Check for already existing entry when adding to SiteProcessMap.

Check for already existing entry when adding to SiteProcessMap.

The SiteProcessMap::RegisterProcess can overwrite existing entries
in the map, which can lead to incorrect process being mapped to
a site in process-per-site mode. This CL checks for existence and
avoids the overwrite.

BUG=700514
CQ_INCLUDE_TRYBOTS=master.tryserver.chromium.linux:linux_site_isolation

Review-Url: https://codereview.chromium.org/2739193004
Cr-Commit-Position: refs/heads/master@{#456920}
Committed: https://chromium.googlesource.com/chromium/src/+/0e9d619f88ffabc3c237cbdf75603df8af9925e6

[nasko, 2017-03-10 06:42:38]

The CQ bit was checked by nasko@chromium.org to run a CQ dry run

[commit-bot: I haz the power, 2017-03-10 06:42:48]

Dry run: CQ is trying da patch. Follow status at
 
https://chromium-cq-status.appspot.com/v2/patch-status/codereview.chromium.or...

[commit-bot: I haz the power, 2017-03-10 07:06:06]

The CQ bit was unchecked by commit-bot@chromium.org

[commit-bot: I haz the power, 2017-03-10 07:06:07]

Dry run: Try jobs failed on following builders:
  linux_chromium_tsan_rel_ng on master.tryserver.chromium.linux (JOB_FAILED,
http://build.chromium.org/p/tryserver.chromium.linux/builders/linux_chromium_...)

[nasko, 2017-03-10 15:18:33]

The CQ bit was checked by nasko@chromium.org to run a CQ dry run

[commit-bot: I haz the power, 2017-03-10 15:18:44]

Dry run: CQ is trying da patch. Follow status at
 
https://chromium-cq-status.appspot.com/v2/patch-status/codereview.chromium.or...

[commit-bot: I haz the power, 2017-03-10 15:56:48]

The CQ bit was unchecked by commit-bot@chromium.org

[commit-bot: I haz the power, 2017-03-10 15:56:49]

Dry run: Try jobs failed on following builders:
  win_chromium_rel_ng on master.tryserver.chromium.win (JOB_FAILED,
http://build.chromium.org/p/tryserver.chromium.win/builders/win_chromium_rel_...)

[nasko, 2017-03-11 00:25:12]

Fix.

[nasko, 2017-03-11 00:27:36]

Description was changed from

==========
Check for already existing entry when adding to SiteProcessMap.

BUG=
==========

to

==========
Check for already existing entry when adding to SiteProcessMap.

The SiteProcessMap::RegisterProcess can overwrite existing entries
in the map, which can lead to incorrect process being mapped to
a site in process-per-site mode. This CL checks for existence and
avoids the overwrite.

BUG=700514
==========

[nasko, 2017-03-11 00:51:25]

The CQ bit was checked by nasko@chromium.org to run a CQ dry run

[commit-bot: I haz the power, 2017-03-11 00:51:51]

Dry run: CQ is trying da patch. Follow status at
 
https://chromium-cq-status.appspot.com/v2/patch-status/codereview.chromium.or...

[nasko, 2017-03-11 01:09:37]

nasko@chromium.org changed reviewers:
+ creis@chromium.org, rdevlin.cronin@chromium.org

[nasko, 2017-03-11 01:09:38]

Hey Charlie and Devlin,
Can you review this CL for me?

Devlin, the extension I had to write is pretty trivial, but also has an extra
html file that needs to be present to be blocked. Does that make sense to create
the extension in C++ code?

Thanks in advance!
Nasko

[commit-bot: I haz the power, 2017-03-11 01:36:29]

The CQ bit was unchecked by commit-bot@chromium.org

[commit-bot: I haz the power, 2017-03-11 01:36:30]

Dry run: Try jobs failed on following builders:
  linux_chromium_chromeos_rel_ng on master.tryserver.chromium.linux (JOB_FAILED,
http://build.chromium.org/p/tryserver.chromium.linux/builders/linux_chromium_...)

[Devlin, 2017-03-11 01:52:18]

Thanks for tracking this down!! :)

https://codereview.chromium.org/2739193004/diff/40001/chrome/browser/extensio...
File chrome/browser/extensions/process_management_browsertest.cc (right):

https://codereview.chromium.org/2739193004/diff/40001/chrome/browser/extensio...
chrome/browser/extensions/process_management_browsertest.cc:404: // Load an
extension, which will block a request for a specifig page in it.
*specific

https://codereview.chromium.org/2739193004/diff/40001/chrome/browser/extensio...
chrome/browser/extensions/process_management_browsertest.cc:423:
content::TestNavigationObserver observer(web_contents);
Doesn't NavigateToURL by default block until navigation is complete?

