Change the Mac GMP process launch to include sandboxing params on the command line to allow the sandbox to be started earlier during GMP process launch. Content, extension, and RDD processes have already been changed to start the sandbox earlier.
Update GMPProcessParent to override GeckoChildProcessHost methods used to construct sandboxing parameters. Pass the plugin path as a sandbox parameter so that the sandbox rules can whitelist the plugin directory which is now read after the sandbox is enabled in the plugin process. On development builds, pass "testingReadPath" params so directories needed during automated tests can be whitelisted.
Update Mac sandboxing code to detect GMP sandbox params on the command line and enable the sandbox with additional arguments needed for early sandbox start.
Allow reverting to the old implementation by setting security.sandbox.gmp.mac.earlyinit to false.
Differential Revision: https://phabricator.services.mozilla.com/D34085
--HG--
extra : moz-landing-system : lando
Will also silence static analysis in phabricator whenever a caller of this code is used.
Differential Revision: https://phabricator.services.mozilla.com/D33419
--HG--
extra : moz-landing-system : lando
The vast majority of the virtual methods which were used on ProtocolState were
actually methods which only had meaningful implementations on the toplevel
protocol. This patch adds a new field to IProtocol holding a direct pointer to
the protocol's `IToplevelProtocol`, and the methods formerly implemented with
ProtocolState now directly call the corresponding method on IToplevelProtocol.
IToplevelProtocol then shadows these methods with the toplevel protocol
implementation, meaning that the right code is run in the right places.
In addition, some state was maintained for protocols inside of the separate
ProtocolState allocation, and this patch moves that state back into the actor
itself.
Differential Revision: https://phabricator.services.mozilla.com/D32044
--HG--
extra : moz-landing-system : lando
Make nsIWebBrowserPrint included unconditionally for addressing nsIDocShell.rs build failure.
Remove direct_call of PPrinting and PRemotePrintJob. Their ipdl are built unconditionally, but their derived classes are not built with --disable-printing.
Differential Revision: https://phabricator.services.mozilla.com/D33391
--HG--
extra : moz-landing-system : lando
This patch includes multiple changes cleaning up various aspects of the crash
reporter client and exception handler:
* Some Unix-specific code was moved out from the base crashreporter client
code and into the appropriate platform implementation
* Functions used to open files in the crashreporter client now accept C++
`std::ios` flags instead of unreadable booleans
* Useless character conversion routines were removed from the
minidump-analyzer
* Crash annotations are not serialized into a huge string anymore every time
they change. They are all written out individually during an exception.
* `WriteEscapedMozCrashReason()` uses the exception-safe `my_strlen()` instead
of plain `strlen()`
* The Windows-specific DLL-blocklist shutdown was removed from the Linux &
macOS Breakpad callbacks
* The `CrashReporterHost`, `CrashReporterClient` and
`CrashReporterMetadataShmem` classes now take `nsACString` references
instead of `nsCString` ones since they never modify their contents
Differential Revision: https://phabricator.services.mozilla.com/D33267
--HG--
extra : moz-landing-system : lando
The current situation is suboptimal, where we have the same goop
repeated in multiple files, and where things kinda sorta work out fine
thanks to the linker for files that would have been forbidden, except
when the linker doesn't do its job, which apparently happen on
mingwclang builds.
This change only really covers C++ code using operator new/delete, and
not things that would be using malloc/free, because it's easier.
malloc/free is left for a followup.
Differential Revision: https://phabricator.services.mozilla.com/D32119
--HG--
extra : moz-landing-system : lando
Currently the Android implementation of process launch signals failure by
returning pid 0 through an out-parameter; we don't check for that, so we
report success and then the bad pid spreads through IPC until it sets off
an assertion somewhere else. This patch adds the missing check and
strengthens an assertion that would have caught the problem more directly.
Differential Revision: https://phabricator.services.mozilla.com/D32875
--HG--
extra : moz-landing-system : lando
This allows for the getter to be used in IProtocol's destructor, and generally
brings IProtocol more in line with IToplevelProtocol.
Differential Revision: https://phabricator.services.mozilla.com/D32042
--HG--
extra : moz-landing-system : lando
Don't hold gMutex when calling HandleSharePortsMessage() from PortServerThread to avoid deadlock.
Differential Revision: https://phabricator.services.mozilla.com/D31694
--HG--
extra : moz-landing-system : lando
These values were only being used for assertions within IPDL send
methods. They had no positive impact beyond causing crashes when sending
a message over a dead actor.
Differential Revision: https://phabricator.services.mozilla.com/D30235
--HG--
extra : moz-landing-system : lando
Historically we've failed very loudly when receiving a message which was
destined for an actor which had already been destroyed. This had the
effect of requiring manual teardown for most actors, as work would need
to be done to ensure messages weren't sent when the target actor might
be about to tear itself down.
In addition, due to this teardown work being done outside of IPDL, this
work would have to manually be checked in subactors, and involved the
addition of new flags, such as `mIPCOpen`, in order to track whether IPC
had begun to be shut down, and discard messages manually if it had.
It is an ongoing issue that we occasionally miss places where we need to
discard messages, and it is easy to not remember to perform async
destruction when building a new actor, meaning that extra work is
required to correctly discard messages when the actor is being torn
down. Due to the correct decision, almost all of the time, being to
discard the message, this patch takes the approach of transforming the
crash which was previously performed into a message discard.
The hope is that this will reduce the burden on actor implementors, by
allowing the use of `Send__delete__` without first synchronizing with
the remote actor, as well as reduce unintentional crashes.
