Fix process reuse for dedicated processes when over process limit.

content/browser/renderer_host/render_process_host_impl.cc

 // Copyright 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 // Represents the browser side of the browser <--> renderer communication
 // channel. There will be one RenderProcessHost per renderer process.
 
 #include "content/browser/renderer_host/render_process_host_impl.h"
 
 #include <algorithm>
@@ skipping 920 matching lines @@
       visible_widgets_(0),
       is_process_backgrounded_(kLaunchingProcessIsBackgrounded),
       boost_priority_for_pending_views_(
           kLaunchingProcessIsBoostedForPendingView),
       id_(ChildProcessHostImpl::GenerateChildProcessUniqueId()),
       browser_context_(browser_context),
       storage_partition_impl_(storage_partition_impl),
       sudden_termination_allowed_(true),
       ignore_input_events_(false),
       is_for_guests_only_(is_for_guests_only),
+      is_unused_(true),
       gpu_observer_registered_(false),
       delayed_cleanup_needed_(false),
       within_process_died_observer_(false),
 #if BUILDFLAG(ENABLE_WEBRTC)
       webrtc_eventlog_host_(id_),
 #endif
       permission_service_context_(new PermissionServiceContext(this)),
       indexed_db_factory_(new IndexedDBDispatcherHost(
           id_,
           storage_partition_impl_->GetURLRequestContext(),
@@ skipping 848 matching lines @@
   is_never_suitable_for_reuse_ = true;
 }
 
 bool RenderProcessHostImpl::MayReuseHost() {
   if (is_never_suitable_for_reuse_)
     return false;
 
   return GetContentClient()->browser()->MayReuseHost(this);
 }
 
+bool RenderProcessHostImpl::IsUnused() {
+  return is_unused_;
+}
+
+void RenderProcessHostImpl::SetIsUsed() {
+  is_unused_ = false;
+}
+
 mojom::RouteProvider* RenderProcessHostImpl::GetRemoteRouteProvider() {
   return remote_route_provider_.get();
 }
 
 void RenderProcessHostImpl::AddRoute(int32_t routing_id,
                                      IPC::Listener* listener) {
   CHECK(!listeners_.Lookup(routing_id)) << "Found Routing ID Conflict: "
                                         << routing_id;
   listeners_.AddWithID(listener, routing_id);
 }
@@ skipping 1084 matching lines @@
     return false;
 
   // Check whether the given host and the intended site_url will be using the
   // same StoragePartition, since a RenderProcessHost can only support a single
   // StoragePartition.  This is relevant for packaged apps.
   StoragePartition* dest_partition =
       BrowserContext::GetStoragePartitionForSite(browser_context, site_url);
   if (!host->InSameStoragePartition(dest_partition))
     return false;
 
-  // TODO(nick): Consult the SiteIsolationPolicy here. https://crbug.com/513036
-  if (ChildProcessSecurityPolicyImpl::GetInstance()->HasWebUIBindings(
-          host->GetID()) !=
+  auto* policy = ChildProcessSecurityPolicyImpl::GetInstance();
+  if (policy->HasWebUIBindings(host->GetID()) !=
       WebUIControllerFactoryRegistry::GetInstance()->UseWebUIBindingsForURL(
           browser_context, site_url)) {
     return false;
   }
 
+  // Sites requiring dedicated processes can only reuse a compatible process.
+  auto lock_state = policy->CheckOriginLock(host->GetID(), site_url);
+  if (lock_state !=
+      ChildProcessSecurityPolicyImpl::CheckOriginLockResult::NO_LOCK) {
+    // If the process is already dedicated to a site, only allow the destination
+    // URL to reuse this process if the URL has the same site.
+    return lock_state == ChildProcessSecurityPolicyImpl::CheckOriginLockResult::
+                             HAS_EQUAL_LOCK;
+  } else if (!host->IsUnused() &&
+             SiteInstanceImpl::ShouldLockToOrigin(browser_context, site_url)) {
+    // Otherwise, if this process has been used to host any other content, it
+    // cannot be reused if the destination site indeed requires a dedicated
+    // process and can be locked to just that site.
+    return false;
+  }
+
   return GetContentClient()->browser()->IsSuitableHost(host, site_url);
 }
 
