| blob | bc8a487c3db31f79e03dd1a36856969126ff648e |
1 // Copyright 2013 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file.
7 #include <algorithm>
8 #include <utility>
53 // Helper function to add the FrameTree of the given node's opener to the list
54 // of |opener_trees|, if it doesn't exist there already. |visited_index|
55 // indicates which FrameTrees in |opener_trees| have already been visited
56 // (i.e., those at indices less than |visited_index|). |nodes_with_back_links|
57 // collects FrameTreeNodes with openers in FrameTrees that have already been
58 // visited (such as those with cycles). This function is intended to be used
59 // with FrameTree::ForEach, so it always returns true to visit all nodes in the
60 // tree.
74 // This is a new opener tree that we will need to process.
77 // If this tree is already on our processing list *and* we have visited it,
78 // then this node's opener is a back link. This means the node will need
79 // special treatment to process its opener.
83 }
85 }
89 // A helper class to hold all frame proxies and register as a
90 // RenderProcessHostObserver for them.
99 // Read-only access to the underlying map of site instance ID to
100 // RenderFrameProxyHosts.
105 // Returns the proxy with the specified ID, or nullptr if there is no such
106 // one.
109 // Adds the specified proxy with the specified ID. It is an error (and fatal)
110 // to add more than one proxy with the specified ID.
113 // Removes the proxy with the specified site instance ID.
116 // Removes all proxies.
119 // RenderProcessHostObserver implementation.
127 MapType map_;
128 };
136 }
139 int32 id) {
144 }
147 int32 id,
151 // If this is the first proxy that has this process host, observe the
152 // process host.
157 });
162 }
169 // If this is the last proxy that has this process host, stop observing the
170 // process host.
175 });
181 }
191 }
196 }
203 }
205 // static
209 }
227 }
233 }
238 }
242 // Delete any RenderFrameProxyHosts and swapped out RenderFrameHosts.
243 // It is important to delete those prior to deleting the current
244 // RenderFrameHost, since the CrossProcessFrameConnector (owned by
245 // RenderFrameProxyHost) points to the RenderWidgetHostView associated with
246 // the current RenderFrameHost and uses it during its destructor.
249 // Release the WebUI prior to resetting the current RenderFrameHost, as the
250 // WebUI accesses the RenderFrameHost during cleanup.
253 // We should always have a current RenderFrameHost except in some tests.
255 }
259 int32 view_routing_id,
260 int32 frame_routing_id,
261 int32 widget_routing_id,
262 int32 surface_id) {
263 // Create a RenderViewHost and RenderFrameHost, once we have an instance. It
264 // is important to immediately give this SiteInstance to a RenderViewHost so
265 // that the SiteInstance is ref counted.
274 // Notify the delegate of the creation of the current RenderFrameHost.
275 // Do this only for subframes, as the main frame case is taken care of by
276 // WebContentsImpl::Init.
280 }
281 }
287 }
293 }
301 }
306 }
308 RenderWidgetHostImpl*
319 }
330 }
340 }
345 }
353 outer_delegate_frame_tree_node);
354 }
359 }
365 // If we have assigned (zero or more) bindings to this NavigationEntry in the
366 // past, make sure we're not granting it different bindings than it had
367 // before. If so, note it and don't give it any bindings, to avoid a
368 // potential privilege escalation.
373 }
375 }
383 // Create a pending RenderFrameHost to use for the navigation.
385 dest_url,
386 // TODO(creis): Move source_site_instance to FNE.
395 // If the current render_frame_host_ isn't live, we should create it so
396 // that we don't show a sad tab while the dest_render_frame_host fetches
397 // its first page. (Bug 1145340)
400 // Note: we don't call InitRenderView here because we are navigating away
401 // soon anyway, and we don't have the NavigationEntry for this host.
405 }
407 // If the renderer isn't live, then try to create a new one to satisfy this
408 // navigation request.
410 // Instruct the destination render frame host to set up a Mojo connection
411 // with the new render frame if necessary. Note that this call needs to
412 // occur before initializing the RenderView; the flow of creating the
413 // RenderView can cause browser-side code to execute that expects the this
414 // RFH's ServiceRegistry to be initialized (e.g., if the site is a WebUI
415 // site that is handled via Mojo, then Mojo WebUI code in //chrome will
416 // add a service to this RFH's ServiceRegistry).
419 // Recreate the opener chain.
421 frame_tree_node_);
423 MSG_ROUTING_NONE))
426 // Now that we've created a new renderer, be sure to hide it if it isn't
427 // our primary one. Otherwise, we might crash if we try to call Show()
428 // on it later.
433 // After a renderer crash we'd have marked the host as invisible, so we
434 // need to set the visibility of the new View to the correct value here
435 // after reload.
443 }
444 }
446 // TODO(nasko): This is a very ugly hack. The Chrome extensions process
447 // manager still uses NotificationService and expects to see a
448 // RenderViewHost changed notification after WebContents and
449 // RenderFrameHostManager are completely initialized. This should be
450 // removed once the process manager moves away from NotificationService.
451 // See https://crbug.com/462682.
454 }
455 }
457 // If entry includes the request ID of a request that is being transferred,
458 // the destination render frame will take ownership, so release ownership of
459 // the request.
465 // The navigating RenderFrameHost should take ownership of the
466 // NavigationHandle that came from the transferring RenderFrameHost.
