Chromium Code Reviews
chromiumcodereview-hr@appspot.gserviceaccount.com (chromiumcodereview-hr) | Please choose your nickname with Settings | Help | Chromium Project | Gerrit Changes | Sign out
(253)

Issues Search
    My Issues | Starred     Open | Closed | All

Issue 799593004: Don't crash while detaching a pending child frame under --site-per-process. (Closed)

Created:
6 years ago by ncarter (slow)
Modified:
6 years ago
Reviewers:
nasko
CC:
chromium-reviews, darin-cc_chromium.org, nasko+codewatch_chromium.org, jam, creis+watch_chromium.org, site-isolation-dev_chromium.org
Base URL:
https://chromium.googlesource.com/chromium/src.git@master
Project:
chromium
Visibility:
Public.

Description

Don't crash while detaching a pending child frame under --site-per-process. Fixes a null pointer dereference in RenderFrameProxyHost::RenderFrameProxyHost, when a RenderFrameProxyHost is created as a side effect of destroying the FrameTreeNode and RenderFrameHostManager. The crash occurs because of the operation below: if (!frame_tree_node_->IsMainFrame() && frame_tree_node_->parent() ->render_manager() ->current_frame_host() ->GetSiteInstance() == site_instance) { When a FrameTreeNode is being detached from the tree, it is not the main frame (because it is not equal to the root), but it also does not have a parent (because, for reasons explained in FrameTreeNode::RemoveChild, it is trimmed from the tree before destruction). So the parent() call above returns NULL, resulting in great misfortune. Add a test that failed without the fix. BUG=441357 Committed: https://crrev.com/807e4955fa017715970d456d17bcc3a0730c72a0 Cr-Commit-Position: refs/heads/master@{#308219}

Patch Set 1 #

Patch Set 2 : Self-review fixes #

Total comments: 14

Patch Set 3 : Nasko's fixes #

Patch Set 4 : Rebase of patch set 3 #

Patch Set 5 : Fix compile after rebase #

Total comments: 2

Patch Set 6 : Undo inline of DiscardUnusedFrame #

Total comments: 1

Patch Set 7 : size_t unsigned compile fix #

Unified diffs Side-by-side diffs Delta from patch set Stats (+97 lines, -7 lines) Patch
M content/browser/frame_host/render_frame_host_manager.h View 1 2 3 1 chunk +5 lines, -1 line 0 comments Download
M content/browser/frame_host/render_frame_host_manager.cc View 1 2 3 4 5 3 chunks +8 lines, -3 lines 0 comments Download
M content/browser/frame_host/render_frame_host_manager_unittest.cc View 1 2 3 4 5 6 4 chunks +84 lines, -3 lines 0 comments Download

Messages

Total messages: 12 (2 generated)
ncarter (slow)
Hi Nasko, please review.
6 years ago (2014-12-11 23:24:27 UTC) #2
nasko
Looking good, a few nits here and there. https://codereview.chromium.org/799593004/diff/20001/content/browser/frame_host/render_frame_host_manager.cc File content/browser/frame_host/render_frame_host_manager.cc (right): https://codereview.chromium.org/799593004/diff/20001/content/browser/frame_host/render_frame_host_manager.cc#newcode70 content/browser/frame_host/render_frame_host_manager.cc:70: pending_render_frame_host_->GetProcess()->RemovePendingView(); ...
6 years ago (2014-12-11 23:49:54 UTC) #3
ncarter (slow)
PTAL. I significantly changed the approach for the fix, and had to rebase to fix ...
6 years ago (2014-12-12 20:21:06 UTC) #4
ncarter (slow)
https://codereview.chromium.org/799593004/diff/20001/content/browser/frame_host/render_frame_host_manager.cc File content/browser/frame_host/render_frame_host_manager.cc (right): https://codereview.chromium.org/799593004/diff/20001/content/browser/frame_host/render_frame_host_manager.cc#newcode70 content/browser/frame_host/render_frame_host_manager.cc:70: pending_render_frame_host_->GetProcess()->RemovePendingView(); On 2014/12/12 20:21:06, ncarter wrote: > On 2014/12/11 ...
6 years ago (2014-12-12 20:22:41 UTC) #5
nasko
Just one comment, to avoid extraneous moving of code around. https://codereview.chromium.org/799593004/diff/20001/content/browser/frame_host/render_frame_host_manager_unittest.cc File content/browser/frame_host/render_frame_host_manager_unittest.cc (right): https://codereview.chromium.org/799593004/diff/20001/content/browser/frame_host/render_frame_host_manager_unittest.cc#newcode1836 ...
6 years ago (2014-12-12 21:54:50 UTC) #6
ncarter (slow)
https://codereview.chromium.org/799593004/diff/80001/content/browser/frame_host/render_frame_host_manager.cc File content/browser/frame_host/render_frame_host_manager.cc (left): https://codereview.chromium.org/799593004/diff/80001/content/browser/frame_host/render_frame_host_manager.cc#oldcode567 content/browser/frame_host/render_frame_host_manager.cc:567: void RenderFrameHostManager::DiscardUnusedFrame( On 2014/12/12 21:54:49, nasko wrote: > In ...
6 years ago (2014-12-12 22:33:24 UTC) #7
nasko
LGTM https://codereview.chromium.org/799593004/diff/100001/content/browser/frame_host/render_frame_host_manager.cc File content/browser/frame_host/render_frame_host_manager.cc (right): https://codereview.chromium.org/799593004/diff/100001/content/browser/frame_host/render_frame_host_manager.cc#newcode1594 content/browser/frame_host/render_frame_host_manager.cc:1594: DiscardUnusedFrame(UnsetPendingRenderFrameHost()); Looks actually quite nice! Thanks!
6 years ago (2014-12-12 22:36:17 UTC) #8
commit-bot: I haz the power
CQ is trying da patch. Follow status at https://chromium-cq-status.appspot.com/patch-status/799593004/120001
6 years ago (2014-12-13 00:52:16 UTC) #10
commit-bot: I haz the power
Committed patchset #7 (id:120001)
6 years ago (2014-12-13 01:53:57 UTC) #11
commit-bot: I haz the power
6 years ago (2014-12-13 01:55:18 UTC) #12
Message was sent while issue was closed. 
Patchset 7 (id:??) landed as
https://crrev.com/807e4955fa017715970d456d17bcc3a0730c72a0
Cr-Commit-Position: refs/heads/master@{#308219}

Powered by Google App Engine
This is Rietveld 408576698