authorhclam@chromium.org <hclam@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98>2009-05-18 17:46:31 +0000
committerhclam@chromium.org <hclam@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98>2009-05-18 17:46:31 +0000
commitb0af04c4b7595afcfcfe847e232bc6ae88101735 (patch)
tree9218ad9ed34635f3387dbbe7aca25a55e851e690 /chrome/common
parentf4c6499a37788cd2bc2c4781f005ad2c03fd47e7 (diff)
Fix a memory leak in ResourceDispatcher
When we delete a ResourceLoaderBridge before OnCompletedRequest is received, bad things happen. There are a lot of leaks at the following points: 1. OnMessageReceived ignores the message. 2. RemovePendingRequest removes its internal deferred_message_queue. But ViewHostMsg_Resource_DataReceived is not POD. We should also close the shared memory handle inside it. Review URL: http://codereview.chromium.org/115396 git-svn-id: svn://svn.chromium.org/chrome/trunk/src@16297 0039d316-1c4b-4281-b951-d872f2087c98
Diffstat (limited to 'chrome/common')
-rw-r--r--chrome/common/resource_dispatcher.cc34
-rw-r--r--chrome/common/resource_dispatcher.h6
2 files changed, 40 insertions, 0 deletions
diff --git a/chrome/common/resource_dispatcher.cc b/chrome/common/resource_dispatcher.cc
index c669d43..e879c36 100644
--- a/chrome/common/resource_dispatcher.cc
+++ b/chrome/common/resource_dispatcher.cc
@@ -276,6 +276,8 @@ bool ResourceDispatcher::OnMessageReceived(const IPC::Message& message) {
// This might happen for kill()ed requests on the webkit end, so perhaps it
// shouldn't be a warning...
DLOG(WARNING) << "Got response for a nonexistant or finished request";
+ // Release resources in the message if it is a data message.
+ ReleaseResourcesInDataMessage(message);
return true;
}
@@ -467,6 +469,17 @@ bool ResourceDispatcher::RemovePendingRequest(int request_id) {
PendingRequestList::iterator it = pending_requests_.find(request_id);
if (it == pending_requests_.end())
return false;
+
+ // Iterate through the deferred message queue and clean up the messages.
+ PendingRequestInfo& request_info = it->second;
+ MessageQueue& q = request_info.deferred_message_queue;
+ while (!q.empty()) {
+ IPC::Message* m = q.front();
+ ReleaseResourcesInDataMessage(*m);
+ q.pop_front();
+ delete m;
+ }
+
pending_requests_.erase(it);
return true;
}
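Review bot: The drain loop added to RemovePendingRequest is the only place visible here that closes handles held by deferred messages, so any other path that destroys a `pending_requests_` entry or empties `deferred_message_queue` (dispatcher teardown, for example, which this hunk does not show) would still drop the `IPC::Message*` objects with their handles open. It would help to state the ownership rule at the loop, e.g. `// The queue owns its messages; close any handle a message carries before deleting it.`, and to check the other removal paths against it. Taking the message off the queue first (`q.pop_front();` then `ReleaseResourcesInDataMessage(*m); delete m;`) would also mean the queue never holds a message whose handle is already closed.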
@@ -559,3 +572,24 @@ bool ResourceDispatcher::IsResourceDispatcherMessage(
return false;
}
+
+void ResourceDispatcher::ReleaseResourcesInDataMessage(
+ const IPC::Message& message) {
+ void* iter = NULL;
+ int request_id;
+ if (!message.ReadInt(&iter, &request_id)) {
+ NOTREACHED() << "malformed resource message";
+ return;
+ }
+
+ // If the message contains a shared memory handle, we should close the
+ // handle or there will be a memory leak.
+ if (message.type() == ViewMsg_Resource_DataReceived::ID) {
+ base::SharedMemoryHandle shm_handle;
+ if (IPC::ParamTraits<base::SharedMemoryHandle>::Read(&message,
+ &iter,
+ &shm_handle)) {
+ base::SharedMemory::CloseHandle(shm_handle);
+ }
+ }
+}
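Review bot: ReleaseResourcesInDataMessage closes a handle read out of a `const IPC::Message&`, so the message still carries the same handle value afterwards and nothing prevents a second release or a later dispatch of it; the OS reuses handle values, so a second close could land on an unrelated object. As far as the hunks show, both call sites in this commit drop the message right after the call, and the function should state that contract: `// Call at most once per message, and only when the message will not be dispatched afterwards.` The `NOTREACHED()` branch and the failed `ParamTraits<base::SharedMemoryHandle>::Read` branch both handle data that arrives from another process. The second returns silently, and a `DLOG(WARNING)` there would make a handle that could not be released visible in debug builds.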
diff --git a/chrome/common/resource_dispatcher.h b/chrome/common/resource_dispatcher.h
index 8ad20fe..f4494a5 100644
--- a/chrome/common/resource_dispatcher.h
+++ b/chrome/common/resource_dispatcher.h
@@ -114,6 +114,12 @@ class ResourceDispatcher {
// Returns true if the message passed in is a resource related message.
static bool IsResourceDispatcherMessage(const IPC::Message& message);
+ // ViewHostMsg_Resource_DataReceived is not POD, it has a shared memory
+ // handle in it that we should cleanup it up nicely. This method accepts any
+ // message and determine whether the message is
+ // ViewHostMsg_Resource_DataReceived and clean up the shared memory handle.
+ void ReleaseResourcesInDataMessage(const IPC::Message& message);
+
IPC::Message::Sender* message_sender_;
// All pending requests issued to the host
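Review bot: The comment on the new declaration names `ViewHostMsg_Resource_DataReceived`, but the implementation in resource_dispatcher.cc compares the type against `ViewMsg_Resource_DataReceived::ID`; the comment should name the message the code actually checks and fix the doubled wording in "cleanup it up". Suggested text: `// Closes the shared memory handle carried by a ViewMsg_Resource_DataReceived message; any other message is left untouched.` The body shown in the .cc hunk reads no member state, so the method could be declared `static` like IsResourceDispatcherMessage above it. The class body continues outside the hunk.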