470 }
474 }
479 // If a cross-process navigation is happening, the pending RenderFrameHost
480 // should stop. This will lead to a DidFailProvisionalLoad, which will
481 // properly destroy it.
485 }
487 // PlzNavigate: a loading speculative RenderFrameHost should also stop.
494 }
495 }
496 }
502 }
505 // If we're waiting for a close ACK, then the tab should close whether there's
506 // a navigation in progress or not. Unfortunately, we also need to check for
507 // cases that we arrive here with no navigation in progress, since there are
508 // some tab closure paths that don't set is_waiting_for_close_ack to true.
509 // TODO(creis): Clean this up in http://crbug.com/418266.
514 // We should always have a pending RFH when there's a cross-process navigation
515 // in progress. Sanity check this for http://crbug.com/276333.
518 // Unload handlers run in the background, so we should never get an
519 // unresponsiveness warning for them.
522 // If the tab becomes unresponsive during beforeunload while doing a
523 // cross-process navigation, proceed with the navigation. (This assumes that
524 // the pending RenderFrameHost is still responsive.)
526 // Haven't gotten around to starting the request, because we're still
527 // waiting for the beforeunload handler to finish. We'll pretend that it
528 // did finish, to let the navigation proceed. Note that there's a danger
529 // that the beforeunload handler will later finish and possibly return
530 // false (meaning the navigation should not proceed), but we'll ignore it
531 // in this case because it took too long.
535 }
536 }
538 }
547 // Ignore if we're not in a cross-process navigation.
552 // Ok to unload the current page, so proceed with the cross-process
553 // navigation. Note that if navigations are not currently suspended, it
554 // might be because the renderer was deemed unresponsive and this call was
555 // already made by ShouldCloseTabOnUnresponsiveRenderer. In that case, it
556 // is ok to do nothing here.
560 proceed_time);
561 }
563 // Current page says to cancel.
565 }
567 // Non-cross-process transition means closing the entire tab.
573 // If we're about to close the tab and there's a pending RFH, cancel it.
574 // Otherwise, if the navigation in the pending RFH completes before the
575 // close in the current RFH, we'll lose the tab close.
578 }
580 // PlzNavigate: clean up the speculative RenderFrameHost if there is one.
583 speculative_render_frame_host_) {
585 }
587 // This is not a cross-process navigation; the tab is being closed.
589 }
590 }
591 }
601 // We should only get here for transfer navigations. Most cross-process
602 // navigations can just continue and wait to run the unload handler (by
603 // swapping out) when the new navigation commits.
606 // A transfer should only have come from our pending or current RFH.
607 // TODO(creis): We need to handle the case that the pending RFH has changed
608 // in the mean time, while this was being posted from the IO thread. We
609 // should probably cancel the request in that case.
613 // Store the transferring request so that we can release it if the transfer
614 // navigation matches.
617 // Store the NavigationHandle to give it to the appropriate RenderFrameHost
618 // after it started navigating.
619 transfer_navigation_handle_ =
623 // Sanity check that the params are for the correct frame and process.
624 // These should match the RenderFrameHost that made the request.
625 // If it started as a cross-process navigation via OpenURL, this is the
626 // pending one. If it wasn't cross-process until the transfer, this is
627 // the current one.
637 // Treat the last URL in the chain as the destination and the remainder as
638 // the redirect chain.
644 // We don't know whether the original request had |user_action| set to true.
645 // However, since we force the navigation to be in the current tab, it
646 // doesn't matter.
652 // The transferring request was only needed during the RequestTransferURL
653 // call, so it is safe to clear at this point.
656 // If the navigation continued, the NavigationHandle should have been
657 // transfered to a RenderFrameHost. In the other cases, it should be cleared.
659 }
666 // Make sure any dynamic changes to this frame's sandbox flags that were made
667 // prior to navigation take effect.
669 }
677 // We should only hear this from our current renderer.
680 // Even when there is no pending RVH, there may be a pending Web UI.
684 }
688 // The pending cross-process navigation completed, so show the renderer.
696 // A navigation in the original page has taken place. Cancel the
697 // pending one. Only do it for user gesture originated navigations to
698 // prevent page doing any shenanigans to prevent user from navigating.
699 // See https://code.google.com/p/chromium/issues/detail?id=75195
701 }
702 }
704 // No one else should be sending us DidNavigate in this state.
706 }
707 }
716 // If |opener_rfhi| is null, the opener RFH has already disappeared. In
717 // this case, clear the opener rather than keeping the old opener around.
720 }
731 }
736 // Notify the pending and speculative RenderFrameHosts as well. This is
737 // necessary in case a process swap has started while the message was in
738 // flight.
742 }
746 source_site_instance) {
748 }
749 }
752 // Return early if there were no pending sandbox flags updates.
756 // Sandbox flags updates can only happen when the frame has a parent.
759 // Notify all of the frame's proxies about updated sandbox flags, excluding
760 // the parent process since it already knows the latest flags.
768 }
769 }
770 }
774 // Remove any swapped out RVHs from this process, so that we don't try to
775 // swap them back in while the process is exiting. Start by finding them,
776 // since there could be more than one.
778 // Do not remove proxies in the dead process that still have active frame
779 // count though, we just reset them to be uninitialized.
