content/browser/isolated_origin_browsertest.cc - Issue 2921063003: Fix process reuse for dedicated processes when over process limit.

Side by Side Diff: content/browser/isolated_origin_browsertest.cc

Issue 2921063003: Fix process reuse for dedicated processes when over process limit. (Closed)

Patch Set: Cleanup Created 3 years, 6 months ago

Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.

Jump to:

« no previous file with comments | « content/browser/child_process_security_policy_impl.cc ('k') | content/browser/renderer_host/render_process_host_impl.h » ('j') | content/browser/renderer_host/render_process_host_impl.cc » ('J')
Toggle Intra-line Diffs ('i') | Expand Comments ('e') | Collapse Comments ('c') | Hide Comments ('s')

OLD	NEW
1 // Copyright 2017 The Chromium Authors. All rights reserved.	1 // Copyright 2017 The Chromium Authors. All rights reserved.

2 // Use of this source code is governed by a BSD-style license that can be	2 // Use of this source code is governed by a BSD-style license that can be

3 // found in the LICENSE file.	3 // found in the LICENSE file.

4	4

5 #include "base/command_line.h"	5 #include "base/command_line.h"

6 #include "content/browser/child_process_security_policy_impl.h"	6 #include "content/browser/child_process_security_policy_impl.h"

7 #include "content/browser/web_contents/web_contents_impl.h"	7 #include "content/browser/web_contents/web_contents_impl.h"

8 #include "content/public/browser/render_process_host.h"	8 #include "content/public/browser/render_process_host.h"

9 #include "content/public/common/content_switches.h"	9 #include "content/public/common/content_switches.h"

10 #include "content/public/test/browser_test_utils.h"	10 #include "content/public/test/browser_test_utils.h"

(...skipping 335 matching lines...) Expand 10 before \| Expand all \| Expand 10 after Loading...
346	346

347 EXPECT_TRUE(ExecuteScript(web_contents(), "document.cookie = 'foo=bar';"));	347 EXPECT_TRUE(ExecuteScript(web_contents(), "document.cookie = 'foo=bar';"));

348	348

349 std::string cookie;	349 std::string cookie;

350 EXPECT_TRUE(ExecuteScriptAndExtractString(	350 EXPECT_TRUE(ExecuteScriptAndExtractString(

351 web_contents(), "window.domAutomationController.send(document.cookie);",	351 web_contents(), "window.domAutomationController.send(document.cookie);",

352 &cookie));	352 &cookie));

353 EXPECT_EQ("foo=bar", cookie);	353 EXPECT_EQ("foo=bar", cookie);

354 }	354 }

355	355

	356 // Check that isolated origins won't be placed into processes for other sites

	357 // when over the process limit.

	358 IN_PROC_BROWSER_TEST_F(IsolatedOriginTest, ProcessLimit) {

	359 // Set the process limit to 1.

	360 RenderProcessHost::SetMaxRendererProcessCount(1);

	361

	362 // Navigate to an unisolated foo.com URL with an iframe.

	363 GURL foo_url(

	364 embedded_test_server()->GetURL("www.foo.com", "/page_with_iframe.html"));

	365 EXPECT_TRUE(NavigateToURL(shell(), foo_url));

	366 FrameTreeNode* root = web_contents()->GetFrameTree()->root();

	367 RenderProcessHost* foo_process = root->current_frame_host()->GetProcess();

	368 FrameTreeNode* child = root->child_at(0);

	369

	370 // Navigate iframe to an isolated origin.

	371 GURL isolated_foo_url(

	372 embedded_test_server()->GetURL("isolated.foo.com", "/title2.html"));