Also, from my (more limited) investigation, it seemed like if the extension had
a background page, this wouldn't have failed (because the site instance would
have been created).  It might be good to mention that somewhere, since normally
we'd have this handled by the background page.

https://codereview.chromium.org/2739193004/diff/40001/chrome/browser/extensio...
chrome/browser/extensions/process_management_browsertest.cc:436: web_contents,
"chrome.tabs.create({url: 'about:blank'});"));
Does this have to be done through the extension API?  It might be clearer to
just use e.g. NavigateToURL() with disposition of
NEW_[FOREGROUND|BACKGROUND]_TAB.

https://codereview.chromium.org/2739193004/diff/40001/chrome/browser/extensio...
chrome/browser/extensions/process_management_browsertest.cc:441: if
(new_web_contents->GetLastCommittedURL() != GURL(url::kAboutBlankURL)) {
The above might also solve this, since NavigateToURL should block until
complete.

https://codereview.chromium.org/2739193004/diff/40001/chrome/browser/extensio...
chrome/browser/extensions/process_management_browsertest.cc:453:
EXPECT_TRUE(content::ExecuteScript(new_web_contents, script));
Same question - does this need to be through ExecuteScript?  If so (possible),
why? (extend comments)  If not, prefer NavigateToURL().

https://codereview.chromium.org/2739193004/diff/40001/chrome/browser/extensio...
chrome/browser/extensions/process_management_browsertest.cc:462: // extensions
use the process-per-site model, each extension URL is registered
nit: process-per-extension?  process-per-origin?  Does "site" have a defined
meaning?

https://codereview.chromium.org/2739193004/diff/40001/chrome/browser/extensio...
chrome/browser/extensions/process_management_browsertest.cc:468:
extension->GetResourceURL(""));
nit: extension->url()

https://codereview.chromium.org/2739193004/diff/40001/chrome/test/data/extens...
File chrome/test/data/extensions/web_request_blocking/manifest.json (right):

https://codereview.chromium.org/2739193004/diff/40001/chrome/test/data/extens...
chrome/test/data/extensions/web_request_blocking/manifest.json:6: "permissions":
["webRequest", "webRequestBlocking", "tabs", "<all_urls>"],
is tabs needed?

https://codereview.chromium.org/2739193004/diff/40001/content/browser/rendere...
File content/browser/renderer_host/render_process_host_impl.cc (right):

https://codereview.chromium.org/2739193004/diff/40001/content/browser/rendere...
content/browser/renderer_host/render_process_host_impl.cc:338:
CHECK_EQ(i->second, process);
Looks like this CHECK is failing on bots :(

[nasko, 2017-03-13 15:50:46]

The CQ bit was checked by nasko@chromium.org to run a CQ dry run

[commit-bot: I haz the power, 2017-03-13 15:51:25]

Dry run: CQ is trying da patch. Follow status at
 
https://chromium-cq-status.appspot.com/v2/patch-status/codereview.chromium.or...

[commit-bot: I haz the power, 2017-03-13 16:52:00]

The CQ bit was unchecked by commit-bot@chromium.org

[commit-bot: I haz the power, 2017-03-13 16:52:01]

Dry run: This issue passed the CQ dry run.

[nasko, 2017-03-13 17:17:05]

The CQ bit was checked by nasko@chromium.org to run a CQ dry run

[commit-bot: I haz the power, 2017-03-13 17:17:29]

Dry run: CQ is trying da patch. Follow status at
 
https://chromium-cq-status.appspot.com/v2/patch-status/codereview.chromium.or...

[nasko, 2017-03-13 17:17:30]

Patchset #5 (id:80001) has been deleted

[commit-bot: I haz the power, 2017-03-13 17:20:06]

Dry run: Try jobs failed on following builders:
  ios-device on master.tryserver.chromium.mac (JOB_FAILED,
http://build.chromium.org/p/tryserver.chromium.mac/builders/ios-device/builds...)
  ios-device-xcode-clang on master.tryserver.chromium.mac (JOB_FAILED,
http://build.chromium.org/p/tryserver.chromium.mac/builders/ios-device-xcode-...)
  ios-simulator on master.tryserver.chromium.mac (JOB_FAILED,
http://build.chromium.org/p/tryserver.chromium.mac/builders/ios-simulator/bui...)
  ios-simulator-xcode-clang on master.tryserver.chromium.mac (JOB_FAILED,
http://build.chromium.org/p/tryserver.chromium.mac/builders/ios-simulator-xco...)

