Prevent creating a swapped out RVH in the same SiteInstance as the current one.

content/browser/web_contents/render_view_host_manager.cc

 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "content/browser/web_contents/render_view_host_manager.h"
 
 #include <utility>
 
 #include "base/command_line.h"
 #include "base/debug/trace_event.h"
@@ skipping 411 matching lines @@
 }
 
 bool RenderViewHostManager::ShouldSwapProcessesForNavigation(
     const NavigationEntry* curr_entry,
     const NavigationEntryImpl* new_entry) const {
   DCHECK(new_entry);
 
   // Check for reasons to swap processes even if we are in a process model that
   // doesn't usually swap (e.g., process-per-tab).
 
-  // For security, we should transition between processes when one is a Web UI
-  // page and one isn't.  If there's no curr_entry, check the current RVH's
-  // site, which might already be committed to a Web UI URL (such as the NTP).
-  const GURL& current_url = (curr_entry) ? curr_entry->GetURL() :
-      render_view_host_->GetSiteInstance()->GetSiteURL();
+  // We use the effective URL here, since that's what is used in the
+  // SiteInstance's site and when we later call IsSameWebSite.  If there's no
+  // curr_entry, check the current SiteInstance's site, which might already be
+  // committed to a Web UI URL (such as the NTP).
   BrowserContext* browser_context =
       delegate_->GetControllerForRenderManager().GetBrowserContext();
+  const GURL& current_url = (curr_entry) ?
+      SiteInstanceImpl::GetEffectiveURL(browser_context, curr_entry->GetURL()) :
+      render_view_host_->GetSiteInstance()->GetSiteURL();
+  const GURL& new_url = SiteInstanceImpl::GetEffectiveURL(browser_context,
+                                                          new_entry->GetURL());
+
+  // For security, we should transition between processes when one is a Web UI
+  // page and one isn't.
   if (WebUIControllerFactoryRegistry::GetInstance()->UseWebUIForURL(
           browser_context, current_url)) {
     // Force swap if it's not an acceptable URL for Web UI.
     // Here, data URLs are never allowed.
     if (!WebUIControllerFactoryRegistry::GetInstance()->IsURLAcceptableForWebUI(
-            browser_context, new_entry->GetURL(), false)) {
+            browser_context, new_url, false)) {
       return true;
     }
   } else {
     // Force swap if it's a Web UI URL.
     if (WebUIControllerFactoryRegistry::GetInstance()->UseWebUIForURL(
-            browser_context, new_entry->GetURL())) {
+            browser_context, new_url)) {
       return true;
     }
   }
 
+  // Check with the content client as well.  Important to pass current_url here,
+  // which uses the SiteInstance's site if there is no curr_entry.
   if (GetContentClient()->browser()->ShouldSwapProcessesForNavigation(
-          render_view_host_->GetSiteInstance(),
-          curr_entry ? curr_entry->GetURL() : GURL(),
-          new_entry->GetURL())) {
+          render_view_host_->GetSiteInstance(), current_url, new_url)) {
     return true;
   }
 
   if (!curr_entry)
     return false;
 
   // We can't switch a RenderView between view source and non-view source mode
   // without screwing up the session history sometimes (when navigating between
   // "view-source:http://foo.com/" and "http://foo.com/", WebKit doesn't treat
   // it as a new navigation). So require a view switch.
@@ skipping 172 matching lines @@
     return curr_instance->GetRelatedSiteInstance(dest_url);
   }
 }
 
 int RenderViewHostManager::CreateRenderView(
     SiteInstance* instance,
     int opener_route_id,
     bool swapped_out) {
   CHECK(instance);
 
+  // We are creating a pending or swapped out RVH here.  We should never create
+  // it in the same SiteInstance as our current RVH.
+  CHECK_NE(render_view_host_->GetSiteInstance(), instance);
+
   // Check if we've already created an RVH for this SiteInstance.  If so, try
   // to re-use the existing one, which has already been initialized.  We'll
   // remove it from the list of swapped out hosts if it commits.
   RenderViewHostImpl* new_render_view_host = static_cast<RenderViewHostImpl*>(
       GetSwappedOutRenderViewHost(instance));
   if (new_render_view_host) {
     // Prevent the process from exiting while we're trying to use it.
     if (!swapped_out)
       new_render_view_host->GetProcess()->AddPendingView();
   } else {
@@ skipping 347 matching lines @@
 RenderViewHostImpl* RenderViewHostManager::GetSwappedOutRenderViewHost(
     SiteInstance* instance) {
   RenderViewHostMap::iterator iter = swapped_out_hosts_.find(instance->GetId());
   if (iter != swapped_out_hosts_.end())
     return iter->second;
 
   return NULL;
 }
 
 }  // namespace content