
  Supplementable<LocalFrame>::Trace(visitor);
 }
@@ -1115,7 +1124,8 @@ LocalFrame::LocalFrame(LocalFrameClient* client,
  // It should be bound before accessing TextInputHost which is the interface to
  // respond to GetCharacterIndexAtPoint.
  GetBrowserInterfaceBroker().GetInterface(
-      text_input_host_.BindNewPipeAndPassReceiver());
+      text_input_host_.BindNewPipeAndPassReceiver(
+          GetTaskRunner(blink::TaskType::kInternalDefault)));
 #endif
 }

@@ -1714,7 +1724,8 @@ void LocalFrame::PauseSubresourceLoading(
  auto handle = GetFrameScheduler()->GetPauseSubresourceLoadingHandle();
  if (!handle)
    return;
-  pause_handle_receivers_.Add(std::move(handle), std::move(receiver));
+  pause_handle_receivers_.Add(std::move(handle), std::move(receiver),
+                              GetTaskRunner(blink::TaskType::kInternalDefault));
 }

 void LocalFrame::ResumeSubresourceLoading() {
@@ -1761,13 +1772,13 @@ const base::UnguessableToken& LocalFrame::GetAgentClusterId() const {
                       : base::UnguessableToken::Null();
 }

-const mojo::Remote<mojom::blink::ReportingServiceProxy>&
-LocalFrame::GetReportingService() const {
-  if (!reporting_service_) {
+mojom::blink::ReportingServiceProxy* LocalFrame::GetReportingService() {
+  if (!reporting_service_.is_bound()) {
    Platform::Current()->GetBrowserInterfaceBroker()->GetInterface(
-        reporting_service_.BindNewPipeAndPassReceiver());
+        reporting_service_.BindNewPipeAndPassReceiver(
+            GetTaskRunner(blink::TaskType::kInternalDefault)));
  }
-  return reporting_service_;
+  return reporting_service_.get();
 }

 // static
@@ -2310,7 +2321,8 @@ void LocalFrame::AddMessageToConsole(mojom::blink::ConsoleMessageLevel level,

 void LocalFrame::AddInspectorIssue(mojom::blink::InspectorIssueInfoPtr info) {
  if (GetPage()) {
-    GetPage()->GetInspectorIssueStorage().AddInspectorIssue(DomWindow(), std::move(info));
+    GetPage()->GetInspectorIssueStorage().AddInspectorIssue(DomWindow(),
+                                                            std::move(info));
  }
 }

@@ -2732,7 +2744,7 @@ bool LocalFrame::ShouldThrottleDownload() {

 #if defined(OS_MACOSX)
 mojom::blink::TextInputHost& LocalFrame::GetTextInputHost() {
-  DCHECK(text_input_host_);
+  DCHECK(text_input_host_.is_bound());
  return *text_input_host_.get();
 }
 #endif

--- a/third_party/blink/renderer/core/frame/local_frame.h
+++ b/third_party/blink/renderer/core/frame/local_frame.h
@@ -35,8 +35,6 @@
 #include "base/time/default_tick_clock.h"
 #include "base/unguessable_token.h"
 #include "build/build_config.h"
-#include "mojo/public/cpp/bindings/associated_receiver.h"
-#include "mojo/public/cpp/bindings/associated_remote.h"
 #include "mojo/public/cpp/bindings/pending_associated_receiver.h"
 #include "mojo/public/cpp/bindings/pending_receiver.h"
 #include "mojo/public/cpp/bindings/unique_receiver_set.h"
@@ -63,6 +61,11 @@
 #include "third_party/blink/renderer/platform/heap/handle.h"
 #include "third_party/blink/renderer/platform/instrumentation/instance_counters.h"
 #include "third_party/blink/renderer/platform/loader/fetch/client_hints_preferences.h"
+#include "third_party/blink/renderer/platform/mojo/heap_mojo_associated_receiver.h"
+#include "third_party/blink/renderer/platform/mojo/heap_mojo_associated_remote.h"
+#include "third_party/blink/renderer/platform/mojo/heap_mojo_remote.h"
+#include "third_party/blink/renderer/platform/mojo/heap_mojo_unique_receiver_set.h"
+#include "third_party/blink/renderer/platform/mojo/heap_mojo_wrapper_mode.h"
 #include "third_party/blink/renderer/platform/scheduler/public/frame_scheduler.h"
 #include "third_party/blink/renderer/platform/supplementable.h"
 #include "third_party/blink/renderer/platform/wtf/hash_set.h"
@@ -447,8 +450,7 @@ class CORE_EXPORT LocalFrame final : public Frame,

  SmoothScrollSequencer& GetSmoothScrollSequencer();

-  const mojo::Remote<mojom::blink::ReportingServiceProxy>& GetReportingService()
-      const;
+  mojom::blink::ReportingServiceProxy* GetReportingService();

  // Returns the frame host ptr. The interface returned is backed by an
  // associated interface with the legacy Chrome IPC channel.
@@ -680,8 +682,13 @@ class CORE_EXPORT LocalFrame final : public Frame,

  // Holds all PauseSubresourceLoadingHandles allowing either |this| to delete
  // them explicitly or the pipe closing to delete them.
-  mojo::UniqueReceiverSet<blink::mojom::blink::PauseSubresourceLoadingHandle>
-      pause_handle_receivers_;
+  //
+  // LocalFrame can be reused by multiple ExecutionContext.
+  HeapMojoUniqueReceiverSet<
+      blink::mojom::blink::PauseSubresourceLoadingHandle,
+      std::default_delete<blink::mojom::blink::PauseSubresourceLoadingHandle>,
+      HeapMojoWrapperMode::kWithoutContextObserver>
+      pause_handle_receivers_{nullptr};