791 }
792 }
794 // Now delete them.
798 }
806 }
807 }
814 // Tell the renderer to suppress any further modal dialogs so that we can swap
815 // it out. This must be done before canceling any current dialog, in case
816 // there is a loop creating additional dialogs.
817 // TODO(creis): Handle modal dialogs in subframe processes.
820 // Now close any modal dialogs that would prevent us from swapping out. This
821 // must be done separately from SwapOut, so that the PageGroupLoadDeferrer is
822 // no longer on the stack when we send the SwapOut message.
825 // If the old RFH is not live, just return as there is no further work to do.
826 // It will be deleted and there will be no proxy created.
827 int32 old_site_instance_id =
832 }
834 // If there are no active frames besides this one, we can delete the old
835 // RenderFrameHost once it runs its unload handler, without replacing it with
836 // a proxy.
840 // Clear out any proxies from this SiteInstance, in case this was the
841 // last one keeping other proxies alive.
844 // Tell the old RenderFrameHost to swap out, with no proxy to replace it.
848 }
850 // Otherwise there are active views and we need a proxy for the old RFH.
851 // (There should not be one yet.)
857 // Tell the old RenderFrameHost to swap out and be replaced by the proxy.
860 // SwapOut creates a RenderFrameProxy, so set the proxy to be initialized.
864 // In --site-per-process, frames delete their RFH rather than storing it
865 // in the proxy. Schedule it for deletion once the SwapOutACK comes in.
866 // TODO(creis): This will be the default when we remove swappedout://.
869 // We shouldn't get here for subframes, since we only swap subframes when
870 // --site-per-process is used.
873 // The old RenderFrameHost will stay alive inside the proxy so that existing
874 // JavaScript window references to it stay valid.
876 }
877 }
881 // TODO(carlosk): this code is very similar to what can be found in
882 // SwapOutOldFrame and we should see that these are unified at some point.
884 // If the SiteInstance for the pending RFH is being used by others don't
885 // delete the RFH. Just swap it out and it can be reused at a later point.
886 // In --site-per-process, RenderFrameHosts are not kept around and are
887 // deleted when not used, replaced by RenderFrameProxyHosts.
890 // Any currently suspended navigations are no longer needed.
897 // Check if the RenderFrameHost is already swapped out, to avoid swapping it
898 // out again.
905 }
906 }
909 // We won't be coming back, so delete this one.
912 }
913 }
917 // |render_frame_host| will be deleted when its SwapOut ACK is received, or
918 // when the timer times out, or when the RFHM itself is deleted (whichever
919 // comes first).
922 }
929 }
931 }
937 iter++) {
941 }
942 }
944 }
948 }
950 // PlzNavigate
955 // Clean up any state in case there's an ongoing navigation.
956 // TODO(carlosk): remove this cleanup here once we properly cancel ongoing
957 // navigations.
962 }
964 // PlzNavigate
973 speculative_render_frame_host_
984 // The appropriate RenderFrameHost to commit the navigation.
987 // Renderer-initiated main frame navigations that may require a SiteInstance
988 // swap are sent to the browser via the OpenURL IPC and are afterwards treated
989 // as browser-initiated navigations. NavigationRequests marked as
990 // renderer-initiated are created by receiving a BeginNavigation IPC, and will
991 // then proceed in the same renderer that sent the IPC due to the condition
992 // below.
993 // Subframe navigations will use the current renderer, unless
994 // --site-per-process is enabled.
995 // TODO(carlosk): Have renderer-initated main frame navigations swap processes
996 // if needed when it no longer breaks OAuth popups (see
997 // https://crbug.com/440266).
1003 // Reuse the current RFH if its SiteInstance matches the the navigation's
1004 // or if this is a subframe navigation. We only swap RFHs for subframes when
1005 // --site-per-process is enabled.
1009 // As SiteInstances are the same, check if the WebUI should be reused.
1017 // Make sure the current RenderViewHost has the right bindings.
1022 }
1023 }
1025 // If the SiteInstance for the final URL doesn't match the one from the
1026 // speculatively created RenderFrameHost, create a new RenderFrameHost using
1027 // this new SiteInstance.
1036 }
1040 // Check if our current RFH is live.
1042 // The current RFH is not live. There's no reason to sit around with a
1043 // sad tab or a newly created RFH while we wait for the navigation to
1044 // complete. Just switch to the speculative RFH now and go back to normal.
1045 // (Note that we don't care about on{before}unload handlers if the current
1046 // RFH isn't live.)
1048 }
1049 }
1054 // If the RenderFrame that needs to navigate is not live (its process was just
1055 // created or has crashed), initialize it.
1057 // Recreate the opener chain.
1061 }
1064 // TODO(nasko): This is a very ugly hack. The Chrome extensions process
1065 // manager still uses NotificationService and expects to see a
1066 // RenderViewHost changed notification after WebContents and
1067 // RenderFrameHostManager are completely initialized. This should be
1068 // removed once the process manager moves away from NotificationService.
1069 // See https://crbug.com/462682.
1072 }
1073 }
1076 }
1078 // PlzNavigate
1086 }
1088 // PlzNavigate
1095 }
1101 }
1102 }
1107 }
1108 }
1111 // The window.name message may be sent outside of --site-per-process when
1112 // report_frame_name_changes renderer preference is set (used by
1113 // WebView). Don't send the update to proxies in those cases.
