refactor: remove potential double free when managing WebContents (#15280)

* refactor: remove -new-contents-created event Chromium expects us to take ownership of WebContents in AddNewContents, we should not create V8 wrapper in WebContentsCreated, otherwise we would have WebContents being managed by 2 unique_ptr at the same time. * refactor: make CreateAndTake take unique_ptr
2018-10-23 03:02:25 +09:00 · 2018-10-23 03:02:25 +09:00 · cb9be091aa
commit cb9be091aa
parent e8e7edf017
8 changed files with 59 additions and 101 deletions
--- a/atom/browser/api/atom_api_web_contents.cc
+++ b/atom/browser/api/atom_api_web_contents.cc
@ -320,13 +320,13 @@ WebContents::WebContents(v8::Isolate* isolate,
 }

 WebContents::WebContents(v8::Isolate* isolate,
-                         content::WebContents* web_contents,
+                         std::unique_ptr<content::WebContents> web_contents,
                         Type type)
-    : content::WebContentsObserver(web_contents), type_(type) {
+    : content::WebContentsObserver(web_contents.get()), type_(type) {
  DCHECK(type != REMOTE) << "Can't take ownership of a remote WebContents";
  auto session = Session::CreateFrom(isolate, GetBrowserContext());
  session_.Reset(isolate, session.ToV8());
-  InitWithSessionAndOptions(isolate, web_contents, session,
+  InitWithSessionAndOptions(isolate, std::move(web_contents), session,
                            mate::Dictionary::CreateEmpty(isolate));
 }

@ -413,7 +413,7 @@ WebContents::WebContents(v8::Isolate* isolate,
    web_contents = content::WebContents::Create(params);
  }

-  InitWithSessionAndOptions(isolate, web_contents.release(), session, options);
+  InitWithSessionAndOptions(isolate, std::move(web_contents), session, options);
 }

 void WebContents::InitZoomController(content::WebContents* web_contents,
@ -425,16 +425,21 @@ void WebContents::InitZoomController(content::WebContents* web_contents,
    zoom_controller_->SetDefaultZoomFactor(zoom_factor);
 }

-void WebContents::InitWithSessionAndOptions(v8::Isolate* isolate,
-                                            content::WebContents* web_contents,
-                                            mate::Handle<api::Session> session,
-                                            const mate::Dictionary& options) {
-  Observe(web_contents);
-  InitWithWebContents(web_contents, session->browser_context(), IsGuest());
+void WebContents::InitWithSessionAndOptions(
+    v8::Isolate* isolate,
+    std::unique_ptr<content::WebContents> owned_web_contents,
+    mate::Handle<api::Session> session,
+    const mate::Dictionary& options) {
+  Observe(owned_web_contents.get());
+  // TODO(zcbenz): Make InitWithWebContents take unique_ptr.
+  // At the time of writing we are going through a refactoring and I don't want
+  // to make other people's work harder.
+  InitWithWebContents(owned_web_contents.release(), session->browser_context(),
+                      IsGuest());

  managed_web_contents()->GetView()->SetDelegate(this);

-  auto* prefs = web_contents->GetMutableRendererPrefs();
+  auto* prefs = web_contents()->GetMutableRendererPrefs();
  prefs->accept_languages = g_browser_process->GetApplicationLocale();

 #if defined(OS_LINUX) || defined(OS_WIN)
@ -451,17 +456,17 @@ void WebContents::InitWithSessionAndOptions(v8::Isolate* isolate,
 #endif

  // Save the preferences in C++.
-  new WebContentsPreferences(web_contents, options);
+  new WebContentsPreferences(web_contents(), options);

  // Initialize permission helper.
-  WebContentsPermissionHelper::CreateForWebContents(web_contents);
+  WebContentsPermissionHelper::CreateForWebContents(web_contents());
  // Initialize security state client.
-  SecurityStateTabHelper::CreateForWebContents(web_contents);
+  SecurityStateTabHelper::CreateForWebContents(web_contents());
  // Initialize zoom controller.
-  InitZoomController(web_contents, options);
+  InitZoomController(web_contents(), options);

-  web_contents->SetUserAgentOverride(GetBrowserContext()->GetUserAgent(),
-                                     false);
+  web_contents()->SetUserAgentOverride(GetBrowserContext()->GetUserAgent(),
+                                       false);

  if (IsGuest()) {
    NativeWindow* owner_window = nullptr;
@ -477,7 +482,7 @@ void WebContents::InitWithSessionAndOptions(v8::Isolate* isolate,
  }

  Init(isolate);
-  AttachAsUserData(web_contents);
+  AttachAsUserData(web_contents());
 }

 WebContents::~WebContents() {
@ -539,11 +544,10 @@ void WebContents::WebContentsCreated(content::WebContents* source_contents,
                                     const std::string& frame_name,
                                     const GURL& target_url,
                                     content::WebContents* new_contents) {
-  v8::Locker locker(isolate());
-  v8::HandleScope handle_scope(isolate());
-  // Create V8 wrapper for the |new_contents|.
-  auto wrapper = CreateAndTake(isolate(), new_contents, BROWSER_WINDOW);
-  Emit("-web-contents-created", wrapper, target_url, frame_name);
+  ChildWebContentsTracker::CreateForWebContents(new_contents);
+  auto* tracker = ChildWebContentsTracker::FromWebContents(new_contents);
+  tracker->url = target_url;
+  tracker->frame_name = frame_name;
 }

 void WebContents::AddNewContents(
@ -553,17 +557,16 @@ void WebContents::AddNewContents(
    const gfx::Rect& initial_rect,
    bool user_gesture,
    bool* was_blocked) {
-  new ChildWebContentsTracker(new_contents.get());
+  auto* tracker = ChildWebContentsTracker::FromWebContents(new_contents.get());
+  DCHECK(tracker);
+
  v8::Locker locker(isolate());
  v8::HandleScope handle_scope(isolate());
-  // Note that the ownership of |new_contents| has already been claimed by
-  // the WebContentsCreated method, the release call here completes
-  // the ownership transfer.
-  auto api_web_contents = From(isolate(), new_contents.release());
-  DCHECK(!api_web_contents.IsEmpty());
+  auto api_web_contents =
+      CreateAndTake(isolate(), std::move(new_contents), BROWSER_WINDOW);
  if (Emit("-add-new-contents", api_web_contents, disposition, user_gesture,
           initial_rect.x(), initial_rect.y(), initial_rect.width(),
-           initial_rect.height())) {
+           initial_rect.height(), tracker->url, tracker->frame_name)) {
    api_web_contents->DestroyWebContents(true /* async */);
  }
 }
@ -2196,10 +2199,10 @@ mate::Handle<WebContents> WebContents::Create(v8::Isolate* isolate,
 // static
 mate::Handle<WebContents> WebContents::CreateAndTake(
    v8::Isolate* isolate,
-    content::WebContents* web_contents,
+    std::unique_ptr<content::WebContents> web_contents,
    Type type) {
-  return mate::CreateHandle(isolate,
-                            new WebContents(isolate, web_contents, type));
+  return mate::CreateHandle(
+      isolate, new WebContents(isolate, std::move(web_contents), type));
 }

 // static