[nasko, 2017-03-13 17:22:03]

Devlin, can you take another look? I've fixed all of the review comments.

https://codereview.chromium.org/2739193004/diff/40001/chrome/browser/extensio...
File chrome/browser/extensions/process_management_browsertest.cc (right):

https://codereview.chromium.org/2739193004/diff/40001/chrome/browser/extensio...
chrome/browser/extensions/process_management_browsertest.cc:404: // Load an
extension, which will block a request for a specifig page in it.
On 2017/03/11 01:52:17, Devlin wrote:
> *specific

Done.

https://codereview.chromium.org/2739193004/diff/40001/chrome/browser/extensio...
chrome/browser/extensions/process_management_browsertest.cc:423:
content::TestNavigationObserver observer(web_contents);
On 2017/03/11 01:52:17, Devlin wrote:
> Doesn't NavigateToURL by default block until navigation is complete?

Good point :). I had so many iterations of this code that required an observer
that forgot to remove it at the end.
 
> Also, from my (more limited) investigation, it seemed like if the extension
had
> a background page, this wouldn't have failed (because the site instance would
> have been created).  It might be good to mention that somewhere, since
normally
> we'd have this handled by the background page.

I don't know if background pages are accounted differently, but SiteInstance is
already created by this navigation. I can experiment with background pages as a
follow up.

https://codereview.chromium.org/2739193004/diff/40001/chrome/browser/extensio...
chrome/browser/extensions/process_management_browsertest.cc:436: web_contents,
"chrome.tabs.create({url: 'about:blank'});"));
On 2017/03/11 01:52:18, Devlin wrote:
> Does this have to be done through the extension API?  It might be clearer to
> just use e.g. NavigateToURL() with disposition of
> NEW_[FOREGROUND|BACKGROUND]_TAB.

I was trying to mimic as closely what I observed. It is a good point that these
should be equivalent.

https://codereview.chromium.org/2739193004/diff/40001/chrome/browser/extensio...
chrome/browser/extensions/process_management_browsertest.cc:441: if
(new_web_contents->GetLastCommittedURL() != GURL(url::kAboutBlankURL)) {
On 2017/03/11 01:52:17, Devlin wrote:
> The above might also solve this, since NavigateToURL should block until
> complete.

Done.

https://codereview.chromium.org/2739193004/diff/40001/chrome/browser/extensio...
chrome/browser/extensions/process_management_browsertest.cc:453:
EXPECT_TRUE(content::ExecuteScript(new_web_contents, script));
On 2017/03/11 01:52:17, Devlin wrote:
> Same question - does this need to be through ExecuteScript?  If so (possible),
> why? (extend comments)  If not, prefer NavigateToURL().

This needs to be a renderer initiated navigation and NavigateToURL is
browser-initiated. I have a comment about it on the redirect_url declaration,
but I can add a bit more here too.

https://codereview.chromium.org/2739193004/diff/40001/chrome/browser/extensio...
chrome/browser/extensions/process_management_browsertest.cc:462: // extensions
use the process-per-site model, each extension URL is registered
On 2017/03/11 01:52:17, Devlin wrote:
> nit: process-per-extension?  process-per-origin?  Does "site" have a defined
> meaning?

Our codebase and docs already talk about process-per-site process model, so I'd
rather use that instead of inventing new name for it. 

https://www.chromium.org/developers/design-documents/process-models
https://cs.chromium.org/chromium/src/content/public/browser/site_instance.h?r...

https://codereview.chromium.org/2739193004/diff/40001/chrome/browser/extensio...
chrome/browser/extensions/process_management_browsertest.cc:468:
extension->GetResourceURL(""));
On 2017/03/11 01:52:17, Devlin wrote:
> nit: extension->url()

Done.

https://codereview.chromium.org/2739193004/diff/40001/chrome/test/data/extens...
File chrome/test/data/extensions/web_request_blocking/manifest.json (right):

https://codereview.chromium.org/2739193004/diff/40001/chrome/test/data/extens...
chrome/test/data/extensions/web_request_blocking/manifest.json:6: "permissions":
["webRequest", "webRequestBlocking", "tabs", "<all_urls>"],
On 2017/03/11 01:52:18, Devlin wrote:
> is tabs needed?