1114 // TODO(nick,nasko): Should this be IsSwappedOutStateForbidden, to match
1115 // OnDidUpdateOrigin?
1122 }
1123 }
1132 }
1133 }
1137 GURL dest_url,
1142 }
1144 // static
1146 int32 site_instance_id,
1151 // Delete the proxy. If it is for a main frame (and thus the RFH is stored
1152 // in the proxy) and it was still pending swap out, move the RFH to the
1153 // pending deletion list first.
1162 }
1164 }
1167 }
1169 // static.
1178 }
1181 // The logic below is weaker than "are all sites isolated" -- it asks instead,
1182 // "is any site isolated". That's appropriate here since we're just trying to
1183 // figure out if we're in any kind of site isolated mode, and in which case,
1184 // we ignore the kSingleProcess and kProcessPerTab settings.
1185 //
1186 // TODO(nick): Move all handling of kSingleProcess/kProcessPerTab into
1187 // SiteIsolationPolicy so we have a consistent behavior around the interaction
1188 // of the process model flags.
1192 // False in the single-process mode, as it makes RVHs to accumulate
1193 // in swapped_out_hosts_.
1194 // True if we are using process-per-site-instance (default) or
1195 // process-per-site (kProcessPerSite).
1196 // TODO(nick): Move handling of kSingleProcess and kProcessPerTab into
1197 // SiteIsolationPolicy.
1202 }
1210 // If new_entry already has a SiteInstance, assume it is correct. We only
1211 // need to force a swap if it is in a different BrowsingInstance.
1215 }
1217 // Check for reasons to swap processes even if we are in a process model that
1218 // doesn't usually swap (e.g., process-per-tab). Any time we return true,
1219 // the new_entry will be rendered in a new SiteInstance AND BrowsingInstance.
1223 // Don't force a new BrowsingInstance for debug URLs that are handled in the
1224 // renderer process, like javascript: or chrome://crash.
1228 // For security, we should transition between processes when one is a Web UI
1229 // page and one isn't.
1234 // If so, force a swap if destination is not an acceptable URL for Web UI.
1235 // Here, data URLs are never allowed.
1239 }
1241 // Force a swap if it's a Web UI URL.
1245 }
1246 }
1248 // Check with the content client as well. Important to pass
1249 // current_effective_url here, which uses the SiteInstance's site if there is
1250 // no current_entry.
1255 }
1257 // We can't switch a RenderView between view source and non-view source mode
1258 // without screwing up the session history sometimes (when navigating between
1259 // "view-source:http://foo.com/" and "http://foo.com/", Blink doesn't treat
1260 // it as a new navigation). So require a BrowsingInstance switch.
1265 }
1277 }
1289 // We do not currently swap processes for navigations in webview tag guests.
1293 // Determine if we need a new BrowsingInstance for this entry. If true, this
1294 // implies that it will get a new SiteInstance (and likely process), and that
1295 // other tabs in the current BrowsingInstance will be unable to script it.
1296 // This is used for cases that require a process swap even in the
1297 // process-per-tab model, such as WebUI pages.
1298 // TODO(clamy): Remove the dependency on the current entry.
1310 current_effective_url,
1311 current_is_view_source_mode,
1312 dest_instance,
1314 dest_is_view_source_mode);
1315 SiteInstanceDescriptor new_instance_descriptor =
1321 }
1326 // If |force_swap| is true, we must use a different SiteInstance than the
1327 // current one. If we didn't, we would have two RenderFrameHosts in the same
1328 // SiteInstance and the same frame, resulting in page_id conflicts for their
1329 // NavigationEntries.
1333 }
1351 // If the entry has an instance already we should use it.
1353 // If we are forcing a swap, this should be in a different BrowsingInstance.
1357 }
1359 }
1361 // If a swap is required, we need to force the SiteInstance AND
1362 // BrowsingInstance to be different ones, using CreateForURL.
1366 // (UGLY) HEURISTIC, process-per-site only:
1367 //
1368 // If this navigation is generated, then it probably corresponds to a search
1369 // query. Given that search results typically lead to users navigating to
1370 // other sites, we don't really want to use the search engine hostname to
1371 // determine the site instance for this navigation.
1372 //
1373 // NOTE: This can be removed once we have a way to transition between
1374 // RenderViews in response to a link click.
1375 //
1380 }
1382 // If we haven't used our SiteInstance (and thus RVH) yet, then we can use it
1383 // for this entry. We won't commit the SiteInstance to this site until the
1384 // navigation commits (in DidNavigate), unless the navigation entry was
1385 // restored or it's a Web UI as described below.
1387 // If we've already created a SiteInstance for our destination, we don't
1388 // want to use this unused SiteInstance; use the existing one. (We don't
1389 // do this check if the current_instance has a site, because for now, we
1390 // want to compare against the current URL and not the SiteInstance's site.
1391 // In this case, there is no current URL, so comparing against the site is
1392 // ok. See additional comments below.)
1393 //
1394 // Also, if the URL should use process-per-site mode and there is an
1395 // existing process for the site, we should use it. We can call
1396 // GetRelatedSiteInstance() for this, which will eagerly set the site and
1397 // thus use the correct process.