  // Keeps track of all the registered VK observers.
  HeapHashSet<WeakMember<VirtualKeyboardOverlayChangedObserver>>
@@ -738,10 +745,17 @@ class CORE_EXPORT LocalFrame final : public Frame,
  InterfaceRegistry* const interface_registry_;
  // This is declared mutable so that the service endpoint can be cached by
  // const methods.
-  mutable mojo::Remote<mojom::blink::ReportingServiceProxy> reporting_service_;
+  //
+  // LocalFrame can be reused by multiple ExecutionContext.
+  mutable HeapMojoRemote<mojom::blink::ReportingServiceProxy,
+                         HeapMojoWrapperMode::kWithoutContextObserver>
+      reporting_service_{nullptr};

 #if defined(OS_MACOSX)
-  mojo::Remote<mojom::blink::TextInputHost> text_input_host_;
+  // LocalFrame can be reused by multiple ExecutionContext.
+  HeapMojoRemote<mojom::blink::TextInputHost,
+                 HeapMojoWrapperMode::kWithoutContextObserver>
+      text_input_host_{nullptr};
 #endif

  ViewportIntersectionState intersection_state_;
@@ -771,10 +785,20 @@ class CORE_EXPORT LocalFrame final : public Frame,

  std::unique_ptr<WebPrescientNetworking> prescient_networking_;

-  mojo::AssociatedRemote<mojom::blink::LocalFrameHost> local_frame_host_remote_;
-  mojo::AssociatedReceiver<mojom::blink::LocalFrame> receiver_{this};
-  mojo::AssociatedReceiver<mojom::blink::LocalMainFrame> main_frame_receiver_{
-      this};
+  // LocalFrame can be reused by multiple ExecutionContext.
+  HeapMojoAssociatedRemote<mojom::blink::LocalFrameHost,
+                           HeapMojoWrapperMode::kWithoutContextObserver>
+      local_frame_host_remote_{nullptr};
+  // LocalFrame can be reused by multiple ExecutionContext.
+  HeapMojoAssociatedReceiver<mojom::blink::LocalFrame,
+                             LocalFrame,
+                             HeapMojoWrapperMode::kWithoutContextObserver>
+      receiver_{this, nullptr};
+  // LocalFrame can be reused by multiple ExecutionContext.
+  HeapMojoAssociatedReceiver<mojom::blink::LocalMainFrame,
+                             LocalFrame,
+                             HeapMojoWrapperMode::kWithoutContextObserver>
+      main_frame_receiver_{this, nullptr};

  // Variable to control burst of download requests.
  int num_burst_download_requests_ = 0;

--- a/third_party/blink/renderer/core/frame/local_frame_test.cc
+++ b/third_party/blink/renderer/core/frame/local_frame_test.cc
@@ -260,7 +260,8 @@ TEST_F(LocalFrameTest, CharacterIndexAtPointWithPinchZoom) {
  TestTextInputHostWaiter waiter;
  waiter.Init(run_loop.QuitClosure(), main_frame->GetBrowserInterfaceBroker());
  main_frame->GetBrowserInterfaceBroker().GetInterface(
-      main_frame->text_input_host_.BindNewPipeAndPassReceiver());
+      main_frame->text_input_host_.BindNewPipeAndPassReceiver(
+          main_frame->GetTaskRunner(blink::TaskType::kInternalDefault)));
  // Since we're zoomed in to 2X, each char of Ahem is 20px wide/tall in
  // viewport space. We expect to hit the fifth char on the first line.
  main_frame->GetCharacterIndexAtPoint(gfx::Point(100, 15));

--- a/third_party/blink/renderer/platform/mojo/heap_mojo_associated_receiver_set.h
+++ b/third_party/blink/renderer/platform/mojo/heap_mojo_associated_receiver_set.h
@@ -35,7 +35,6 @@ class HeapMojoAssociatedReceiverSet {
                  "Owner should implement Interface");
    static_assert(IsGarbageCollectedType<Owner>::value,
                  "Owner needs to be a garbage collected object");
-    DCHECK(context);
  }
  HeapMojoAssociatedReceiverSet(const HeapMojoAssociatedReceiverSet&) = delete;
  HeapMojoAssociatedReceiverSet& operator=(

--- a/third_party/blink/renderer/platform/mojo/heap_mojo_receiver_set.h
+++ b/third_party/blink/renderer/platform/mojo/heap_mojo_receiver_set.h
@@ -35,7 +35,6 @@ class HeapMojoReceiverSet {
                  "Owner should implement Interface");
    static_assert(IsGarbageCollectedType<Owner>::value,
                  "Owner needs to be a garbage collected object");
-    DCHECK(context);
  }
  HeapMojoReceiverSet(const HeapMojoReceiverSet&) = delete;
  HeapMojoReceiverSet& operator=(const HeapMojoReceiverSet&) = delete;

--- a/third_party/blink/renderer/platform/mojo/heap_mojo_unique_receiver_set.h
+++ b/third_party/blink/renderer/platform/mojo/heap_mojo_unique_receiver_set.h
@@ -31,9 +31,7 @@ class HeapMojoUniqueReceiverSet {
      mojo::UniquePtrImplRefTraits<Interface, Deleter>>::ImplPointerType;

  explicit HeapMojoUniqueReceiverSet(ContextLifecycleNotifier* context)
-      : wrapper_(MakeGarbageCollected<Wrapper>(context)) {
-    DCHECK(context);
-  }
+      : wrapper_(MakeGarbageCollected<Wrapper>(context)) {}
  HeapMojoUniqueReceiverSet(const HeapMojoUniqueReceiverSet&) = delete;
  HeapMojoUniqueReceiverSet& operator=(const HeapMojoUniqueReceiverSet&) =
      delete;