Yes, it was used by tabs.create API call made in the test. I've removed it after
fixing the test.

https://codereview.chromium.org/2739193004/diff/40001/content/browser/rendere...
File content/browser/renderer_host/render_process_host_impl.cc (right):

https://codereview.chromium.org/2739193004/diff/40001/content/browser/rendere...
content/browser/renderer_host/render_process_host_impl.cc:338:
CHECK_EQ(i->second, process);
On 2017/03/11 01:52:18, Devlin wrote:
> Looks like this CHECK is failing on bots :(

Yes, I'm purposefully hitting it with my test too :). It was there to see how
broken things are. I will submit this CL without it and follow up with a
DumpWithoutCrashing, so we can understand whether this happens in practice.

[nasko, 2017-03-13 17:22:25]

The CQ bit was checked by nasko@chromium.org to run a CQ dry run

[commit-bot: I haz the power, 2017-03-13 17:22:50]

Dry run: CQ is trying da patch. Follow status at
 
https://chromium-cq-status.appspot.com/v2/patch-status/codereview.chromium.or...

[commit-bot: I haz the power, 2017-03-13 19:09:29]

The CQ bit was unchecked by commit-bot@chromium.org

[commit-bot: I haz the power, 2017-03-13 19:09:30]

Dry run: This issue passed the CQ dry run.

[Devlin, 2017-03-13 19:19:56]

lgtm

https://codereview.chromium.org/2739193004/diff/40001/chrome/test/data/extens...
File chrome/test/data/extensions/web_request_blocking/manifest.json (right):

https://codereview.chromium.org/2739193004/diff/40001/chrome/test/data/extens...
chrome/test/data/extensions/web_request_blocking/manifest.json:6: "permissions":
["webRequest", "webRequestBlocking", "tabs", "<all_urls>"],
On 2017/03/13 17:22:03, nasko (slow) wrote:
> On 2017/03/11 01:52:18, Devlin wrote:
> > is tabs needed?
> 
> Yes, it was used by tabs.create API call made in the test. I've removed it
after
> fixing the test.

Fun fact: tabs.create doesn't require the tabs permission.

https://codereview.chromium.org/2739193004/diff/100001/chrome/browser/extensi...
File chrome/browser/extensions/process_management_browsertest.cc (right):

https://codereview.chromium.org/2739193004/diff/100001/chrome/browser/extensi...
chrome/browser/extensions/process_management_browsertest.cc:406:
LoadExtension(test_data_dir_.AppendASCII("web_request_blocking"));
nit: can we name the new extension something slightly different?  This is eerily
similar to e.g. webrequest/test_blocking.

https://codereview.chromium.org/2739193004/diff/100001/chrome/browser/extensi...
chrome/browser/extensions/process_management_browsertest.cc:426:
content::WindowedNotificationObserver tab_added_observer(
Is this observer still needed?

[Charlie Reis, 2017-03-13 19:57:30]

Hmm, I have a concern about this fix below.  (Overall, very nice investigation
and test!)

https://codereview.chromium.org/2739193004/diff/100001/content/browser/render...
File content/browser/renderer_host/render_process_host_impl.cc (right):

https://codereview.chromium.org/2739193004/diff/100001/content/browser/render...
content/browser/renderer_host/render_process_host_impl.cc:336:
SiteToProcessMap::iterator i = map_.find(site);
This should have a comment, since at first glance it's not obvious why this can
happen or what the right thing to do is (e.g., ignore, overwrite, or crash).

And actually, that makes me realize there may be a problem here.  Thanks for the
detailed explanation of the scenario in https://crbug.com/700514#c1, which helps
a lot.

Suppose in that case, we left out steps 1 and 2 and someone else (perhaps the
user) navigated to the blocked URL in a blank SiteInstance.  Wouldn't that mean
we'd register the blocked error page's SiteInstance in this map, preventing a
real extension process from being registered later?  (Or would real extension
pages get forced into this error page SiteInstance, which might lack bindings
and/or be sharing a process with web pages?)

It seems like the real problem here is that we're treating the error URL as the
SiteInstance's site URL.  I know we want to change the committed URL for blocked
navigations at some point after this CL and
https://codereview.chromium.org/2738643002/, but I wonder if we can do a better
job fixing this aspect now.

For example, maybe the blank SiteInstance's site URL shouldn't be derived from
the "committed" URL if it was an unsuccessful navigation?

(If we did go that route, we'd probably still want to decide what the right
behavior here is, whether's it's NOTREACHED, ignore, or overwrite.  I suppose we
can also get here if we race two blank SiteInstances to the same site?)

