Fix WebURLLoaderImpl::Context leak if a pending request is canceled.

content/child/resource_dispatcher.cc

 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 // See http://dev.chromium.org/developers/design-documents/multi-process-resource-loading
 
 #include "content/child/resource_dispatcher.h"
 
 #include "base/basictypes.h"
 #include "base/bind.h"
@@ skipping 279 matching lines @@
     return true;
   }
 
   PendingRequestInfo* request_info = GetPendingRequestInfo(request_id);
   if (!request_info) {
     // Release resources in the message if it is a data message.
     ReleaseResourcesInDataMessage(message);
     return true;
   }
 
+  // If the request has been canceled, only dispatch
+  // ResourceMsg_RequestComplete (otherwise resource leaks) and drop other
+  // messages.
+  if (request_info->is_canceled) {
+    if (message.type() == ResourceMsg_RequestComplete::ID) {
+      DispatchMessage(message);
+    } else {
+      ReleaseResourcesInDataMessage(message);
+    }
+    return true;
+  }
+
   if (request_info->is_deferred) {
     request_info->deferred_message_queue.push_back(new IPC::Message(message));
     return true;
   }
   // Make sure any deferred messages are dispatched before we dispatch more.
   if (!request_info->deferred_message_queue.empty()) {
     FlushDeferredMessages(request_id);
     // The request could have been deferred now. If yes then the current
     // message has to be queued up. The request_info instance should remain
     // valid here as there are pending messages for it.
@@ skipping 271 matching lines @@
   return true;
 }
 
 void ResourceDispatcher::CancelPendingRequest(int request_id) {
   PendingRequestList::iterator it = pending_requests_.find(request_id);
   if (it == pending_requests_.end()) {
     DVLOG(1) << "unknown request";
     return;
   }
 
+  PendingRequestInfo& request_info = it->second;
+  request_info.is_canceled = true;
+
+  // Because message handlers could result in request_info being destroyed,
+  // we need to work with a stack reference to the deferred queue.
+  MessageQueue queue;
+  queue.swap(request_info.deferred_message_queue);
+  // Removes pending requests. If ResourceMsg_RequestComplete was queued,
+  // dispatch it.
+  bool first_message = true;
+  while (!queue.empty()) {
+    IPC::Message* message = queue.front();

[mmenke, 2014/05/08 17:54:00]

optional:  I think it would be a little cleaner to do:

scoped_ptr<IPC::Message> message = queue.front();
queue.pop_front();

And then get rid of the delete in the end.  It makes it clearer that it's
deleted on all codepaths.

+    if (message->type() == ResourceMsg_RequestComplete::ID) {
+      if (first_message) {
+        // Dispatch as-is.
+        DispatchMessage(*message);
+      } else {
+        // If we skip some ResourceMsg_DataReceived and then dispatched the
+        // original ResourceMsg_RequestComplete(status=success), chrome will
+        // crash because it entered an unexpected state. So replace
+        // ResourceMsg_RequestComplete with failure status.
+        ResourceMsg_RequestCompleteData request_complete_data;
+        request_complete_data.error_code = net::ERR_ABORTED;
+        request_complete_data.was_ignored_by_handler = false;
+        request_complete_data.exists_in_cache = false;
+        request_complete_data.completion_time = base::TimeTicks();
+        request_complete_data.encoded_data_length = 0;
+
+        ResourceMsg_RequestComplete error_message(request_id,
+            request_complete_data);
+        DispatchMessage(error_message);
+      }
+    } else {
+      ReleaseResourcesInDataMessage(*message);
+    }
+    first_message = false;
+    queue.pop_front();
+    delete message;
+  }
+
   // |request_id| will be removed from |pending_requests_| when
   // OnRequestComplete returns with ERR_ABORTED.
   message_sender()->Send(new ResourceHostMsg_CancelRequest(request_id));
 }
 
 void ResourceDispatcher::SetDefersLoading(int request_id, bool value) {
   PendingRequestList::iterator it = pending_requests_.find(request_id);
   if (it == pending_requests_.end()) {
     DLOG(ERROR) << "unknown request";
     return;
@@ skipping 19 matching lines @@
     int intra_priority_value) {
   DCHECK(ContainsKey(pending_requests_, request_id));
   message_sender()->Send(new ResourceHostMsg_DidChangePriority(
       request_id, new_priority, intra_priority_value));
 }
 
 ResourceDispatcher::PendingRequestInfo::PendingRequestInfo()
     : peer(NULL),
       resource_type(ResourceType::SUB_RESOURCE),
       is_deferred(false),
+      is_canceled(false),
       blocked_response(false),
       buffer_size(0) {
 }
 
 ResourceDispatcher::PendingRequestInfo::PendingRequestInfo(
     RequestPeer* peer,
     ResourceType::Type resource_type,
     int origin_pid,
     const GURL& frame_origin,
     const GURL& request_url)
     : peer(peer),
       resource_type(resource_type),
       origin_pid(origin_pid),
       is_deferred(false),
+      is_canceled(false),
       url(request_url),
       frame_origin(frame_origin),
       response_url(request_url),
       request_start(base::TimeTicks::Now()),
       blocked_response(false) {}
 
 ResourceDispatcher::PendingRequestInfo::~PendingRequestInfo() {}
 
 void ResourceDispatcher::DispatchMessage(const IPC::Message& message) {
   IPC_BEGIN_MESSAGE_MAP(ResourceDispatcher, message)
@@ skipping 151 matching lines @@
 void ResourceDispatcher::ReleaseResourcesInMessageQueue(MessageQueue* queue) {
   while (!queue->empty()) {
     IPC::Message* message = queue->front();
     ReleaseResourcesInDataMessage(*message);
     queue->pop_front();
     delete message;
   }
 }
 
 }  // namespace content