	373 NavigateIframeToURL(web_contents(), "test_iframe", isolated_foo_url);
	alexmos 2017/06/12 17:35:07 Interesting note: without this CL, this actually h Interesting note: without this CL, this actually hangs. This is because we first attempted the transfer but then, because of (incorrectly) trying to reuse the existing www.foo.com process, we hit the is_transfer_to_same path: bool is_transfer_to_same = is_transfer && entry.transferred_global_request_id().child_id == dest_render_frame_host->GetProcess()->GetID(); because we compare process IDs and not SiteInstances (the SiteInstances are different but process ID is the same due to the reuse). This causes us to not send the Navigate IPC. I wonder if this can come up in other cases as well, and whether we should avoid comparing process IDs in the is_transfer_to_same check due to this. Charlie Reis 2017/06/12 23:08:17 Wow, nice find-- that could definitely come up in Show quoted text On 2017/06/12 17:35:07, alexmos wrote: > Interesting note: without this CL, this actually hangs. This is because we > first attempted the transfer but then, because of (incorrectly) trying to reuse > the existing http://www.foo.com process, we hit the is_transfer_to_same path: > bool is_transfer_to_same = > is_transfer && > entry.transferred_global_request_id().child_id == > dest_render_frame_host->GetProcess()->GetID(); > > because we compare process IDs and not SiteInstances (the SiteInstances are > different but process ID is the same due to the reuse). This causes us to not > send the Navigate IPC. I wonder if this can come up in other cases as well, and > whether we should avoid comparing process IDs in the is_transfer_to_same check > due to this. Wow, nice find-- that could definitely come up in other cases. It's perhaps not as common as it could be since most sites don't trigger a cross-process redirect and those that do (e.g., CWS) tend to require a different process. But I could see it happening for a redirect from one extension to another when we're over the limit and the extensions end up sharing a process. Can you file a bug? alexmos 2017/06/14 22:39:04 Done - filed https://crbug.com/733023. Show quoted text On 2017/06/12 23:08:17, Charlie Reis wrote: > On 2017/06/12 17:35:07, alexmos wrote: > > Interesting note: without this CL, this actually hangs. This is because we > > first attempted the transfer but then, because of (incorrectly) trying to > reuse > > the existing http://www.foo.com process, we hit the is_transfer_to_same path: > > bool is_transfer_to_same = > > is_transfer && > > entry.transferred_global_request_id().child_id == > > dest_render_frame_host->GetProcess()->GetID(); > > > > because we compare process IDs and not SiteInstances (the SiteInstances are > > different but process ID is the same due to the reuse). This causes us to not > > send the Navigate IPC. I wonder if this can come up in other cases as well, > and > > whether we should avoid comparing process IDs in the is_transfer_to_same check > > due to this. > > Wow, nice find-- that could definitely come up in other cases. It's perhaps not > as common as it could be since most sites don't trigger a cross-process redirect > and those that do (e.g., CWS) tend to require a different process. But I could > see it happening for a redirect from one extension to another when we're over > the limit and the extensions end up sharing a process. Can you file a bug? Done - filed https://crbug.com/733023.
	374

	375 // Ensure that the subframe was rendered in a new process.

	376 EXPECT_NE(child->current_frame_host()->GetProcess(), foo_process);

	377

	378 // Sanity-check IsSuitableHost values for the current processes.

	379 BrowserContext* browser_context = web_contents()->GetBrowserContext();

	380 auto is_suitable_host = [browser_context](RenderProcessHost* process,

	381 GURL url) {

	382 return RenderProcessHostImpl::IsSuitableHost(

	383 process, browser_context,

	384 SiteInstance::GetSiteForURL(browser_context, url));

	385 };

	386 EXPECT_TRUE(is_suitable_host(foo_process, foo_url));

	387 EXPECT_FALSE(is_suitable_host(foo_process, isolated_foo_url));

	388 EXPECT_TRUE(is_suitable_host(child->current_frame_host()->GetProcess(),

	389 isolated_foo_url));

	390 EXPECT_FALSE(

	391 is_suitable_host(child->current_frame_host()->GetProcess(), foo_url));

	392

	393 // Open a new, unrelated tab and navigate it to isolated.foo.com. This

	394 // should use a new, unrelated SiteInstance that reuses the existing isolated

	395 // origin process from first tab's subframe.