[nasko, 2017-03-13 21:01:42]

Description was changed from

==========
Check for already existing entry when adding to SiteProcessMap.

The SiteProcessMap::RegisterProcess can overwrite existing entries
in the map, which can lead to incorrect process being mapped to
a site in process-per-site mode. This CL checks for existence and
avoids the overwrite.

BUG=700514
==========

to

==========
Check for already existing entry when adding to SiteProcessMap.

The SiteProcessMap::RegisterProcess can overwrite existing entries
in the map, which can lead to incorrect process being mapped to
a site in process-per-site mode. This CL checks for existence and
avoids the overwrite.

BUG=700514
CQ_INCLUDE_TRYBOTS=master.tryserver.chromium.linux:linux_site_isolation
==========

[nasko, 2017-03-13 21:06:01]

Patchset #6 (id:120001) has been deleted

[nasko, 2017-03-13 21:06:19]

https://codereview.chromium.org/2739193004/diff/100001/chrome/browser/extensi...
File chrome/browser/extensions/process_management_browsertest.cc (right):

https://codereview.chromium.org/2739193004/diff/100001/chrome/browser/extensi...
chrome/browser/extensions/process_management_browsertest.cc:406:
LoadExtension(test_data_dir_.AppendASCII("web_request_blocking"));
On 2017/03/13 19:19:56, Devlin wrote:
> nit: can we name the new extension something slightly different?  This is
eerily
> similar to e.g. webrequest/test_blocking.

Done.

https://codereview.chromium.org/2739193004/diff/100001/chrome/browser/extensi...
chrome/browser/extensions/process_management_browsertest.cc:426:
content::WindowedNotificationObserver tab_added_observer(
On 2017/03/13 19:19:56, Devlin wrote:
> Is this observer still needed?

Probably not. Waiting for commit should be guaranteed to wait long enough for
the WebContents to be added to the tabstrip. Removed.

https://codereview.chromium.org/2739193004/diff/100001/content/browser/render...
File content/browser/renderer_host/render_process_host_impl.cc (right):

https://codereview.chromium.org/2739193004/diff/100001/content/browser/render...
content/browser/renderer_host/render_process_host_impl.cc:336:
SiteToProcessMap::iterator i = map_.find(site);
On 2017/03/13 19:57:30, Charlie Reis (slow) wrote:
> This should have a comment, since at first glance it's not obvious why this
can
> happen or what the right thing to do is (e.g., ignore, overwrite, or crash).

Comment added.

> And actually, that makes me realize there may be a problem here.  Thanks for
the
> detailed explanation of the scenario in https://crbug.com/700514#c1, which
helps
> a lot.
> 
> Suppose in that case, we left out steps 1 and 2 and someone else (perhaps the
> user) navigated to the blocked URL in a blank SiteInstance.  Wouldn't that
mean
> we'd register the blocked error page's SiteInstance in this map, preventing a
> real extension process from being registered later?  (Or would real extension
> pages get forced into this error page SiteInstance, which might lack bindings
> and/or be sharing a process with web pages?)

I think the latter will happen and we will put the extension in a process
without
bindings. It is the safer fallback though, so it shouldn't result in security 
bugs.

> It seems like the real problem here is that we're treating the error URL as
the
> SiteInstance's site URL.  I know we want to change the committed URL for
blocked
> navigations at some point after this CL and
> https://codereview.chromium.org/2738643002/, but I wonder if we can do a
better
> job fixing this aspect now.
> 
> For example, maybe the blank SiteInstance's site URL shouldn't be derived from
> the "committed" URL if it was an unsuccessful navigation?

Indeed. And as discussed, I'm adding code to not call SetSite on the empty 
SiteInstance in the case of an error page.
 
> (If we did go that route, we'd probably still want to decide what the right
> behavior here is, whether's it's NOTREACHED, ignore, or overwrite.  I suppose
we
> can also get here if we race two blank SiteInstances to the same site?)

I think a race can indeed cause us to get here. I think not overwriting is
the approach easiest to reason about.

[nasko, 2017-03-13 21:06:38]

The CQ bit was checked by nasko@chromium.org to run a CQ dry run

[commit-bot: I haz the power, 2017-03-13 21:07:29]

Dry run: CQ is trying da patch. Follow status at
 
https://chromium-cq-status.appspot.com/v2/patch-status/codereview.chromium.or...

