OOPIF: Reinitialize a dead subframe correctly for same-site navigations.

content/browser/frame_host/render_frame_host_manager.cc

 // Copyright 2013 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "content/browser/frame_host/render_frame_host_manager.h"
 
 #include <stddef.h>
 
 #include <algorithm>
 #include <utility>
@@ skipping 220 matching lines @@
   if (!dest_render_frame_host->IsRenderFrameLive()) {
     // Instruct the destination render frame host to set up a Mojo connection
     // with the new render frame if necessary.  Note that this call needs to
     // occur before initializing the RenderView; the flow of creating the
     // RenderView can cause browser-side code to execute that expects the this
     // RFH's shell::InterfaceRegistry to be initialized (e.g., if the site is a
     // WebUI site that is handled via Mojo, then Mojo WebUI code in //chrome
     // will add an interface to this RFH's InterfaceRegistry).
     dest_render_frame_host->SetUpMojoIfNeeded();
 
-    // Recreate the opener chain.
-    CreateOpenerProxies(dest_render_frame_host->GetSiteInstance(),
-                        frame_tree_node_);
-    if (!InitRenderView(dest_render_frame_host->render_view_host(), nullptr))
+    if (!ReinitializeRenderFrame(dest_render_frame_host))
       return nullptr;
 
     if (GetNavigatingWebUI()) {
       // A new RenderView was created and there is a navigating WebUI which
       // never interacted with it. So notify the WebUI using RenderViewCreated.
       GetNavigatingWebUI()->RenderViewCreated(
           dest_render_frame_host->render_view_host());
     }
 
     // Now that we've created a new renderer, be sure to hide it if it isn't
@@ skipping 609 matching lines @@
       }
     }
   }
   DCHECK(navigation_rfh &&
          (navigation_rfh == render_frame_host_.get() ||
           navigation_rfh == speculative_render_frame_host_.get()));
 
   // If the RenderFrame that needs to navigate is not live (its process was just
   // created or has crashed), initialize it.
   if (!navigation_rfh->IsRenderFrameLive()) {
-    // Recreate the opener chain.
-    CreateOpenerProxies(navigation_rfh->GetSiteInstance(), frame_tree_node_);
-    if (!InitRenderView(navigation_rfh->render_view_host(), nullptr))
+    if (!ReinitializeRenderFrame(navigation_rfh))
       return nullptr;
+
     notify_webui_of_rv_creation = true;
 
     if (navigation_rfh == render_frame_host_.get()) {
       // TODO(nasko): This is a very ugly hack. The Chrome extensions process
       // manager still uses NotificationService and expects to see a
       // RenderViewHost changed notification after WebContents and
       // RenderFrameHostManager are completely initialized. This should be
       // removed once the process manager moves away from NotificationService.
       // See https://crbug.com/462682.
       delegate_->NotifyMainFrameSwappedFromRenderManager(
           nullptr, render_frame_host_->render_view_host());
     }
-    DCHECK(navigation_rfh->IsRenderFrameLive());
   }
 
   // If a WebUI was created in a speculative RenderFrameHost or a new RenderView
   // was created then the WebUI never interacted with the RenderView. Notify
   // using RenderViewCreated.
   if (notify_webui_of_rv_creation && GetNavigatingWebUI())
     GetNavigatingWebUI()->RenderViewCreated(navigation_rfh->render_view_host());
 
   return navigation_rfh;
 }
@@ skipping 1118 matching lines @@
 
       base::debug::DumpWithoutCrashing();
     }
   }
 
   return delegate_->CreateRenderFrameForRenderManager(
       render_frame_host, proxy_routing_id, opener_routing_id, parent_routing_id,
       previous_sibling_routing_id);
 }
 
+bool RenderFrameHostManager::ReinitializeRenderFrame(
+    RenderFrameHostImpl* render_frame_host) {
+  // This should be used only when the RenderFrame is not live.
+  DCHECK(!render_frame_host->IsRenderFrameLive());
+
+  // Recreate the opener chain.
+  CreateOpenerProxies(render_frame_host->GetSiteInstance(), frame_tree_node_);
+
+  // Main frames need both the RenderView and RenderFrame reinitialized, so
+  // use InitRenderView.  For cross-process subframes, InitRenderView won't
+  // recreate the RenderFrame, so use InitRenderFrame instead.  Note that for
+  // subframe RenderFrameHosts, the swapped out RenderView in their
+  // SiteInstance will be recreated as part of CreateOpenerProxies above.
+  if (!frame_tree_node_->parent()) {
+    DCHECK(!GetRenderFrameProxyHost(render_frame_host->GetSiteInstance()));
+    if (!InitRenderView(render_frame_host->render_view_host(), nullptr))

[alexmos, 2016/08/11 01:07:31]

I was thinking whether passing a nullptr proxy is always correct here, and I
think it is - for one, UpdateStateForNavigate would've cleared the proxy before
we get here.

[Charlie Reis, 2016/08/11 18:50:29]

Acknowledged.

+      return false;
+  } else {
+    if (!InitRenderFrame(render_frame_host))
+      return false;
+
+    // When a subframe renderer dies, its RenderWidgetHostView is cleared in
+    // its CrossProcessFrameConnector, so we need to restore it now that it
+    // is re-initialized.
+    RenderFrameProxyHost* proxy_to_parent = GetProxyToParent();
+    if (proxy_to_parent)
+      GetProxyToParent()->SetChildRWHView(render_frame_host->GetView());

[alexmos, 2016/08/11 01:07:31]

Normally, this is done as part of CommitPending().  However, for same-site
navigations CommitPending won't happen, since the current RFH will be reused.  

The RWHVCF is cleared in the CPFC when the process dies in
RWHVCF::RenderProcessGone -> RWHVCF::Destroy.

[Charlie Reis, 2016/08/11 18:50:29]

Acknowledged.

+  }
+
+  DCHECK(render_frame_host->IsRenderFrameLive());
+  return true;
+}
+
 int RenderFrameHostManager::GetRoutingIdForSiteInstance(
     SiteInstance* site_instance) {
   if (render_frame_host_->GetSiteInstance() == site_instance)
     return render_frame_host_->GetRoutingID();
 
   RenderFrameProxyHost* proxy = GetRenderFrameProxyHost(site_instance);
   if (proxy)
     return proxy->GetRoutingID();
 
   return MSG_ROUTING_NONE;
@@ skipping 585 matching lines @@
                                              resolved_url)) {
     DCHECK(!dest_instance ||
            dest_instance == render_frame_host_->GetSiteInstance());
     return false;
   }
 
   return true;
 }
 
 }  // namespace content