authorfsamuel@chromium.org <fsamuel@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98>2012-11-27 21:22:19 +0000
committerfsamuel@chromium.org <fsamuel@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98>2012-11-27 21:22:19 +0000
commit5dca5e57338af373269188eb4ed4e92c011f5e79 (patch)
tree3319635dd23d8dbf1e3116fa7d18167e12c97562
parent434bc9bd7fa0f3d22381e467d35ddb34b2a2c1ac (diff)
Browser Plugin: Don't leak memory on window.open
It turns out that when a guest calls window.open, we create a RenderView that isn't rendered anywhere. This means we leak A LOT of memory, potentially. BUG=162490 Review URL: https://codereview.chromium.org/11411154 git-svn-id: svn://svn.chromium.org/chrome/trunk/src@169757 0039d316-1c4b-4281-b951-d872f2087c98
-rw-r--r--content/browser/browser_plugin/browser_plugin_message_filter.cc43
-rw-r--r--content/browser/browser_plugin/browser_plugin_message_filter.h41
-rw-r--r--content/browser/renderer_host/render_process_host_impl.cc11
-rw-r--r--content/content_browser.gypi2
4 files changed, 97 insertions, 0 deletions
diff --git a/content/browser/browser_plugin/browser_plugin_message_filter.cc b/content/browser/browser_plugin/browser_plugin_message_filter.cc
new file mode 100644
index 0000000..fda1205
--- /dev/null
+++ b/content/browser/browser_plugin/browser_plugin_message_filter.cc
@@ -0,0 +1,43 @@
+// Copyright (c) 2012 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#include "content/browser/browser_plugin/browser_plugin_message_filter.h"
+
+#include "content/common/view_messages.h"
+
+namespace content {
+
+BrowserPluginMessageFilter::BrowserPluginMessageFilter(
+ int render_process_id,
+ BrowserContext* browser_context)
+ : render_process_id_(render_process_id) {
+}
+
+BrowserPluginMessageFilter::~BrowserPluginMessageFilter() {
+ DCHECK(BrowserThread::CurrentlyOn(BrowserThread::IO));
+}
+
+bool BrowserPluginMessageFilter::OnMessageReceived(
+ const IPC::Message& message,
+ bool* message_was_ok) {
+ bool handled = true;
+ IPC_BEGIN_MESSAGE_MAP_EX(BrowserPluginMessageFilter, message, *message_was_ok)
+ IPC_MESSAGE_HANDLER(ViewHostMsg_CreateWindow, OnMsgCreateWindow)
+ IPC_MESSAGE_UNHANDLED(handled = false)
+ IPC_END_MESSAGE_MAP()
+ return handled;
+}
+
+void BrowserPluginMessageFilter::OnMsgCreateWindow(
+ const ViewHostMsg_CreateWindow_Params& params,
+ int* route_id,
+ int* surface_id,
+ int64* cloned_session_storage_namespace_id) {
+ // TODO(fsamuel): We do not currently support window.open.
+ // See http://crbug.com/140316.
+ *route_id = MSG_ROUTING_NONE;
+ *surface_id = 0;
+}
+
+} // namespace content
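Review bot: `OnMsgCreateWindow` assigns `*route_id` and `*surface_id` but never writes `*cloned_session_storage_namespace_id`, so the third reply value of this synchronous message is whatever the dispatch code left in it. If the IPC macros do not zero-initialise the reply tuple (not visible here), an indeterminate browser-process value is sent back to a guest renderer, the less trusted side of this boundary. Assigning it explicitly next to the other two, e.g. `*cloned_session_storage_namespace_id = 0;` or whichever value the existing create-window path uses for "no namespace", makes the denial reply fully defined. Separately, the destructor's `DCHECK` uses `BrowserThread` without this file including its header, so it appears to rely on a transitive include.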
diff --git a/content/browser/browser_plugin/browser_plugin_message_filter.h b/content/browser/browser_plugin/browser_plugin_message_filter.h
new file mode 100644
index 0000000..26ac9a2
--- /dev/null
+++ b/content/browser/browser_plugin/browser_plugin_message_filter.h
@@ -0,0 +1,41 @@
+// Copyright (c) 2012 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#ifndef CONTENT_BROWSER_BROWSER_PLUGIN_BROWSER_PLUGIN_MESSAGE_FILTER_H_
+#define CONTENT_BROWSER_BROWSER_PLUGIN_BROWSER_PLUGIN_MESSAGE_FILTER_H_
+
+#include "content/public/browser/browser_message_filter.h"
+
+struct ViewHostMsg_CreateWindow_Params;
+
+namespace content {
+class BrowserContext;
+
+// This class filters out incoming IPC messages for the guest renderer process
+// on the IPC thread before other message filters handle them.
+class BrowserPluginMessageFilter : public BrowserMessageFilter {
+ public:
+ BrowserPluginMessageFilter(int render_process_id,
+ BrowserContext* browser_context);
+
+ // BrowserMessageFilter implementation.
+ virtual bool OnMessageReceived(const IPC::Message& message,
+ bool* message_was_ok) OVERRIDE;
+
+ private:
+ virtual ~BrowserPluginMessageFilter();
+ void OnMsgCreateWindow(
+ const ViewHostMsg_CreateWindow_Params& params,
+ int* route_id,
+ int* surface_id,
+ int64* cloned_session_storage_namespace_id);
+
+ int render_process_id_;
+
+ DISALLOW_COPY_AND_ASSIGN(BrowserPluginMessageFilter);
+};
+
+} // namespace content
+
+#endif // CONTENT_BROWSER_BROWSER_PLUGIN_BROWSER_PLUGIN_MESSAGE_FILTER_H_
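Review bot: The constructor declares a `BrowserContext* browser_context` parameter that the .cc in this commit never stores or reads, and `render_process_id_` is stored but not used by any handler shown. Either drop the unused parameter until a handler needs it, or add a comment saying what it is reserved for, so callers do not assume the filter's decisions are scoped to a context. The class comment would also help more if it named the one message intercepted and the ordering it needs, for example `// Intercepts ViewHostMsg_CreateWindow from guest renderers and replies with MSG_ROUTING_NONE; must be added to the channel before RenderMessageFilter.`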
diff --git a/content/browser/renderer_host/render_process_host_impl.cc b/content/browser/renderer_host/render_process_host_impl.cc
index 83865964..670fc32 100644
--- a/content/browser/renderer_host/render_process_host_impl.cc
+++ b/content/browser/renderer_host/render_process_host_impl.cc
@@ -41,6 +41,7 @@
#include "content/browser/appcache/chrome_appcache_service.h"
#include "content/browser/browser_main.h"
#include "content/browser/browser_main_loop.h"
+#include "content/browser/browser_plugin/browser_plugin_message_filter.h"
#include "content/browser/child_process_security_policy_impl.h"
#include "content/browser/device_orientation/orientation_message_filter.h"
#include "content/browser/dom_storage/dom_storage_context_impl.h"
@@ -521,6 +522,16 @@ void RenderProcessHostImpl::CreateMessageFilters() {
DCHECK(BrowserThread::CurrentlyOn(BrowserThread::UI));
MediaObserver* media_observer =
GetContentClient()->browser()->GetMediaObserver();
+ // Add BrowserPluginMessageFilter to ensure it gets the first stab at messages
+ // from guests.
+ if (IsGuest()) {
+ scoped_refptr<BrowserPluginMessageFilter> bp_message_filter(
+ new BrowserPluginMessageFilter(
+ GetID(),
+ GetBrowserContext()));
+ channel_->AddFilter(bp_message_filter);
+ }
+
scoped_refptr<RenderMessageFilter> render_message_filter(
new RenderMessageFilter(
GetID(),
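Review bot: The guest-only block in `CreateMessageFilters` depends on two things its comment does not state: that the channel offers messages to filters in the order they were added, and that `IsGuest()` already returns its final value when this function runs. If either does not hold, a guest's `ViewHostMsg_CreateWindow` would still reach `RenderMessageFilter` and the view would be created as before. I would spell that out in the comment, e.g. `// Must be added before RenderMessageFilter so a guest's ViewHostMsg_CreateWindow is rejected here; relies on IsGuest() being set before filters are created.`, and add a test that a guest's window.open gets `MSG_ROUTING_NONE` back. The function body continues past the end of this hunk.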
diff --git a/content/content_browser.gypi b/content/content_browser.gypi
index 7c34d71..fd3ccb5 100644
--- a/content/content_browser.gypi
+++ b/content/content_browser.gypi
@@ -260,6 +260,8 @@
'browser/browser_plugin/browser_plugin_guest_helper.cc',
'browser/browser_plugin/browser_plugin_guest_helper.h',
'browser/browser_plugin/browser_plugin_host_factory.h',
+ 'browser/browser_plugin/browser_plugin_message_filter.cc',
+ 'browser/browser_plugin/browser_plugin_message_filter.h',
'browser/browser_process_sub_thread.cc',
'browser/browser_process_sub_thread.h',
'browser/browser_thread_impl.cc',