Fix detach IPCs races against navigation commit with navigation queueing
With navigation queueing, a pending commit navigation is never cancelled. If a pending commit navigation races with the frame being removed from the DOM, the renderer process committing the navigation can end up missing the detach: in the browser process, the detach is replicated to the other renderers by deleting the RenderFrameProxyHosts for the FrameTreeNode. However, the committing renderer process will no longer have a RenderFrameProxy after the commit completes in its process, so it will never hear about the detach.

The fix is to also call `DeleteRenderFrame()` when discarding pending commit speculative RFHs, rather than assuming that the pending commit RenderFrame will be implicitly cleaned up.

Bug: 332746903
Change-Id: I0e8c48b0c17271cdf974ec40ff6a479346581def
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/5460976
Reviewed-by: Alex Moshchuk <alexmos@chromium.org>
Commit-Queue: Daniel Cheng <dcheng@chromium.org>
Reviewed-by: Rakina Zata Amni <rakina@chromium.org>
Cr-Commit-Position: refs/heads/main@{#1289587}