WebContentsImpl::GetCreatedWindow has a "return nullptr" case that appears to leak the pending WebContents created by window.open(), if the process crashes at just the right moment.
This would occur if either of the following conditions caused the branch to be taken:
if (!new_contents->GetMainFrame()->GetProcess()->HasConnection() ||
!new_contents->GetMainFrame()->GetView()) {
GetProcess->HasConnection() seems unlikely, since we are in the middle of processing a message from exactly that process. I am not sure about the GetView() clause.
A leak may also be possible if the WebContents is closed while pending_contents_ is nonempty. This, also, should be exceptionally rare: the ShowCreatedWindow IPC is sent immediately after the CreateNewWindow IPC, but a user action is possible here. This case ought to be reproducible in a browsertest modeled after SitePerProcessBrowserTest.TwoSubframesCreatePopupsSimultaneously
I believe that these cases can be solved by having pending_contents_ hold unique_ptrs<> to its WebContents instances.
Summary: WebContentsImpl might leak pending a WebContents* in some error cases (was: WebContentsImpl might leak pending a WebContentses in some error cases)
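To make the two leak scenarios in the report concrete, here is an added illustration that is not Chromium code: a hypothetical registry of pending popup contents, first holding raw pointers (the shape the report describes) and then holding std::unique_ptr (the fix it proposes). FakeContents, RawPendingRegistry, OwningPendingRegistry and the Leaked*() driver functions are made up for this example; the early-return condition is only a sketch of the quoted branch, not WebContentsImpl's actual control flow. A live-instance counter makes the leak observable.

```cpp
// Added example, not Chromium source. Demonstrates why a map of raw
// pointers leaks on the "return nullptr" branch and on registry teardown,
// and why a map of std::unique_ptr does not.
#include <cstdio>
#include <map>
#include <memory>
#include <utility>

// Hypothetical stand-in for WebContentsImpl. Counts live instances so a
// leak shows up as a non-zero delta.
struct FakeContents {
  static int live;
  bool process_connected;
  bool has_view;
  FakeContents(bool connected, bool view)
      : process_connected(connected), has_view(view) { ++live; }
  ~FakeContents() { --live; }
};
int FakeContents::live = 0;

// Version 1: raw pointers. Ownership is implicit, so every path that drops
// the pointer without deleting it leaks the object.
class RawPendingRegistry {
 public:
  void CreateNewWindow(int route_id, bool connected, bool view) {
    pending_contents_[route_id] = new FakeContents(connected, view);
  }
  // Mirrors the reported branch: the entry is removed from the map, then
  // the error check returns nullptr and nobody owns the object any more.
  FakeContents* GetCreatedWindow(int route_id) {
    auto it = pending_contents_.find(route_id);
    if (it == pending_contents_.end()) return nullptr;
    FakeContents* new_contents = it->second;
    pending_contents_.erase(it);
    if (!new_contents->process_connected || !new_contents->has_view) {
      return nullptr;  // leak: new_contents is never deleted
    }
    return new_contents;  // caller takes ownership
  }
  // No destructor: entries still pending when the registry goes away
  // (the "closed while pending_contents_ is nonempty" case) also leak.
 private:
  std::map<int, FakeContents*> pending_contents_;
};

// Version 2: std::unique_ptr. The object dies when the unique_ptr does,
// whichever branch returns and whenever the map is destroyed.
class OwningPendingRegistry {
 public:
  void CreateNewWindow(int route_id, bool connected, bool view) {
    pending_contents_[route_id] =
        std::make_unique<FakeContents>(connected, view);
  }
  std::unique_ptr<FakeContents> GetCreatedWindow(int route_id) {
    auto it = pending_contents_.find(route_id);
    if (it == pending_contents_.end()) return nullptr;
    std::unique_ptr<FakeContents> new_contents = std::move(it->second);
    pending_contents_.erase(it);
    if (!new_contents->process_connected || !new_contents->has_view) {
      return nullptr;  // new_contents is destroyed on the way out
    }
    return new_contents;  // ownership transferred to the caller
  }
 private:
  std::map<int, std::unique_ptr<FakeContents>> pending_contents_;
};

// Drivers: each returns how many FakeContents outlived the scenario.
int LeakedAfterErrorBranchRaw() {
  int before = FakeContents::live;
  {
    RawPendingRegistry registry;
    registry.CreateNewWindow(1, /*connected=*/true, /*view=*/false);
    delete registry.GetCreatedWindow(1);  // returns nullptr; delete is a no-op
  }
  return FakeContents::live - before;  // 1: leaked
}
int LeakedWhenClosedWhilePendingRaw() {
  int before = FakeContents::live;
  {
    RawPendingRegistry registry;
    registry.CreateNewWindow(2, true, true);
  }  // registry destroyed with a pending entry
  return FakeContents::live - before;  // 1: leaked
}
int LeakedAfterErrorBranchOwning() {
  int before = FakeContents::live;
  {
    OwningPendingRegistry registry;
    registry.CreateNewWindow(1, true, false);
    std::unique_ptr<FakeContents> shown = registry.GetCreatedWindow(1);
  }
  return FakeContents::live - before;  // 0: freed on the error branch
}
int LeakedWhenClosedWhilePendingOwning() {
  int before = FakeContents::live;
  {
    OwningPendingRegistry registry;
    registry.CreateNewWindow(2, true, true);
  }  // map destructor frees the pending entry
  return FakeContents::live - before;  // 0
}
bool ShownOnSuccessOwning() {
  OwningPendingRegistry registry;
  registry.CreateNewWindow(3, true, true);
  return registry.GetCreatedWindow(3) != nullptr;  // happy path still works
}

int main() {
  std::printf("raw: error-branch leak=%d, teardown leak=%d\n",
              LeakedAfterErrorBranchRaw(), LeakedWhenClosedWhilePendingRaw());
  std::printf("owning: error-branch leak=%d, teardown leak=%d\n",
              LeakedAfterErrorBranchOwning(),
              LeakedWhenClosedWhilePendingOwning());
  return 0;
}
```

The point of the unique_ptr version is that the error branch needs no extra cleanup code: moving the pointer out of the map and letting it go out of scope covers both the "return nullptr" path and the case where the owning object is torn down with entries still pending.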
This issue has been Available for over a year. If it's no longer important or seems unlikely to be fixed, please consider closing it out. If it is important, please re-triage the issue.
Sorry for the inconvenience if the bug really should have been left as Available. If you change it back, also remove the "Hotlist-Recharge-Cold" label.
For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Comment 1 by nick@chromium.org, Dec 14 2016