	396 Shell* new_shell = CreateBrowser();

	397 EXPECT_TRUE(NavigateToURL(new_shell, isolated_foo_url));

	398 scoped_refptr<SiteInstance> isolated_foo_instance(

	399 new_shell->web_contents()->GetMainFrame()->GetSiteInstance());

	400 RenderProcessHost* isolated_foo_process = isolated_foo_instance->GetProcess();

	401 EXPECT_NE(child->current_frame_host()->GetSiteInstance(),

	402 isolated_foo_instance);
	Charlie Reis 2017/06/12 23:08:17 Can you also check that isolated_foo_instance and Can you also check that isolated_foo_instance and the previous subframe SiteInstance are not related, as the comment mentions? alexmos 2017/06/14 22:39:04 Done. Show quoted text On 2017/06/12 23:08:17, Charlie Reis wrote: > Can you also check that isolated_foo_instance and the previous subframe > SiteInstance are not related, as the comment mentions? Done.
	403 // TODO(alexmos): with --site-per-process, this won't currently reuse the

	404 // subframe process, because the new SiteInstance will initialize its

	405 // process while it still has no site (during CreateBrowser()), and since

	406 // dedicated processes can't currently be reused for a SiteInstance with no

	407 // site, this creates a new process. The subsequent navigation to

	408 // \|isolated_foo_url\| stays in that new process without consulting whether it

	409 // can now reuse a different process. This should be fixed; see

	410 // https://crbug.com/513036. Without --site-per-process, this works because

	411 // the site-less SiteInstance is allowed to reuse the first tab's foo.com

	412 // process (which isn't dedicated), and then it swaps to the isolated.foo.com

	413 // process during navigation.

	414 if (!AreAllSitesIsolatedForTesting())

	415 EXPECT_EQ(child->current_frame_host()->GetProcess(), isolated_foo_process);
	alexmos 2017/06/12 17:35:07 I decided to deal with this for a followup to keep I decided to deal with this for a followup to keep this CL simpler. The sequence of events is: - start with all processes hosting only dedicated sites - create new tab with site-less SiteInstance - call GetProcess() on that SiteInstance. This creates a new process since none of the dedicated processes can host it. - navigate new tab to a site that has an existing dedicated process. Even though process reuse is possible, we hit the checks that say that a site-less SiteInstance that sets a site should stay in the same process. It doesn't matter much in practice, as opening a new tab has the NTP and never hits this path. Potential fixes could be to checking for process reuse when a site-less SI sets a site, or to allow dedicated processes to host uninitialized SiteInstances (they should transfer out if necessary when they navigate). Charlie Reis 2017/06/12 23:08:17 For potential fix #1, what would we do at the time Show quoted text On 2017/06/12 17:35:07, alexmos wrote: > I decided to deal with this for a followup to keep this CL simpler. The > sequence of events is: > - start with all processes hosting only dedicated sites > - create new tab with site-less SiteInstance > - call GetProcess() on that SiteInstance. This creates a new process since none > of the dedicated processes can host it. > - navigate new tab to a site that has an existing dedicated process. Even > though process reuse is possible, we hit the checks that say that a site-less > SiteInstance that sets a site should stay in the same process. > > It doesn't matter much in practice, as opening a new tab has the NTP and never > hits this path. Potential fixes could be to checking for process reuse when a > site-less SI sets a site, or to allow dedicated processes to host uninitialized > SiteInstances (they should transfer out if necessary when they navigate). For potential fix #1, what would we do at the time of setting the site? That's at commit time, right? (That would be too late to transfer to an existing process.) For potential fix #2, I'm not sure I understand-- would we randomly put a blank SiteInstance into a dedicated process and hope that's the site we end up on? That seems unlikely to succeed in most cases, but maybe I'm missing the idea. I could see setting up a transfer once we know we're going to commit a URL that needs a dedicated (existing) process. Or rather, letting PlzNavigate switch to an RFH in that process, since there's not much point in fixing it in the non-PlzNavigate case. Either way, I agree there's probably no rush. alexmos 2017/06/14 22:39:04 Yeah, agreed that commit-time SetSite is too late Show quoted text On 2017/06/12 23:08:17, Charlie Reis wrote: > On 2017/06/12 17:35:07, alexmos wrote: > > I decided to deal with this for a followup to keep this CL simpler. The > > sequence of events is: > > - start with all processes hosting only dedicated sites > > - create new tab with site-less SiteInstance > > - call GetProcess() on that SiteInstance. This creates a new process since > none > > of the dedicated processes can host it. > > - navigate new tab to a site that has an existing dedicated process. Even > > though process reuse is possible, we hit the checks that say that a site-less > > SiteInstance that sets a site should stay in the same process. > > > > It doesn't matter much in practice, as opening a new tab has the NTP and never > > hits this path. Potential fixes could be to checking for process reuse when a > > site-less SI sets a site, or to allow dedicated processes to host > uninitialized > > SiteInstances (they should transfer out if necessary when they navigate). > > For potential fix #1, what would we do at the time of setting the site? That's > at commit time, right? (That would be too late to transfer to an existing > process.) Yeah, agreed that commit-time SetSite is too late (without PlzNavigate). Show quoted text > > For potential fix #2, I'm not sure I understand-- would we randomly put a blank > SiteInstance into a dedicated process and hope that's the site we end up on? > That seems unlikely to succeed in most cases, but maybe I'm missing the idea. Yes, the idea was to allow a blank SiteInstance into a dedicated process and then transfer it out if it turns out to be for a different site. This does seem somewhat fragile though. Show quoted text > > I could see setting up a transfer once we know we're going to commit a URL that > needs a dedicated (existing) process. Or rather, letting PlzNavigate switch to > an RFH in that process, since there's not much point in fixing it in the > non-PlzNavigate case. Either way, I agree there's probably no rush. I agree this will be easier with PlzNavigate, so maybe we can just wait until PlzNavigate ships before tackling this, since there's no rush.
	416