 // static
 bool RenderProcessHost::run_renderer_in_process() {
   return g_run_renderer_in_process_;
 }
 
 // static
 void RenderProcessHost::SetRunRendererInProcess(bool value) {
@@ skipping 24 matching lines @@
 // static
 RenderProcessHost* RenderProcessHost::FromID(int render_process_id) {
   DCHECK_CURRENTLY_ON(BrowserThread::UI);
   return g_all_hosts.Get().Lookup(render_process_id);
 }
 
 // static
 bool RenderProcessHost::ShouldTryToUseExistingProcessHost(
     BrowserContext* browser_context,
     const GURL& url) {
-  // This needs to be checked first to ensure that --single-process
-  // and --site-per-process can be used together.
   if (run_renderer_in_process())
     return true;
 
-  // If --site-per-process is enabled, do not try to reuse renderer processes
-  // when over the limit.
-  // TODO(nick): This is overly conservative and isn't launchable. Move this
-  // logic into IsSuitableHost, and check |url| against the URL the process is
-  // dedicated to. This will allow pages from the same site to share, and will
-  // also allow non-isolated sites to share processes. https://crbug.com/513036
-  if (SiteIsolationPolicy::UseDedicatedProcessesForAllSites())
-    return false;
-
   // NOTE: Sometimes it's necessary to create more render processes than
   //       GetMaxRendererProcessCount(), for instance when we want to create
   //       a renderer process for a browser context that has no existing
   //       renderers. This is OK in moderation, since the
   //       GetMaxRendererProcessCount() is conservative.
   if (g_all_hosts.Get().size() >= GetMaxRendererProcessCount())
     return true;
 
   return GetContentClient()->browser()->ShouldTryToUseExistingProcessHost(
       browser_context, url);
@@ skipping 54 matching lines @@
 }
 
 // static
 RenderProcessHost* RenderProcessHostImpl::GetProcessHostForSite(
     BrowserContext* browser_context,
     const GURL& url) {
   // Look up the map of site to process for the given browser_context.
   SiteProcessMap* map = GetSiteProcessMapForBrowserContext(browser_context);
 
   // See if we have an existing process with appropriate bindings for this site.
-  // If not, the caller should create a new process and register it.
-  std::string site =
-      SiteInstance::GetSiteForURL(browser_context, url).possibly_invalid_spec();
-  RenderProcessHost* host = map->FindProcess(site);
+  // If not, the caller should create a new process and register it.  Note that
+  // IsSuitableHost expects a site URL rather than the full |url|.
+  GURL site_url = SiteInstance::GetSiteForURL(browser_context, url);
+  RenderProcessHost* host = map->FindProcess(site_url.possibly_invalid_spec());
   if (host && (!host->MayReuseHost() ||
-               !IsSuitableHost(host, browser_context, url))) {
+               !IsSuitableHost(host, browser_context, site_url))) {
     // The registered process does not have an appropriate set of bindings for
     // the url.  Remove it from the map so we can register a better one.
     RecordAction(
         base::UserMetricsAction("BindingsMismatch_GetProcessHostPerSite"));
     map->RemoveProcess(host);
     host = NULL;
   }
 
   return host;
 }
@@ skipping 563 matching lines @@
   LOG(ERROR) << "Terminating render process for bad Mojo message: " << error;
 
   // The ReceivedBadMessage call below will trigger a DumpWithoutCrashing.
   // Capture the error message in a crash key value.
   base::debug::ScopedCrashKey error_key_value("mojo-message-error", error);
   bad_message::ReceivedBadMessage(render_process_id,
                                   bad_message::RPH_MOJO_PROCESS_ERROR);
 }
 
 }  // namespace content