Google Git
Sign in
chromium / chromium / src / 33e05cb7b3af9dcadddb78e703f19c49f6664218
commit33e05cb7b3af9dcadddb78e703f19c49f6664218[log] [tgz]
authorAlex Moshchuk <alexmos@chromium.org>Sat May 20 00:12:12 2023
committerChromium LUCI CQ <chromium-scoped@luci-project-accounts.iam.gserviceaccount.com>Sat May 20 00:12:12 2023
tree46c09203070660f7d5aca9acc8a242864be9fa6c
parent0a045060ae37533acf4a33375ce76c8f3ed5460b [diff]
Remove SiteInstanceDeleting usage outside of tests.

Currently, the SiteInstance destructor notifies the embedder that it's
about to go away via ContentBrowserClient::SiteInstanceDeleting().
Due to some recent security bugs and a "complicated" relationship
between SiteInstance and BrowserContext destruction, it is desirable
to simplify SiteInstance destruction and, in particular, avoid running
arbitrary embedder code triggered by the destructor.  Outside of
tests, only the extension code uses SiteInstanceDeleting today to
remove entries from the extensions ProcessMap, and, fortunately, it
appears that this is not actually needed:
ExtensionService::RenderProcessHostDestroyed() already removes all
appropriate ProcessMap entries when an extension renderer process gets
destroyed (using RemoveAllFromProcess()), and there appears to be no
use for tracking when individual extension SiteInstance IDs are added
or removed.

Therefore, this CL removes the use of SiteInstanceDeleting() in the
extension code and changes ProcessMap to track a set of <extension_id,
process_id> rather than <extension_id, process_id, site_instance_id>.
Entries are removed from this set in
ExtensionService::RenderProcessHostDestroyed() (which should usually
run before the SiteInstance destructor anyway).  They are still added
by SiteInstanceGotProcess() - this could also eventually be switched
away from SiteInstance observation to process observation via
something like content::RenderProcessHostCreationObserver(), but we'd
need to look for all processes with ProcessLocks that correspond to
extensions, including hosted apps (so, we'd need to look at both site
and lock URLs), and this ProcessLock information isn't yet exposed
outside of //content.

Note that originally, site_instance_id was added to ProcessMap in
https://crrev.com/112921 for https://crbug.com/105328.  It appears
that the DCHECK that used to fire when adding a second entry with the
same process ID for the same extension is no longer there, and this
works just fine (and is covered in tests).  Also, some of the
assumptions are now simpler due to strict extension isolation, which
guarantees at most one extension being associated with each renderer
process.

After this change, ContentBrowserClient::SiteInstanceDeleting() is
only used by a few unit tests inside //content.  These will be cleaned
up in a followup CL.

In review, we discovered one slight behavioral change in a rare corner
case. Namely, if two hosted apps cover different paths on the *same*
origin, and they are opened in unrelated tabs, and we're over the
process limit, the two apps will share a process today (regardless of
this CL).  Then, if hosted app 1's tab is closed, its <app1_id,
process_id> entry in ProcessMap would remain until the hosted app 2 is
also closed and their shared process actually exits.  Previously, the
corresponding <app1_id, process_id, site_instance1_id> entry would be
removed when app 1 is closed.  This implies being a bit more
conservative but still safe (i.e., the process is considered to
contain app1 slightly longer than it actually does).

Change-Id: I2b847a80e2a57523af19ef2bcd04a1070cdad573
Bug: 1444204, 1444438
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/4521894
Reviewed-by: Charlie Reis <creis@chromium.org>
Reviewed-by: David Bertoni <dbertoni@chromium.org>
Reviewed-by: Lei Zhang <thestig@chromium.org>
Commit-Queue: Alex Moshchuk <alexmos@chromium.org>
Cr-Commit-Position: refs/heads/main@{#1146796}
13 files changed
tree: 46c09203070660f7d5aca9acc8a242864be9fa6c
  1. android_webview/
  2. apps/
  3. ash/
  4. base/
  5. build/
  6. build_overrides/
  7. buildtools/
  8. cc/
  9. chrome/
  10. chromecast/
  11. chromeos/
  12. codelabs/
  13. components/
  14. content/
  15. courgette/
  16. crypto/
  17. dbus/
  18. device/
  19. docs/
  20. extensions/
  21. fuchsia_web/
  22. gin/
  23. google_apis/
  24. google_update/
  25. gpu/
  26. headless/
  27. infra/
  28. ios/
  29. ipc/
  30. media/
  31. mojo/
  32. native_client_sdk/
  33. net/
  34. pdf/
  35. ppapi/
  36. printing/
  37. remoting/
  38. rlz/
  39. sandbox/
  40. services/
  41. skia/
  42. sql/
  43. storage/
  44. styleguide/
  45. testing/
  46. third_party/
  47. tools/
  48. ui/
  49. url/
  50. weblayer/
  51. .clang-format
  52. .clang-tidy
  53. .eslintrc.js
  54. .git-blame-ignore-revs
  55. .gitattributes
  56. .gitignore
  57. .gn
  58. .mailmap
  59. .rustfmt.toml
  60. .vpython3
  61. .yapfignore
  62. ATL_OWNERS
  63. AUTHORS
  64. BUILD.gn
  65. CODE_OF_CONDUCT.md
  66. codereview.settings
  67. DEPS
  68. DIR_METADATA
  69. LICENSE
  70. LICENSE.chromium_os
  71. OWNERS
  72. PRESUBMIT.py
  73. PRESUBMIT_test.py
  74. PRESUBMIT_test_mocks.py
  75. README.md
  76. WATCHLISTS
README.md

Logo Chromium

Chromium is an open-source browser project that aims to build a safer, faster, and more stable way for all users to experience the web.

The project's web site is https://www.chromium.org.

To check out the source code locally, don't use git clone! Instead, follow the instructions on how to get the code.

Documentation in the source is rooted in docs/README.md.

Learn how to Get Around the Chromium Source Code Directory Structure .

For historical reasons, there are some small top level directories. Now the guidance is that new top level directories are for product (e.g. Chrome, Android WebView, Ash). Even if these products have multiple executables, the code should be in subdirectories of the product.

If you found a bug, please file it at https://crbug.com/new.