1402 use_process_per_site) {
1404 }
1406 // For extensions, Web UI URLs (such as the new tab page), and apps we do
1407 // not want to use the |current_instance_impl| if it has no site, since it
1408 // will have a RenderProcessHost of PRIV_NORMAL. Create a new SiteInstance
1409 // for this URL instead (with the correct process type).
1413 // View-source URLs must use a new SiteInstance and BrowsingInstance.
1414 // TODO(nasko): This is the same condition as later in the function. This
1415 // should be taken into account when refactoring this method as part of
1416 // http://crbug.com/123007.
1420 // If we are navigating from a blank SiteInstance to a WebUI, make sure we
1421 // create a new SiteInstance.
1425 }
1427 // Normally the "site" on the SiteInstance is set lazily when the load
1428 // actually commits. This is to support better process sharing in case
1429 // the site redirects to some other site: we want to use the destination
1430 // site in the site instance.
1431 //
1432 // In the case of session restore, as it loads all the pages immediately
1433 // we need to set the site first, otherwise after a restore none of the
1434 // pages would share renderers in process-per-site.
1435 //
1436 // The embedder can request some urls never to be assigned to SiteInstance
1437 // through the ShouldAssignSiteForURL() content client method, so that
1438 // renderers created for particular chrome urls (e.g. the chrome-native://
1439 // scheme) can be reused for subsequent navigations in the same WebContents.
1440 // See http://crbug.com/386542.
1444 }
1447 }
1449 // Otherwise, only create a new SiteInstance for a cross-process navigation.
1451 // TODO(creis): Once we intercept links and script-based navigations, we
1452 // will be able to enforce that all entries in a SiteInstance actually have
1453 // the same site, and it will be safe to compare the URL against the
1454 // SiteInstance's site, as follows:
1455 // const GURL& current_url = current_instance_impl->site();
1456 // For now, though, we're in a hybrid model where you only switch
1457 // SiteInstances if you type in a cross-site URL. This means we have to
1458 // compare the entry's URL to the last committed entry's URL.
1461 // The interstitial is currently the last committed entry, but we want to
1462 // compare against the last non-interstitial entry.
1464 }
1466 // View-source URLs must use a new SiteInstance and BrowsingInstance.
1467 // We don't need a swap when going from view-source to a debug URL like
1468 // chrome://crash, however.
1469 // TODO(creis): Refactor this method so this duplicated code isn't needed.
1470 // See http://crbug.com/123007.
1475 }
1477 // Use the source SiteInstance in case of data URLs or about:blank pages,
1478 // because the content is then controlled and/or scriptable by the source
1479 // SiteInstance.
1484 }
1486 // Use the current SiteInstance for same site navigations, as long as the
1487 // process type is correct. (The URL may have been installed as an app since
1488 // the last time we visited it.)
1494 }
1496 // Start the new renderer in a new SiteInstance, but in the current
1497 // BrowsingInstance. It is important to immediately give this new
1498 // SiteInstance to a RenderViewHost (if it is different than our current
1499 // SiteInstance), so that it is ref counted. This will happen in
1500 // CreateRenderView.
1502 }
1509 // Note: If the |candidate_instance| matches the descriptor, it will already
1510 // be set to |descriptor.existing_site_instance|.
1514 // Note: If the |candidate_instance| matches the descriptor,
1515 // GetRelatedSiteInstance will return it.
1519 // At this point we know an unrelated site instance must be returned. First
1520 // check if the candidate matches.
1525 }
1527 // Otherwise return a newly created one.
1531 }
1535 // If this is a subframe that is potentially out of process from its parent,
1536 // don't consider using current_entry's url for SiteInstance selection, since
1537 // current_entry's url is for the main frame and may be in a different site
1538 // than this frame.
1539 // TODO(creis): Remove this when we can check the FrameNavigationEntry's url.
1540 // See http://crbug.com/369654
1545 // If there is no last non-interstitial entry (and current_instance already
1546 // has a site), then we must have been opened from another tab. We want
1547 // to compare against the URL of the page that opened us, but we can't
1548 // get to it directly. The best we can do is check against the site of
1549 // the SiteInstance. This will be correct when we intercept links and
1550 // script-based navigations, but for now, it could place some pages in a
1551 // new process unnecessarily. We should only hit this case if a page tries
1552 // to open a new tab to an interstitial-inducing URL, and then navigates
1553 // the page to a different same-site URL. (This seems very unlikely in
1554 // practice.)
1558 }
1570 // The process for the new SiteInstance may (if we're sharing a process with
1571 // another host that already initialized it) or may not (we have our own
1572 // process or the existing process crashed) have been initialized. Calling
1573 // Init multiple times will be ignored, so this is safe.
1579 // Create a non-swapped-out RFH with the given opener.
1582 }
1587 // Only create opener proxies if they are in the same BrowsingInstance.
1591 // Ensure that the frame tree has RenderFrameProxyHosts for the
1592 // new SiteInstance in all nodes except the current one. We do this for
1593 // all frames in the tree, whether they are in the same BrowsingInstance or
1594 // not. If |new_instance| is in the same BrowsingInstance as
1595 // |old_instance|, this will be done as part of CreateOpenerProxies above;
1596 // otherwise, we do this here. We will still check whether two frames are
1597 // in the same BrowsingInstance before we allow them to interact (e.g.,
1598 // postMessage).