[Charlie Reis, 2017-03-13 22:31:33]

Thanks!  I think it's almost ready, depending on whether there are concrete
problems in the case below.

https://codereview.chromium.org/2739193004/diff/140001/chrome/browser/extensi...
File chrome/browser/extensions/process_management_browsertest.cc (right):

https://codereview.chromium.org/2739193004/diff/140001/chrome/browser/extensi...
chrome/browser/extensions/process_management_browsertest.cc:451: // the process
is the same for all SiteInstances.
Thanks for explaining, but I think this is missing the part saying what we're
actually trying to verify.  Maybe add:

This allows us to verify that the site-to-process map for the extension hasn't
been overwritten by the process of the blocked_url.

https://codereview.chromium.org/2739193004/diff/140001/content/browser/frame_...
File content/browser/frame_host/navigator_impl.cc (right):

https://codereview.chromium.org/2739193004/diff/140001/content/browser/frame_...
content/browser/frame_host/navigator_impl.cc:629: // error page.  In that case,
the SiteInstance can still be considered unused
Leaving it unassigned for the error page is something we may want to revisit
later (or possibly now?).  It's not terrible, since the error page itself is
under Chrome's control and shouldn't pose a risk to whatever ends up in the
process next, but I do wonder what would happen if you went to an allowed
extension URL next.  Would we end up giving the process bindings?  Would that
result in a kill or a crash because of the mix of non-bindings and bindings in
the same process?

(For example, start with about:blank, then go to the blocked extension URL,
getting here.  We leave the site unassigned.  Then go to a real extension URL--
do we stay in the same process?  If so, do we crash when going back because the
bindings on the NavigationEntry don't match the RFH?)

If that is a problem, we could consider setting the site URL to data: for the
error page, so that it isn't reused later for the next navigation.

[commit-bot: I haz the power, 2017-03-13 22:39:43]

The CQ bit was unchecked by commit-bot@chromium.org

[commit-bot: I haz the power, 2017-03-13 22:39:44]

Dry run: Try jobs failed on following builders:
  linux_chromium_chromeos_rel_ng on master.tryserver.chromium.linux (JOB_FAILED,
http://build.chromium.org/p/tryserver.chromium.linux/builders/linux_chromium_...)

[nasko, 2017-03-14 16:56:02]

https://codereview.chromium.org/2739193004/diff/140001/chrome/browser/extensi...
File chrome/browser/extensions/process_management_browsertest.cc (right):

https://codereview.chromium.org/2739193004/diff/140001/chrome/browser/extensi...
chrome/browser/extensions/process_management_browsertest.cc:446: // Very subtle
check for content/ internal functionality :(.
I was thinking more and more about this test and whether a follow up should be a
content/ internal test that forces Chrome in --process-per-site mode and
verifies the same properties hold.

https://codereview.chromium.org/2739193004/diff/140001/chrome/browser/extensi...
chrome/browser/extensions/process_management_browsertest.cc:451: // the process
is the same for all SiteInstances.
On 2017/03/13 22:31:33, Charlie Reis (slow) wrote:
> Thanks for explaining, but I think this is missing the part saying what we're
> actually trying to verify.  Maybe add:
> 
> This allows us to verify that the site-to-process map for the extension hasn't
> been overwritten by the process of the blocked_url.

Done.

https://codereview.chromium.org/2739193004/diff/140001/content/browser/frame_...
File content/browser/frame_host/navigator_impl.cc (right):

https://codereview.chromium.org/2739193004/diff/140001/content/browser/frame_...
content/browser/frame_host/navigator_impl.cc:629: // error page.  In that case,
the SiteInstance can still be considered unused
On 2017/03/13 22:31:33, Charlie Reis (slow) wrote:
> Leaving it unassigned for the error page is something we may want to revisit
> later (or possibly now?).  It's not terrible, since the error page itself is
> under Chrome's control and shouldn't pose a risk to whatever ends up in the
> process next, but I do wonder what would happen if you went to an allowed
> extension URL next.  

We correctly transfer it to the extension process :)

> Would we end up giving the process bindings?  Would that
> result in a kill or a crash because of the mix of non-bindings and bindings in
> the same process?

The process is no longer used, so it goes away.
 
> (For example, start with about:blank, then go to the blocked extension URL,
> getting here.  We leave the site unassigned.  Then go to a real extension
URL--
> do we stay in the same process?  If so, do we crash when going back because
the
> bindings on the NavigationEntry don't match the RFH?)

I tried renderer-initiated direct navigation to the extension allowed URL,
renderer-initiated navigation to server that redirects to the allowed URL and
browser-initiated navigation to the same URL. They all resulted in committing in
the extension process with this CL in place.
 
> If that is a problem, we could consider setting the site URL to data: for the
> error page, so that it isn't reused later for the next navigation.

