Fix leaking of RenderFrames.

content/renderer/render_frame_impl.cc

Index: content/renderer/render_frame_impl.cc
diff --git a/content/renderer/render_frame_impl.cc b/content/renderer/render_frame_impl.cc
index 623fd1679c52b25ea070f4fb974b3ecbe4f00856..f7774bbcbe79befc224ff8f4db528fa6092c5524 100644
--- a/content/renderer/render_frame_impl.cc
+++ b/content/renderer/render_frame_impl.cc
@@ -670,6 +670,13 @@ void RenderFrameImpl::CreateFrame(
 }
 
 // static
+void RenderFrameImpl::DetachFrame(int routing_id) {
+  RenderFrameImpl* frame = RenderFrameImpl::FromRoutingID(routing_id);
+  frame->set_in_browser_initiated_detach();
+  frame->GetWebFrame()->detach();
+}
+
+// static
 RenderFrame* RenderFrame::FromWebFrame(blink::WebFrame* web_frame) {
   return RenderFrameImpl::FromWebFrame(web_frame);
 }
@@ -732,6 +739,7 @@ RenderFrameImpl::RenderFrameImpl(const CreateParams& params)
     : frame_(NULL),
       is_main_frame_(true),
       is_local_root_(false),
+      in_browser_initiated_detach_(false),
       render_view_(params.render_view->AsWeakPtr()),
       routing_id_(params.routing_id),
       is_swapped_out_(false),
@@ -2360,9 +2368,8 @@ void RenderFrameImpl::frameDetached(blink::WebFrame* frame, DetachType type) {
                     FrameDetached(frame));
 
   // We only notify the browser process when the frame is being detached for
-  // removal. If the frame is being detached for swap, we don't need to do this
-  // since we are not modifiying the frame tree.
-  if (type == DetachType::Remove)
+  // removal and it was initiated from the renderer process.
+  if (!in_browser_initiated_detach_ && type == DetachType::Remove)
     Send(new FrameHostMsg_Detach(routing_id_));
 
   // The |is_detaching_| flag disables Send(). FrameHostMsg_Detach must be
@@ -2385,10 +2392,20 @@ void RenderFrameImpl::frameDetached(blink::WebFrame* frame, DetachType type) {
   g_frame_map.Get().erase(it);
 
   // Only remove the frame from the renderer's frame tree if the frame is
-  // being detached for removal. In the case of a swap, the frame needs to
-  // remain in the tree so WebFrame::swap() can replace it with the new frame.
-  if (!is_main_frame_ && type == DetachType::Remove)
-    frame->parent()->removeChild(frame);
+  // being detached for removal and it is inserted in the set of child frames.
+  // In the case of a swap, the frame needs to remain in the tree so
+  // WebFrame::swap() can replace it with the new frame.
+  if (!is_main_frame_ && type == DetachType::Remove) {
+    for (WebFrame* child = frame->firstChild(); child;

[Charlie Reis, 2015/11/02 23:43:50]

This doesn't look right to me.  Shouldn't we be looking at frame->parent()'s
children?  frame won't ever be equal to its own child.

+         child = child->nextSibling()) {
+      if (child == frame) {
+        LOG(ERROR) << "Removing child from parent";
+        frame->parent()->removeChild(frame);
+        break;
+      }
+    }
+    LOG(ERROR) << "Frame not found in parent's children";
+  }
 
   // |frame| is invalid after here.  Be sure to clear frame_ as well, since this
   // object may not be deleted immediately and other methods may try to access