Create swapped-out opener RVHs after a process swap.

content/renderer/render_view_impl.cc

 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "content/renderer/render_view_impl.h"
 
 #include <algorithm>
 #include <cmath>
 #include <string>
 #include <vector>
 
 #include "base/bind.h"
 #include "base/bind_helpers.h"
 #include "base/command_line.h"
 #include "base/compiler_specific.h"
 #include "base/json/json_writer.h"
 #include "base/lazy_instance.h"
 #include "base/metrics/histogram.h"
 #include "base/path_service.h"
 #include "base/process_util.h"
 #include "base/string_number_conversions.h"
 #include "base/string_piece.h"
 #include "base/string_split.h"
 #include "base/string_util.h"
 #include "base/sys_string_conversions.h"
 #include "base/time.h"
 #include "base/utf_string_conversions.h"
 #include "content/common/appcache/appcache_dispatcher.h"
+#include "content/common/child_thread.h"
 #include "content/common/clipboard_messages.h"
 #include "content/common/database_messages.h"
 #include "content/common/drag_messages.h"
 #include "content/common/fileapi/file_system_dispatcher.h"
 #include "content/common/fileapi/webfilesystem_callback_dispatcher.h"
 #include "content/common/gpu/client/webgraphicscontext3d_command_buffer_impl.h"
 #include "content/common/intents_messages.h"
 #include "content/common/java_bridge_messages.h"
 #include "content/common/pepper_messages.h"
 #include "content/common/pepper_plugin_registry.h"
@@ skipping 388 matching lines @@
 RenderViewImpl::RenderViewImpl(
     gfx::NativeViewId parent_hwnd,
     int32 opener_id,
     const content::RendererPreferences& renderer_prefs,
     const WebPreferences& webkit_prefs,
     SharedRenderViewCounter* counter,
     int32 routing_id,
     int32 surface_id,
     int64 session_storage_namespace_id,
     const string16& frame_name,
+    bool is_renderer_created,
+    bool swapped_out,
     int32 next_page_id,
     const WebKit::WebScreenInfo& screen_info,
     bool guest,
     AccessibilityMode accessibility_mode)
-    : RenderWidget(WebKit::WebPopupTypeNone, screen_info),
+    : RenderWidget(WebKit::WebPopupTypeNone, screen_info, swapped_out),
       webkit_preferences_(webkit_prefs),
       send_content_state_immediately_(false),
       enabled_bindings_(0),
       send_preferred_size_changes_(false),
       is_loading_(false),
       navigation_gesture_(NavigationGestureUnknown),
       opened_by_user_gesture_(true),
       opener_suppressed_(false),
       page_id_(-1),
       last_page_id_sent_to_browser_(-1),
@@ skipping 22 matching lines @@
       session_storage_namespace_id_(session_storage_namespace_id),
       handling_select_range_(false),
 #if defined(OS_WIN)
       focused_plugin_id_(-1),
 #endif
       guest_(guest),
       accessibility_mode_(accessibility_mode),
       ALLOW_THIS_IN_INITIALIZER_LIST(pepper_delegate_(this)) {
   routing_id_ = routing_id;
   surface_id_ = surface_id;
-  if (opener_id != MSG_ROUTING_NONE)
+  if (opener_id != MSG_ROUTING_NONE && is_renderer_created)
     opener_id_ = opener_id;
 
   // Ensure we start with a valid next_page_id_ from the browser.
   DCHECK_GE(next_page_id_, 0);
 
 #if defined(ENABLE_NOTIFICATIONS)
   notification_provider_ = new NotificationProvider(this);
 #else
   notification_provider_ = NULL;
 #endif
 
   webwidget_ = WebView::create(this);
   webwidget_mouse_lock_target_.reset(new WebWidgetLockTarget(webwidget_));
 
   if (counter) {
     shared_popup_counter_ = counter;
-    shared_popup_counter_->data++;
+    // Only count this if it isn't swapped out upon creation.
+    if (!swapped_out)
+      shared_popup_counter_->data++;
     decrement_shared_popup_at_destruction_ = true;
   } else {
     shared_popup_counter_ = new SharedRenderViewCounter(0);
     decrement_shared_popup_at_destruction_ = false;
   }
 
   RenderThread::Get()->AddRoute(routing_id_, this);
   // Take a reference on behalf of the RenderThread.  This will be balanced
   // when we receive ViewMsg_ClosePage.
   AddRef();
 
   // If this is a popup, we must wait for the CreatingNew_ACK message before
   // completing initialization.  Otherwise, we can finish it now.
-  if (opener_id == MSG_ROUTING_NONE) {
+  if (opener_id_ == MSG_ROUTING_NONE) {
     did_show_ = true;
     CompleteInit(parent_hwnd);
   }
 
   g_view_map.Get().insert(std::make_pair(webview(), this));
   webkit_preferences_.Apply(webview());
   webview()->initializeMainFrame(this);
   if (!frame_name.empty())
     webview()->mainFrame()->setName(frame_name);
   webview()->settings()->setMinimumTimerInterval(
@@ skipping 28 matching lines @@
 
   new IdleUserDetector(this);
 
   const CommandLine& command_line = *CommandLine::ForCurrentProcess();
   if (command_line.HasSwitch(switches::kDomAutomationController))
     enabled_bindings_ |= content::BINDINGS_POLICY_DOM_AUTOMATION;
 