[nasko, 2017-03-14 22:41:31]

The CQ bit was checked by nasko@chromium.org to run a CQ dry run

[commit-bot: I haz the power, 2017-03-14 22:42:36]

Dry run: CQ is trying da patch. Follow status at
 
https://chromium-cq-status.appspot.com/v2/patch-status/codereview.chromium.or...

[Charlie Reis, 2017-03-14 23:46:47]

Thanks.  LGTM if the case below isn't problematic.

https://codereview.chromium.org/2739193004/diff/140001/chrome/browser/extensi...
File chrome/browser/extensions/process_management_browsertest.cc (right):

https://codereview.chromium.org/2739193004/diff/140001/chrome/browser/extensi...
chrome/browser/extensions/process_management_browsertest.cc:446: // Very subtle
check for content/ internal functionality :(.
On 2017/03/14 16:56:02, nasko (slow) wrote:
> I was thinking more and more about this test and whether a follow up should be
a
> content/ internal test that forces Chrome in --process-per-site mode and
> verifies the same properties hold.

I like that idea.

https://codereview.chromium.org/2739193004/diff/140001/content/browser/frame_...
File content/browser/frame_host/navigator_impl.cc (right):

https://codereview.chromium.org/2739193004/diff/140001/content/browser/frame_...
content/browser/frame_host/navigator_impl.cc:629: // error page.  In that case,
the SiteInstance can still be considered unused
On 2017/03/14 16:56:02, nasko (slow) wrote:
> On 2017/03/13 22:31:33, Charlie Reis (slow) wrote:
> > Leaving it unassigned for the error page is something we may want to revisit
> > later (or possibly now?).  It's not terrible, since the error page itself is
> > under Chrome's control and shouldn't pose a risk to whatever ends up in the
> > process next, but I do wonder what would happen if you went to an allowed
> > extension URL next.  
> 
> We correctly transfer it to the extension process :)
> 
> > Would we end up giving the process bindings?  Would that
> > result in a kill or a crash because of the mix of non-bindings and bindings
in
> > the same process?
> 
> The process is no longer used, so it goes away.
>  
> > (For example, start with about:blank, then go to the blocked extension URL,
> > getting here.  We leave the site unassigned.  Then go to a real extension
> URL--
> > do we stay in the same process?  If so, do we crash when going back because
> the
> > bindings on the NavigationEntry don't match the RFH?)
> 
> I tried renderer-initiated direct navigation to the extension allowed URL,
> renderer-initiated navigation to server that redirects to the allowed URL and
> browser-initiated navigation to the same URL. They all resulted in committing
in
> the extension process with this CL in place.
>  
> > If that is a problem, we could consider setting the site URL to data: for
the
> > error page, so that it isn't reused later for the next navigation.

Ok-- I'm glad you tested the redirect case, since I know that was needed in your
browsertest.  Maybe it's not an issue.  I'm still a bit nervous about it, but
hopefully our plans to change how error pages work can resolve this aspect down
the road.

One other case to test, and then I'll be happy.  :)  What happens if you visit
blocked.html and get to the error page, do a renderer-initiated navigation to a
web page (redirecting if needed, so that we stay in process), then change the
onBeforeRequest listener in the extension to stop blocking, then go back?  Would
we end up loading blocked.html in the process that has now been used for web
pages?

[commit-bot: I haz the power, 2017-03-15 00:22:22]

The CQ bit was unchecked by commit-bot@chromium.org

[commit-bot: I haz the power, 2017-03-15 00:22:23]

Dry run: This issue passed the CQ dry run.

[nasko, 2017-03-15 00:32:06]

https://codereview.chromium.org/2739193004/diff/140001/content/browser/frame_...
File content/browser/frame_host/navigator_impl.cc (right):