1601 }
1602 }
1610 // If this is a top-level frame, create proxies for this node in the
1611 // SiteInstances of its opener's ancestors, which are allowed to discover
1612 // this frame by name (see https://crbug.com/511474 and part 4 of
1613 // https://html.spec.whatwg.org/#the-rules-for-choosing-a-browsing-context-
1614 // given-a-browsing-context-name).
1620 // Start from opener's parent. There's no need to create a proxy in the
1621 // opener's SiteInstance, since new windows are always first opened in the
1622 // same SiteInstance as their opener, and if the new window navigates
1623 // cross-site, that proxy would be created as part of swapping out.
1629 }
1630 }
1634 int32 view_routing_id,
1635 int32 frame_routing_id,
1636 int32 widget_routing_id,
1637 int32 surface_id,
1645 // Create a RVH for main frames, or find the existing one for subframes.
1654 }
1660 }
1662 // PlzNavigate
1672 // Note: |speculative_web_ui_| must be initialized before starting the
1673 // |speculative_render_frame_host_| creation steps otherwise the WebUI
1674 // won't be properly initialized.
1677 // The process for the new SiteInstance may (if we're sharing a process with
1678 // another host that already initialized it) or may not (we have our own
1679 // process or the existing process crashed) have been initialized. Calling
1680 // Init multiple times will be ignored, so this is safe.
1689 speculative_render_frame_host_ =
1696 }
1698 }
1714 // Swapped out views should always be hidden.
1722 // We are creating a pending, speculative or swapped out RFH here. We should
1723 // never create it in the same SiteInstance as our current RFH.
1726 // Check if we've already created an RFH for this SiteInstance. If so, try
1727 // to re-use the existing one, which has already been initialized. We'll
1728 // remove it from the list of proxy hosts below if it will be active.
1735 // Delete the existing RenderFrameProxyHost, but reuse the RenderFrameHost.
1736 // Prevent the process from exiting while we're trying to use it.
1742 // NB |proxy| is deleted at this point.
1744 // If we are reusing the RenderViewHost and it doesn't already have a
1745 // RenderWidgetHostView, we need to create one if this is the main frame.
1748 }
1750 // Create a new RenderFrameHost if we don't find an existing one.
1754 // A RenderFrame in a different process from its parent RenderFrame
1755 // requires a RenderWidget for input/layout/painting.
1758 instance) {
1763 }
1765 new_render_frame_host =
1772 // Prevent the process from exiting while we're trying to navigate in it.
1773 // Otherwise, if the new RFH is swapped out already, store it.
1783 }
1788 // If we are reusing the RenderViewHost and it doesn't already have a
1789 // RenderWidgetHostView, we need to create one if this is the main frame.
1794 }
1797 // Remember that InitRenderView also created the RenderFrameProxy.
1801 // Don't show the main frame's view until we get a DidNavigate from it.
1802 // Only the RenderViewHost for the top-level RenderFrameHost has a
1803 // RenderWidgetHostView; RenderWidgetHosts for out-of-process iframes
1804 // will be created later and hidden.
1807 }
1808 // RenderViewHost for |instance| might exist prior to calling
1809 // CreateRenderFrame. In such a case, InitRenderView will not create the
1810 // RenderFrame in the renderer process and it needs to be done
1811 // explicitly.
1813 // Init the RFH, so a RenderFrame is created in the renderer.
1816 }
1817 }
1822 }
1823 }
1825 // When a new RenderView is created by the renderer process, the new
1826 // WebContents gets a RenderViewHost in the SiteInstance of its opener
1827 // WebContents. If not used in the first navigation, this RVH is swapped out
1828 // and is not granted bindings, so we may need to grant them when swapping it
1829 // in.
1835 required_bindings) {
1837 }
1838 }
1840 // Returns the new RFH if it isn't swapped out.
1844 }
1846 }
1849 // A RenderFrameProxyHost should never be created in the same SiteInstance as
1850 // the current RFH.
1856 // Ensure a RenderViewHost exists for |instance|, as it creates the page
1857 // level structure in Blink.
1859 render_view_host =
1865 }
1866 }
1873 proxy =
1876 }
1884 }
1887 }
1891 // Do not create proxies for subframes in the outer delegate's process,
1892 // since the outer delegate does not need to interact with them.
1898 }
1899 }
1909 // If the proxy in |instance| doesn't exist, this RenderView is not swapped
1910 // out and shouldn't be reinitialized here.
1917 }
1928 // Swap the outer WebContents's frame with the proxy to inner WebContents.
1929 //
1930 // We are in the outer WebContents, and its FrameTree would never see
1931 // a load start for any of its inner WebContents. Eventually, that also makes
1932 // the FrameTree never see the matching load stop. Therefore, we always pass
1933 // false to |is_loading| below.
1934 // TODO(lazyboy): This |is_loading| behavior might not be what we want,
1935 // investigate and fix.
1940 }
1946 }
1951 // Ensure the renderer process is initialized before creating the
1952 // RenderView.
1956 // We may have initialized this RenderViewHost for another RenderFrameHost.
1960 // If the ongoing navigation is to a WebUI and the RenderView is not in a
1961 // guest process, tell the RenderViewHost about any bindings it will need
1962 // enabled.
1966 dest_web_ui =
1970 }
1974 // Ensure that we don't create an unprivileged RenderView in a WebUI-enabled
1975 // process unless it's swapped out.
