Always create FrameTreeNodes and RenderFrameHosts for every frame.

content/renderer/render_frame_impl.cc

Index: content/renderer/render_frame_impl.cc
diff --git a/content/renderer/render_frame_impl.cc b/content/renderer/render_frame_impl.cc
index 5c7bf33324fe30826dc8f08cc3cb7fd886ec25a8..2825d7cfba431b07790071af17bd16cdc5343fe3 100644
--- a/content/renderer/render_frame_impl.cc
+++ b/content/renderer/render_frame_impl.cc
@@ -7,7 +7,7 @@
 #include <map>
 #include <string>
 
-#include "base/command_line.h"
+#include "base/debug/alias.h"
 #include "base/i18n/char_iterator.h"
 #include "base/strings/utf_string_conversions.h"
 #include "base/time/time.h"
@@ -143,6 +143,13 @@ RenderFrameImpl::~RenderFrameImpl() {
   RenderThread::Get()->RemoveRoute(routing_id_);
 }
 
+// TODO(nasko): Overload the delete operator to overwrite the freed
+// RenderFrameImpl object and help detect potential use-after-free bug.
+// See https://crbug.com/245126#c34.
+void RenderFrameImpl::operator delete(void* ptr) {
+  memset(ptr, 0xAF, sizeof(RenderFrameImpl));
+}
+
 void RenderFrameImpl::MainWebFrameCreated(blink::WebFrame* frame) {
   FOR_EACH_OBSERVER(RenderFrameObserver, observers_,
                     WebFrameCreated(frame));
@@ -602,31 +609,30 @@ void RenderFrameImpl::didAccessInitialDocument(blink::WebFrame* frame) {
 blink::WebFrame* RenderFrameImpl::createChildFrame(
     blink::WebFrame* parent,
     const blink::WebString& name) {
-  RenderFrameImpl* child_render_frame = this;
   long long child_frame_identifier = WebFrame::generateEmbedderIdentifier();
-  if (CommandLine::ForCurrentProcess()->HasSwitch(switches::kSitePerProcess)) {
-    // Synchronously notify the browser of a child frame creation to get the
-    // routing_id for the RenderFrame.
-    int routing_id;
-    Send(new FrameHostMsg_CreateChildFrame(routing_id_,
-                                           parent->identifier(),
-                                           child_frame_identifier,
-                                           base::UTF16ToUTF8(name),
-                                           &routing_id));
-    child_render_frame = RenderFrameImpl::Create(render_view_, routing_id);
-  }
-
+  // Synchronously notify the browser of a child frame creation to get the
+  // routing_id for the RenderFrame.
+  int routing_id = MSG_ROUTING_NONE;
+  Send(new FrameHostMsg_CreateChildFrame(routing_id_,
+                                         parent->identifier(),
+                                         child_frame_identifier,
+                                         base::UTF16ToUTF8(name),
+                                         &routing_id));
+  if (routing_id == MSG_ROUTING_NONE)
+    return NULL;
+  RenderFrameImpl* child_render_frame = RenderFrameImpl::Create(render_view_,
+                                                                routing_id);
+  CHECK(child_render_frame);

[awong, 2013/12/27 21:59:36]

Add TODO saying this is an over-conservative debug check. 

[nasko, 2013/12/27 22:14:53]

Done.

   blink::WebFrame* web_frame = WebFrame::create(child_render_frame,
                                                 child_frame_identifier);
+  CHECK(web_frame);

[awong, 2013/12/27 21:59:36]

Add TODO saying this is an over-conservative debug check. 

[nasko, 2013/12/27 22:14:53]

Done.

 
-  if (CommandLine::ForCurrentProcess()->HasSwitch(switches::kSitePerProcess)) {
-    g_child_frame_map.Get().insert(
-        std::make_pair(web_frame, child_render_frame));
-  } else {
-    FOR_EACH_OBSERVER(RenderFrameObserver, observers_,
-                      WebFrameCreated(web_frame));
-  }
+  std::pair<FrameMap::iterator, bool> result = g_child_frame_map.Get().insert(
+      std::make_pair(web_frame, child_render_frame));
+  CHECK(result.second) << "Inserting a duplicate item!";

[awong, 2013/12/27 21:59:36]

Add TODO saying this is an over-conservative debug check. 