https://codereview.chromium.org/2739193004/diff/140001/content/browser/frame_...
content/browser/frame_host/navigator_impl.cc:629: // error page.  In that case,
the SiteInstance can still be considered unused
On 2017/03/14 23:46:47, Charlie Reis (slow) wrote:
> On 2017/03/14 16:56:02, nasko (slow) wrote:
> > On 2017/03/13 22:31:33, Charlie Reis (slow) wrote:
> > > Leaving it unassigned for the error page is something we may want to
revisit
> > > later (or possibly now?).  It's not terrible, since the error page itself
is
> > > under Chrome's control and shouldn't pose a risk to whatever ends up in
the
> > > process next, but I do wonder what would happen if you went to an allowed
> > > extension URL next.  
> > 
> > We correctly transfer it to the extension process :)
> > 
> > > Would we end up giving the process bindings?  Would that
> > > result in a kill or a crash because of the mix of non-bindings and
bindings
> in
> > > the same process?
> > 
> > The process is no longer used, so it goes away.
> >  
> > > (For example, start with about:blank, then go to the blocked extension
URL,
> > > getting here.  We leave the site unassigned.  Then go to a real extension
> > URL--
> > > do we stay in the same process?  If so, do we crash when going back
because
> > the
> > > bindings on the NavigationEntry don't match the RFH?)
> > 
> > I tried renderer-initiated direct navigation to the extension allowed URL,
> > renderer-initiated navigation to server that redirects to the allowed URL
and
> > browser-initiated navigation to the same URL. They all resulted in
committing
> in
> > the extension process with this CL in place.
> >  
> > > If that is a problem, we could consider setting the site URL to data: for
> the
> > > error page, so that it isn't reused later for the next navigation.
> 
> Ok-- I'm glad you tested the redirect case, since I know that was needed in
your
> browsertest.  Maybe it's not an issue.  I'm still a bit nervous about it, but
> hopefully our plans to change how error pages work can resolve this aspect
down
> the road.
> 
> One other case to test, and then I'll be happy.  :)  What happens if you visit
> blocked.html and get to the error page, do a renderer-initiated navigation to
a
> web page (redirecting if needed, so that we stay in process), then change the
> onBeforeRequest listener in the extension to stop blocking, then go back? 
Would
> we end up loading blocked.html in the process that has now been used for web
> pages?

Commits as expected in the extension process :). However, I should note that
changing the JS required the extension to be restarted, so it resulted in a new
process. I tried making the JS dynamic, such that it will only block the first
request and allow afterwards. That also resulted in the page to be put in the
extension process.

[nasko, 2017-03-15 00:32:30]

The CQ bit was checked by nasko@chromium.org

[nasko, 2017-03-15 00:32:31]

The patchset sent to the CQ was uploaded after l-g-t-m from
rdevlin.cronin@chromium.org
Link to the patchset: https://codereview.chromium.org/2739193004/#ps160001
(title: "Add extra comment.")

[commit-bot: I haz the power, 2017-03-15 00:33:40]

CQ is trying da patch. Follow status at
 
https://chromium-cq-status.appspot.com/v2/patch-status/codereview.chromium.or...

[commit-bot: I haz the power, 2017-03-15 00:43:03]

CQ is committing da patch.

Bot data: {"patchset_id": 160001, "attempt_start_ts": 1489537950726600,
"parent_rev": "fd0523d1fb0087eb86205242d06a8044a5107ceb", "commit_rev":
"0e9d619f88ffabc3c237cbdf75603df8af9925e6"}

[commit-bot: I haz the power, 2017-03-15 00:43:45]

Description was changed from

==========
Check for already existing entry when adding to SiteProcessMap.

The SiteProcessMap::RegisterProcess can overwrite existing entries
in the map, which can lead to incorrect process being mapped to
a site in process-per-site mode. This CL checks for existence and
avoids the overwrite.

BUG=700514
CQ_INCLUDE_TRYBOTS=master.tryserver.chromium.linux:linux_site_isolation
==========

to

==========
Check for already existing entry when adding to SiteProcessMap.

The SiteProcessMap::RegisterProcess can overwrite existing entries
in the map, which can lead to incorrect process being mapped to
a site in process-per-site mode. This CL checks for existence and
avoids the overwrite.

BUG=700514
CQ_INCLUDE_TRYBOTS=master.tryserver.chromium.linux:linux_site_isolation

Review-Url: https://codereview.chromium.org/2739193004
Cr-Commit-Position: refs/heads/master@{#456920}
Committed:
https://chromium.googlesource.com/chromium/src/+/0e9d619f88ffabc3c237cbdf7560...
==========

[commit-bot: I haz the power, 2017-03-15 00:43:47]

Committed patchset #7 (id:160001) as
https://chromium.googlesource.com/chromium/src/+/0e9d619f88ffabc3c237cbdf7560...

[tzik, 2017-03-15 06:12:25]

A revert of this CL (patchset #7 id:160001) has been created in
https://codereview.chromium.org/2749543004/ by tzik@chromium.org.

The reason for reverting is: Speculative revert to see a bot failure.

SubresourceFilterBrowserTest.FailedProvisionalLoadInMainframe got flaky around
this CL, and this is relatively more suspicious in the failing range.

BUG=701663.