Bug 1782505 - Observe destroyed actors in IPC fuzzing. r=nika

Differential Revision: https://phabricator.services.mozilla.com/D153344
2022-08-02 22:06:28 +00:00 · 2022-08-02 22:06:28 +00:00 · 53b78333a2
--- a/ipc/glue/MessageChannel.h
+++ b/ipc/glue/MessageChannel.h
@ -316,7 +316,7 @@ class MessageChannel : HasResultCodes {
 #ifdef FUZZING_SNAPSHOT
  Maybe<mojo::core::ports::PortName> GetPortName() {
    MonitorAutoLock lock(*mMonitor);
-    return mLink->GetPortName();
+    return mLink ? mLink->GetPortName() : Nothing();
  }
 #endif

--- a/ipc/glue/ProtocolUtils.cpp
+++ b/ipc/glue/ProtocolUtils.cpp
@ -546,6 +546,10 @@ void IProtocol::DestroySubtree(ActorDestroyReason aWhy) {
  MOZ_ASSERT(CanRecv(), "destroying non-connected actor");
  MOZ_ASSERT(mLifecycleProxy, "destroying zombie actor");

+#ifdef FUZZING_SNAPSHOT
+  fuzzing::IPCFuzzController::instance().OnActorDestroyed(this);
+#endif
+
  // If we're a managed actor, unregister from our manager
  if (Manager()) {
    Unregister(Id());
--- a/tools/fuzzing/ipc/IPCFuzzController.cpp
+++ b/tools/fuzzing/ipc/IPCFuzzController.cpp
@ -132,6 +132,39 @@ void IPCFuzzController::OnActorConnected(IProtocol* protocol) {
  }
 }

+void IPCFuzzController::OnActorDestroyed(IProtocol* protocol) {
+  if (!XRE_IsParentProcess()) {
+    return;
+  }
+
+  MOZ_FUZZING_NYX_PRINTF("INFO: [OnActorDestroyed] ActorID %d Protocol: %s\n",
+                         protocol->Id(), protocol->GetProtocolName());
+
+  MessageChannel* channel = protocol->ToplevelProtocol()->GetIPCChannel();
+
+  Maybe<PortName> portName = channel->GetPortName();
+  if (portName) {
+    MOZ_FUZZING_NYX_DEBUG(
+        "DEBUG: IPCFuzzController::OnActorDestroyed() Mutex try\n");
+    // Called on background threads and modifies `actorIds`.
+    MutexAutoLock lock(mMutex);
+    MOZ_FUZZING_NYX_DEBUG(
+        "DEBUG: IPCFuzzController::OnActorDestroyed() Mutex locked\n");
+
+    for (auto iter = actorIds[*portName].begin();
+         iter != actorIds[*portName].end();) {
+      if (iter->first == protocol->Id() &&
+          iter->second == protocol->GetProtocolId()) {
+        iter = actorIds[*portName].erase(iter);
+      } else {
+        ++iter;
+      }
+    }
+  } else {
+    MOZ_FUZZING_NYX_PRINT("WARNING: No port name on destroyed actor?!\n");
+  }
+}
+
 void IPCFuzzController::AddToplevelActor(PortName name, ProtocolId protocolId) {
  const char* protocolName = ProtocolIdToName(protocolId);
  auto result = portNameToIndex.find(protocolName);
--- a/tools/fuzzing/ipc/IPCFuzzController.h
+++ b/tools/fuzzing/ipc/IPCFuzzController.h
@ -89,6 +89,7 @@ class IPCFuzzController {
                          bool* is_cons, bool update = true);

  void OnActorConnected(mozilla::ipc::IProtocol* protocol);
+  void OnActorDestroyed(mozilla::ipc::IProtocol* protocol);
  void OnDropPeer(const char* reason, const char* file, int line);
  void OnMessageTaskStart();
  void OnMessageTaskStop();