New issue
Advanced search Search tips
Note: Color blocks (like or ) mean that a user may not be available. Tooltip shows the reason.

Issue 686184 link

Starred by 1 user
Status: Fixed
Owner:
alex...@chromium.org
Closed: Mar 2017
Cc:
engedy@chromium.org
creis@chromium.org
lukasza@chromium.org
dcheng@chromium.org
nasko@chromium.org
wfh@chromium.org
Components:
EstimatedDays: ----
NextAction: ----
OS: All
Pri: 2
Type: Bug



Sign in to add a comment

OOPIF: Transfers back to current RFH's SiteInstance are broken

Project Member Reported by alex...@chromium.org, Jan 27 2017 
This is a followup to the remaining problems of  issue 681077 .  Pasting the description from a comment there:

The setup is: we've got a a current RFH for baz.com in the subframe, let's say RFH1.  We navigate that to a.com/cross-site/baz.com/title2.html.  This creates a pending RFH, say RFH2, for a.com, which transfers back to baz.com.

During the transfer, we end up picking the RFH1 as the new navigation target.  That happens as the first thing in UpdateStateForNavigate:

  if (!frame_tree_node_->IsMainFrame() &&
      !CanSubframeSwapProcess(dest_url, source_instance, dest_instance)) {
    // Note: Do not add code here to determine whether the subframe should swap
    // or not. Add it to CanSubframeSwapProcess instead.
    return render_frame_host_.get();
  }

This (correctly) returns RFH1, but it seems to skips some crucial steps just below, namely, calling Transfer() on the transfer_navigation_handle_ (we're in the middle of transfer here after all), and canceling the pending RFH.  Not canceling the pending RFH possibly leads to leaking RFH2, AFAICT.  Skipping the Transfer() call is more interesting, as it later leads to RFH1's transferred baz.com request to be dropped in ResourceDispatcherHostImpl::CompleteTransfer, here:

  if (it == pending_loaders_.end()) {
    // Renderer sent transferred_request_request_id and/or
    // transferred_request_child_id that doesn't have a corresponding entry on
    // the browser side.
    // TODO(lukasza): https://crbug.com/659613: Need to understand the scenario
    // that can lead here (and then attempt to reintroduce a renderer kill
    // below).
    return;
  }

So this could be one explanation for why we saw the RDH_TRANSFERRING_REQUEST_NOT_FOUND kill in issues  659613  and 660407.  CC-ing Charlie and Lukasz for that.

I've verified that doing the Transfer() work and canceling the pending RFH for the !CanSubframeSwapProcess case in UpdateStateForNavigate seems to fix this.  I've got a draft fix in progress at https://codereview.chromium.org/2636193003/.

Balazs mentioned there might be followup issues with compositing/rendering.  I'll try to triage those as well.

Comment 1 by alex...@chromium.org, Mar 3 2017

Status: Fixed (was: Started)
My fix for this landed in r453800.  I forgot to include a reference for this particular bug number, but it should be fixed.  There's a followup issue with data: URLs which is tracked in  issue 697513 .

Sign in to add a comment