1979 }
1980 }
1988 }
2007 }
2009 // At this point, all RenderFrameProxies for sibling frames have already been
2010 // created, including any proxies that come after this frame. To preserve
2011 // correct order for indexed window access (e.g., window.frames[1]), pass the
2012 // previous sibling frame so that this frame is correctly inserted into the
2013 // frame tree on the renderer side.
2017 previous_sibling_routing_id =
2019 site_instance);
2021 }
2023 // Check whether there is an existing proxy for this frame in this
2024 // SiteInstance. If there is, the new RenderFrame needs to be able to find
2025 // the proxy it is replacing, so that it can fully initialize itself.
2026 // NOTE: This is the only time that a RenderFrameProxyHost can be in the same
2027 // SiteInstance as its RenderFrameHost. This is only the case until the
2028 // RenderFrameHost commits, at which point it will replace and delete the
2029 // RenderFrameProxyHost.
2037 }
2041 previous_sibling_routing_id);
2042 }
2049 // If there is a matching pending RFH, only return it if swapped out is
2050 // allowed, since otherwise there should be a proxy that should be used
2051 // instead.
2062 }
2071 // First check whether we're going to want to focus the location bar after
2072 // this commit. We do this now because the navigation hasn't formally
2073 // committed yet, so if we've already cleared |pending_web_ui_| the call chain
2074 // this triggers won't be able to figure out what's going on.
2077 // Next commit the Web UI, if any. Either replace |web_ui_| with
2078 // |pending_web_ui_|, or clear |web_ui_| if there is no pending WebUI, or
2079 // leave |web_ui_| as is if reusing it.
2092 }
2095 }
2099 // It's possible for the pending_render_frame_host_ to be nullptr when we
2100 // aren't crossing process boundaries. If so, we just needed to handle the Web
2101 // UI committing above and we're done.
2106 }
2108 // Remember if the page was focused so we can focus the new renderer in
2109 // that case.
2116 // Swap in the pending or speculative frame and make it active. Also ensure
2117 // the FrameTree stays in sync.
2121 old_render_frame_host =
2124 // PlzNavigate
2126 old_render_frame_host =
2128 }
2130 // Remove the children of the old frame from the tree.
2133 // The process will no longer try to exit, so we can decrement the count.
2136 // Show the new view (or a sad tab) if necessary.
2139 // In most cases, we need to show the new view.
2141 }
2143 // If the view is gone, then this RenderViewHost died while it was hidden.
2144 // We ignored the RenderProcessGone call at the time, so we should send it
2145 // now to make sure the sad tab shows up, etc.
2150 }
2152 // For top-level frames, also hide the old RenderViewHost's view.
2153 // TODO(creis): As long as show/hide are on RVH, we don't want to hide on
2154 // subframe navigations or we will interfere with the top-level frame.
2158 // Make sure the size is up to date. (Fix for bug 1079768.)
2165 }
2167 // Notify that we've swapped RenderFrameHosts. We do this before shutting down
2168 // the RFH so that we can clean up RendererResources related to the RFH first.
2172 // The RenderViewHost keeps track of the main RenderFrameHost routing id.
2173 // If this is committing a main frame navigation, update it and set the
2174 // routing id in the RenderViewHost associated with the old RenderFrameHost
2175 // to MSG_ROUTING_NONE.
2180 MSG_ROUTING_NONE);
2181 }
2183 // Swap out the old frame now that the new one is visible.
2184 // This will swap it out and then put it on the proxy list (if there are other
2185 // active views in its SiteInstance) or schedule it for deletion when the swap
2186 // out ack arrives (or immediately if the process isn't live).
2187 // In the --site-per-process case, old subframe RFHs are not kept alive inside
2188 // the proxy.
2192 // Since the new RenderFrameHost is now committed, there must be no proxies
2193 // for its SiteInstance. Delete any existing ones.
2195 }
2197 // If this is a subframe, it should have a CrossProcessFrameConnector
2198 // created already. Use it to link the new RFH's view to the proxy that
2199 // belongs to the parent frame's SiteInstance. If this navigation causes
2200 // an out-of-process frame to return to the same process as its parent, the
2201 // proxy would have been removed from proxy_hosts_ above.
2202 // Note: We do this after swapping out the old RFH because that may create
2203 // the proxy we're looking for.
2208 }
2210 // After all is done, there must never be a proxy in the list which has the
2211 // same SiteInstance as the current RenderFrameHost.
2213 }
2224 // After |render_frame_host| goes away, there will be no active frames left in
2225 // its SiteInstance, so we can delete all proxies created in that SiteInstance
2226 // on behalf of frames anywhere in the BrowsingInstance.
2229 // First remove any proxies for this SiteInstance from our own list.
2232 // Use the safe RenderWidgetHost iterator for now to find all RenderViewHosts
2233 // in the SiteInstance, then tell their respective FrameTrees to remove all
2234 // RenderFrameProxyHosts corresponding to them.
2235 // TODO(creis): Replace this with a RenderFrameHostIterator that protects
2236 // against use-after-frees if a later element is deleted before getting to it.
2245 // This deletes all RenderFrameHosts using the |rvh|, which then causes
2246 // |rvh| to Shutdown.