	417 // Navigate iframe on the first tab to a non-isolated site. This should swap

	418 // processes so that it does not reuse the isolated origin's process.

	419 NavigateIframeToURL(

	420 web_contents(), "test_iframe",

	421 embedded_test_server()->GetURL("www.foo.com", "/title1.html"));

	422 EXPECT_EQ(foo_process, child->current_frame_host()->GetProcess());

	423 EXPECT_NE(isolated_foo_process, child->current_frame_host()->GetProcess());

	424

	425 // Navigate iframe back to isolated origin. See that it reuses the

	426 // \|new_shell\| process.

	427 NavigateIframeToURL(web_contents(), "test_iframe", isolated_foo_url);

	428 EXPECT_NE(foo_process, child->current_frame_host()->GetProcess());

	429 EXPECT_EQ(isolated_foo_process, child->current_frame_host()->GetProcess());

	430

	431 // Navigate iframe to a different isolated origin. Ensure that this creates

	432 // a third process.

	433 GURL isolated_bar_url(

	434 embedded_test_server()->GetURL("isolated.bar.com", "/title3.html"));

	435 NavigateIframeToURL(web_contents(), "test_iframe", isolated_bar_url);

	436 RenderProcessHost* isolated_bar_process =

	437 child->current_frame_host()->GetProcess();

	438 EXPECT_NE(foo_process, isolated_bar_process);

	439 EXPECT_NE(isolated_foo_process, isolated_bar_process);

	440

	441 // The new process should only be suitable to host isolated.bar.com, not

	442 // regular web URLs or other isolated origins.

	443 EXPECT_TRUE(is_suitable_host(isolated_bar_process, isolated_bar_url));

	444 EXPECT_FALSE(is_suitable_host(isolated_bar_process, foo_url));

	445 EXPECT_FALSE(is_suitable_host(isolated_bar_process, isolated_foo_url));

	446

	447 // Navigate second tab (currently at isolated.foo.com) to the

	448 // second isolated origin, and see that it switches processes.

	449 EXPECT_TRUE(NavigateToURL(new_shell, isolated_bar_url));

	450 EXPECT_NE(foo_process,

	451 new_shell->web_contents()->GetMainFrame()->GetProcess());

	452 EXPECT_NE(isolated_foo_process,

	453 new_shell->web_contents()->GetMainFrame()->GetProcess());

	454 EXPECT_EQ(isolated_bar_process,

	455 new_shell->web_contents()->GetMainFrame()->GetProcess());

	456

	457 // Navigate second tab to a non-isolated URL and see that it goes back into

	458 // the www.foo.com process, and that it does not share processes with any

	459 // isolated origins.

	460 EXPECT_TRUE(NavigateToURL(new_shell, foo_url));

	461 EXPECT_EQ(foo_process,

	462 new_shell->web_contents()->GetMainFrame()->GetProcess());

	463 EXPECT_NE(isolated_foo_process,

	464 new_shell->web_contents()->GetMainFrame()->GetProcess());

	465 EXPECT_NE(isolated_bar_process,

	466 new_shell->web_contents()->GetMainFrame()->GetProcess());

	467 }

	468

356 } // namespace content	469 } // namespace content

OLD	NEW