   ProcessViewLayoutFlags(command_line);
 
   content::GetContentClient()->renderer()->RenderViewCreated(this);
+
+  // If we have an opener_id but we weren't created by a renderer, then
+  // it's the browser asking us to set our opener to another RenderView.
+  // TODO(creis): This doesn't yet handle openers that are subframes.
+  if (opener_id != MSG_ROUTING_NONE && !is_renderer_created) {
+    RenderViewImpl* opener_view = static_cast<RenderViewImpl*>(
+        ChildThread::current()->ResolveRoute(opener_id));
+    webview()->mainFrame()->setOpener(opener_view->webview()->mainFrame());
+  }
+
+  // If we are initially swapped out, navigate to kSwappedOutURL.
+  // This ensures we are in a unique origin that others cannot script.
+  if (is_swapped_out_)
+    NavigateToSwappedOutURL();
 }
 
 RenderViewImpl::~RenderViewImpl() {
   history_page_ids_.clear();
 
   if (decrement_shared_popup_at_destruction_)
     shared_popup_counter_->data--;
 
   // If file chooser is still waiting for answer, dispatch empty answer.
   while (!file_chooser_completions_.empty()) {
@@ skipping 51 matching lines @@
 RenderViewImpl* RenderViewImpl::Create(
     gfx::NativeViewId parent_hwnd,
     int32 opener_id,
     const content::RendererPreferences& renderer_prefs,
     const WebPreferences& webkit_prefs,
     SharedRenderViewCounter* counter,
     int32 routing_id,
     int32 surface_id,
     int64 session_storage_namespace_id,
     const string16& frame_name,
+    bool is_renderer_created,
+    bool swapped_out,
     int32 next_page_id,
     const WebKit::WebScreenInfo& screen_info,
     bool guest,
     AccessibilityMode accessibility_mode) {
   DCHECK(routing_id != MSG_ROUTING_NONE);
   return new RenderViewImpl(
       parent_hwnd,
       opener_id,
       renderer_prefs,
       webkit_prefs,
       counter,
       routing_id,
       surface_id,
       session_storage_namespace_id,
       frame_name,
+      is_renderer_created,
+      swapped_out,
       next_page_id,
       screen_info,
       guest,
       accessibility_mode);
 }
 
 WebPeerConnectionHandler* RenderViewImpl::CreatePeerConnectionHandler(
     WebPeerConnectionHandlerClient* client) {
   EnsureMediaStreamImpl();
   if (!media_stream_impl_)
@@ skipping 845 matching lines @@
   RenderViewImpl* view = RenderViewImpl::Create(
       0,
       routing_id_,
       renderer_preferences_,
       webkit_preferences_,
       shared_popup_counter_,
       routing_id,
       surface_id,
       cloned_session_storage_namespace_id,
       frame_name,
+      true,
+      false,
       1,
       screen_info_,
       guest_,
       accessibility_mode_);
   view->opened_by_user_gesture_ = params.user_gesture;
 
   // Record whether the creator frame is trying to suppress the opener field.
   view->opener_suppressed_ = params.opener_suppressed;
 
   // Record the security origin of the creator.
@@ skipping 2919 matching lines @@
     SyncNavigationState();
 
     // Synchronously run the unload handler before sending the ACK.
     webview()->dispatchUnloadEvent();
 
     // Swap out and stop sending any IPC messages that are not ACKs.
     SetSwappedOut(true);
 
     // Replace the page with a blank dummy URL. The unload handler will not be
     // run a second time, thanks to a check in FrameLoader::stopLoading.
-    // We use loadRequest instead of loadHTMLString because the former commits
-    // synchronously.  Otherwise a new navigation can interrupt the navigation
-    // to content::kSwappedOutURL. If that happens to be to the page we had been
-    // showing, then WebKit will never send a commit and we'll be left spinning.
     // TODO(creis): Need to add a better way to do this that avoids running the
     // beforeunload handler. For now, we just run it a second time silently.
-    GURL swappedOutURL(content::kSwappedOutURL);
-    WebURLRequest request(swappedOutURL);
-    webview()->mainFrame()->loadRequest(request);
+    NavigateToSwappedOutURL();
   }
 
   // Just echo back the params in the ACK.
   Send(new ViewHostMsg_SwapOut_ACK(routing_id_, params));
 }
 
+void RenderViewImpl::NavigateToSwappedOutURL() {
+  // We use loadRequest instead of loadHTMLString because the former commits
+  // synchronously.  Otherwise a new navigation can interrupt the navigation
+  // to content::kSwappedOutURL. If that happens to be to the page we had been
+  // showing, then WebKit will never send a commit and we'll be left spinning.
+  GURL swappedOutURL(content::kSwappedOutURL);
+  WebURLRequest request(swappedOutURL);
+  webview()->mainFrame()->loadRequest(request);
+}
+
 void RenderViewImpl::OnClosePage() {
   FOR_EACH_OBSERVER(RenderViewObserver, observers_, ClosePage());
   // TODO(creis): We'd rather use webview()->Close() here, but that currently
   // sets the WebView's delegate_ to NULL, preventing any JavaScript dialogs
   // in the onunload handler from appearing.  For now, we're bypassing that and
   // calling the FrameLoader's CloseURL method directly.  This should be
   // revisited to avoid having two ways to close a page.  Having a single way
   // to close that can run onunload is also useful for fixing
   // http://b/issue?id=753080.
   webview()->dispatchUnloadEvent();
@@ skipping 776 matching lines @@
 bool RenderViewImpl::WebWidgetHandlesCompositorScheduling() const {
   return !!RenderThreadImpl::current()->compositor_thread();
 }
 
 void RenderViewImpl::OnJavaBridgeInit() {
   DCHECK(!java_bridge_dispatcher_.get());
 #if defined(ENABLE_JAVA_BRIDGE)
   java_bridge_dispatcher_.reset(new JavaBridgeDispatcher(this));
 #endif
 }