[nasko, 2013/12/27 22:14:53]

I'd like to actually keep this in the long term, we should never be adding
duplicates.

[awong, 2013/12/27 22:25:47]

Okay. Remove the exclamation then. :)

IIRC, there's a tendency to avoid exclamatory log messages.

 
+  FOR_EACH_OBSERVER(RenderFrameObserver, observers_,
+                    WebFrameCreated(web_frame));
   return web_frame;
 }
 
@@ -639,46 +645,46 @@ void RenderFrameImpl::frameDetached(blink::WebFrame* frame) {
   // the parent frame.  This is different from createChildFrame() which is
   // called on the parent frame.
   CHECK(!is_detaching_);
+  base::debug::Alias(frame);

[awong, 2013/12/27 21:59:36]

Add TODO saying to remove all the Alias() calls int he function.

[nasko, 2013/12/27 22:14:53]

Done.

+
+  bool is_subframe = !!frame->parent();
+  base::debug::Alias(&is_subframe);
 
   int64 parent_frame_id = -1;
-  if (frame->parent())
+  if (is_subframe)
     parent_frame_id = frame->parent()->identifier();
+  base::debug::Alias(&parent_frame_id);

[awong, 2013/12/27 21:59:36]

Move the alias to right after declaration?

[nasko, 2013/12/27 22:14:53]

Done.

 
   Send(new FrameHostMsg_Detach(routing_id_, parent_frame_id,
                                frame->identifier()));
 
-  // Currently multiple WebCore::Frames can send frameDetached to a single
-  // RenderFrameImpl. This is legacy behavior from when RenderViewImpl served
-  // as a shared WebFrameClient for multiple Webcore::Frame objects. It also
-  // prevents this class from entering the |is_detaching_| state because
-  // even though one WebCore::Frame may have detached itself, others will
-  // still need to use this object.
-  if (CommandLine::ForCurrentProcess()->HasSwitch(switches::kSitePerProcess)) {
-    // The |is_detaching_| flag disables Send(). FrameHostMsg_Detach must be
-    // sent before setting |is_detaching_| to true. In contrast, Observers
-    // should only be notified afterwards so they cannot call back into and
-    // have IPCs fired off.
-    is_detaching_ = true;
-  }
+  // The |is_detaching_| flag disables Send(). FrameHostMsg_Detach must be
+  // sent before setting |is_detaching_| to true. In contrast, Observers
+  // should only be notified afterwards so they cannot call back into and

[awong, 2013/12/27 21:59:36]

nit: back into -> back into here

[nasko, 2013/12/27 22:14:53]

Done.

+  // have IPCs fired off.
+  is_detaching_ = true;
 
   // Call back to RenderViewImpl for observers to be notified.
   // TODO(nasko): Remove once we have RenderFrameObserver.
   render_view_->frameDetached(frame);
 
+  // We need to clean up subframes by removing them from the map and deleting
+  // the RenderFrameImpl.  In contrast, the main frame is owned by its
+  // containing RenderViewHost (so that they have the same lifetime), so it does
+  // not require any cleanup here.
+  if (is_subframe) {
+    FrameMap::iterator it = g_child_frame_map.Get().find(frame);
+    CHECK(it != g_child_frame_map.Get().end());
+    CHECK_EQ(it->second, this);
+    g_child_frame_map.Get().erase(it);
+  }
+
+  // |frame| is invalid after here.
   frame->close();
 
-  if (CommandLine::ForCurrentProcess()->HasSwitch(switches::kSitePerProcess)) {
-    // If the frame does not have a parent, it is the main frame. The main
-    // frame is owned by the containing RenderViewHost so it does not require
-    // any cleanup here.
-    if (frame->parent()) {
-      FrameMap::iterator it = g_child_frame_map.Get().find(frame);
-      DCHECK(it != g_child_frame_map.Get().end());
-      DCHECK_EQ(it->second, this);
-      g_child_frame_map.Get().erase(it);
-      delete this;
-      // Object is invalid after this point.
-    }
+  if (is_subframe) {
+    delete this;
+    // Object is invalid after this point.
   }
 }