2250 site_instance_id));
2251 }
2252 }
2253 }
2264 // Don't swap for subframes unless we are in --site-per-process. We can get
2265 // here in tests for subframes (e.g., NavigateFrameToURL).
2269 }
2271 // If we are currently navigating cross-process, we want to get back to normal
2272 // and then navigate as usual.
2290 TRACE_EVENT_SCOPE_THREAD,
2294 // New SiteInstance: create a pending RFH to navigate.
2296 // This will possibly create (set to nullptr) a Web UI object for the
2297 // pending page. We'll use this later to give the page special access. This
2298 // must happen before the new renderer is created below so it will get
2299 // bindings. It must also happen after the above conditional call to
2300 // CancelPending(), otherwise CancelPending may clear the pending_web_ui_
2301 // and the page will not have its bindings set appropriately.
2307 // Check if our current RFH is live before we set up a transition.
2309 // The current RFH is not live. There's no reason to sit around with a
2310 // sad tab or a newly created RFH while we wait for the pending RFH to
2311 // navigate. Just switch to the pending RFH now and go back to normal.
2312 // (Note that we don't care about on{before}unload handlers if the current
2313 // RFH isn't live.)
2316 }
2317 // Otherwise, it's safe to treat this as a pending cross-process transition.
2319 // We now have a pending RFH.
2322 // We need to wait until the beforeunload handler has run, unless we are
2323 // transferring an existing request (in which case it has already run).
2324 // Suspend the new render view (i.e., don't let it send the cross-process
2325 // Navigate message) until we hear back from the old renderer's
2326 // beforeunload handler. If the handler returns false, we'll have to
2327 // cancel the request.
2328 //
2332 // We don't need to stop the old renderer or run beforeunload/unload
2333 // handlers, because those have already been done.
2335 transferred_request_id);
2337 // Also make sure the old render view stops, in case a load is in
2338 // progress. (We don't want to do this for transfers, since it will
2339 // interrupt the transfer with an unexpected DidStopLoading.)
2344 // Unless we are transferring an existing request, we should now tell the
2345 // old render view to run its beforeunload handler, since it doesn't
2346 // otherwise know that the cross-site request is happening. This will
2347 // trigger a call to OnBeforeUnloadACK with the reply.
2349 }
2352 }
2354 // Otherwise the same SiteInstance can be used. Navigate render_frame_host_.
2356 // It's possible to swap out the current RFH and then decide to navigate in it
2357 // anyway (e.g., a cross-process navigation that redirects back to the
2358 // original site). In that case, we have a proxy for the current RFH but
2359 // haven't deleted it yet. The new navigation will swap it back in, so we can
2360 // delete the proxy.
2368 // Make sure the new RenderViewHost has the right bindings.
2373 }
2374 }
2379 }
2381 // The renderer can exit view source mode when any error or cancellation
2382 // happen. We must overwrite to recover the mode.
2387 }
2390 }
2396 }
2407 // We no longer need to prevent the process from exiting.
2414 }
2418 // Swap the two.
2424 // Update the count of top-level frames using this SiteInstance. All
2425 // subframes are in the same BrowsingInstance as the main frame, so we only
2426 // count top-level ones. This makes the value easier for consumers to
2427 // interpret.
2431 }
2435 }
2436 }
2439 }
2447 // If there is a proxy without RFH, it is for a subframe in the SiteInstance
2448 // of |rvh|. Subframes should be ignored in this case.
2452 }
2465 }
2473 }
2478 }
2485 }
2496 visited_index++;
2499 }
2500 }
2510 // Create opener proxies for frame trees, processing furthest openers from
2511 // this node first and this node last. In the common case without cycles,
2512 // this will ensure that each tree's openers are created before the tree's
2513 // nodes need to reference them.
2519 }
2521 // Set openers for nodes in |nodes_with_back_links| in a second pass.
2522 // The proxies created at these FrameTreeNodes in
2523 // CreateOpenerProxiesForFrameTree won't have their opener routing ID
2524 // available when created due to cycles or back links in the opener chain.
2525 // They must have their openers updated as a separate step after proxy
2526 // creation.
2530 // If there is no proxy, the cycle may involve nodes in the same process,
2531 // or, if this is a subframe, --site-per-process may be off. Either way,
2532 // there's nothing more to do.
2540 opener_routing_id));
2541 }
2542 }
2547 // Currently, this function is only called on main frames. It should
2548 // actually work correctly for subframes as well, so if that need ever
2549 // arises, it should be sufficient to remove this DCHECK.
2557 // Ensure that all the nodes in the opener's FrameTree have
2558 // RenderFrameProxyHosts for the new SiteInstance. Only pass the node to
2559 // be skipped if it's in the same FrameTree.
2564 // If any of the RenderViewHosts (current, pending, or swapped out) for this
2565 // FrameTree has the same SiteInstance, then we can return early and reuse
2566 // them. An exception is if we are in IsSwappedOutStateForbidden mode and
2567 // find a pending RenderViewHost: in this case, we should still create a
2568 // proxy, which will allow communicating with the opener until the pending
2569 // RenderView commits, or if the pending navigation is canceled.
2580 // Create a swapped out RenderView in the given SiteInstance if none
2581 // exists. Since an opener can point to a subframe, do this on the root
2582 // frame of the current opener's frame tree.
2589 }
2590 }
2591 }
2592 }
2601 }