commit | fa84233d2339c1be03a754d81a201a75f076184f | |
---|---|---|
author | Matt Giuca <mgiuca@chromium.org> | Fri Aug 02 03:07:28 2019 |
committer | Commit Bot <commit-bot@chromium.org> | Fri Aug 02 03:07:28 2019 |
tree | 8079417eb416f33ae39cff1151e21309ae7ec383 | |
parent | 4dcc8e2b937cda23e8f7b86a84727795cd55f706 | |
Revert "Make browser process own RenderView."

This reverts commit 55bc919aff4f9d30d03090859321050557407e85.

Reason for revert: Suspected cause of https://crbug.com/990192

Since this changes the ownership of RenderWidget and the newly flaky test (which started failing on MSAN 1 build after this landed) has a use-after-free in RenderWidget, I am suspecting this CL.

Original change's description:
> Make browser process own RenderView.
>
> Historically, RenderView and RenderWidget were 1:1, and their lifetimes were
> entwined.
> 1) RenderViewHost would create the RenderView.
> 2) RenderView would create a RenderWidget and pass ownership of itself to the
> RenderWidget.
> 3) RenderViewHost's destructor would destroy the RenderWidget, thus destroying
> the RenderView.
>
> We want the lifetime of RenderView and RenderWidget to be decoupled. The first
> step of this is making RenderView explicitly owned by the browser. This means
> that instead of (3), RenderViewHost's destructor will destroy the RenderView,
> which will in turn destroy the RenderWidget.
>
> One subtlety is that prior to this CL, RenderWidget was always destroyed
> asynchronously. The original reason for supporting this -- dealing with
> re-entrancy from nested message loops -- is no longer applicable. The IPC that
> destroys RenderWidget is asynchronous, which means it can never be called from a
> re-entrant context. However, it is possible for a RenderWidget associated with a
> child-frame to be synchronously destroyed by JS. This can be re-entrant. This CL
> updates destruction of RenderWidget to be synchronous when called from IPC.
>
> Bug: 987731
> Change-Id: If4b319fab19d02c5495ba14e5cc929f441ca4d2e
> Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/1717456
> Commit-Queue: Avi Drissman <avi@chromium.org>
> Reviewed-by: Avi Drissman <avi@chromium.org>
> Reviewed-by: Daniel Cheng <dcheng@chromium.org>
> Auto-Submit: Erik Chen <erikchen@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#683247}

TBR=avi@chromium.org,dcheng@chromium.org,erikchen@chromium.org

Change-Id: I762230d0df57c6bcd75af80c1aa231d7b4d2183e
No-Presubmit: true
No-Tree-Checks: true
No-Try: true
Bug: 987731, 990192
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/1731991
Reviewed-by: Matt Giuca <mgiuca@chromium.org>
Commit-Queue: Matt Giuca <mgiuca@chromium.org>
Cr-Commit-Position: refs/heads/master@{#683457}
Chromium is an open-source browser project that aims to build a safer, faster, and more stable way for all users to experience the web.
The project's web site is https://www.chromium.org.
Documentation in the source is rooted in docs/README.md.
Learn how to Get Around the Chromium Source Code Directory Structure.