Differential Revision: https://phabricator.services.mozilla.com/D28892
--HG--
extra : moz-landing-system : lando
Upon a content process crash or hang crash annotations were incrementally
written into the .extra file starting with the exception handler callback and
then in a number of different places before the file was ready for submission.
This had a number of downsides: since the annotations were directly added to
the file it was impossible to tell which ones were already written at a
certain point in time, additionally some were written twice or even thrice.
The code doing the writing would also behave differently depending on the
contents of the file, the parameters passed to it and the contents of global
variables.
This change overhauls the whole process by keeping the annotations into a
temporary per-crash annotation table which is filled with all the required
annotations before being written out in a single pass when they are ready.
The annotations are gathered from the main process annotation table, the
per-process one (held by the CrashReporterHost) and exception-time specific
ones.
The resulting annotations are slightly different than before the patch: first
of all there are no more duplicate entries in the .extra file and secondly all
content/plugin process hangs annotations are properly filtered, before
annotations that were main process-only would leak into them.
Differential Revision: https://phabricator.services.mozilla.com/D31069
--HG--
extra : moz-landing-system : lando
This removes the XRE_TakeMinidumpForChild() which does not need to be
exposed anymore in the XUL API as well as
IToplevelProtocol::TakeMinidump() which was simply unused.
Differential Revision: https://phabricator.services.mozilla.com/D31062
--HG--
extra : moz-landing-system : lando
This patch changes the way how we handle sync ctor send errors. They are now
ignored and treated like messages which successfully were queued to send, but
got lost due to the other side hanging up.
For more details, see bug 1509362 which originally did it for async ctors.
The main differences here are that we destroy the actor and we return null when
the send fails.
Differential Revision: https://phabricator.services.mozilla.com/D31517
This isn't needed now that BrowserParent has the same name
as the protocol.
Differential Revision: https://phabricator.services.mozilla.com/D30151
--HG--
extra : rebase_source : dbfc1722a43e1f8fbbe01f1766a397b570fa7d6a
extra : source : 792b49f269bb6308e152290ed0dfa03efbffa536
extra : histedit_source : e001669549af547f5387a3b010ad52ebee6eea3f
ContentVerifier has been dead code since bug 1355166 (which, incidentally, means
it has no tests). Its presence is preventing improvements to
ContentSignatureVerifier (see e.g. bug 1534600), so this patch removes it.
As a result, the nsILoadInfo attributes verifySignedContent and enforceSRI are
also unused, so this patch removes those as well.
Differential Revision: https://phabricator.services.mozilla.com/D28885
--HG--
extra : moz-landing-system : lando
FileCreatorHelper creates a FileBlobImpl on the main-thread and, because of
this, we end up executing I/O operations on that thread, slowing down other
components. With this patch, FileCreatorHelper logic is moved to PBackground.
That the 'type' getter is still called on the main-thread because FileBlobImpl
uses nsIMIMEService which is a non thread-safe component.
Differential Revision: https://phabricator.services.mozilla.com/D27641
--HG--
extra : moz-landing-system : lando
FileCreatorHelper creates a FileBlobImpl on the main-thread and, because of
this, we end up executing I/O operations on that thread, slowing down other
components. With this patch, FileCreatorHelper logic is moved to PBackground.
That the 'type' getter is still called on the main-thread because FileBlobImpl
uses nsIMIMEService which is a non thread-safe component.
Differential Revision: https://phabricator.services.mozilla.com/D27641
--HG--
extra : moz-landing-system : lando
This consolidates array, maybe and unique ptrs in IPDL into a single
"has base type" qualifier, for types that wrap another type. I'm not
sure this patch fixes everything, but I think it is at least more
correct.
It also adds checking for the stuff inside the UniquePtr<>, because
the intent seems to be to allow things like protocol types in there.
Differential Revision: https://phabricator.services.mozilla.com/D28571
--HG--
extra : moz-landing-system : lando
Currently, when deserialization fails, the error message contains the base
name of the C++ type, without template parameters; this means we can get
unhelpfully vague errors about `RefPtr` or `Maybe` or `nsTArray`. (The
identical error cases are then merged by the compiler, so the execution
path can't be recovered from the crash dump.)
This patch uses the IPDL type instead. It would be possible to invoke
the code generator to use the full C++ type, but more complicated for no
real benefit.
Differential Revision: https://phabricator.services.mozilla.com/D28401
--HG--
extra : moz-landing-system : lando
In sandboxed processes with Win32k lockdown, when we initialize COM using an MTA
on a background thread, the main thread is automatically initialized by the COM
runtime as having an implicit MTA.
This is fine, except for the fact that if we want to enqueue any work that needs
to operate specifically on the EnsureMTA thread, it won't happen.
This patch adds a flag to EnsureMTA's constructor that ensures that, even if the
current thread is in an MTA (implicit or otherwise), we still forcibly enqueue
the closure specifically to the EnsureMTA thread.
Differential Revision: https://phabricator.services.mozilla.com/D28391
--HG--
extra : moz-landing-system : lando
FileCreatorHelper creates a FileBlobImpl on the main-thread and, because of
this, we end up executing I/O operations on that thread, slowing down other
components. With this patch, FileCreatorHelper logic is moved to PBackground.
That the 'type' getter is still called on the main-thread because FileBlobImpl
uses nsIMIMEService which is a non thread-safe component.
Differential Revision: https://phabricator.services.mozilla.com/D27641
--HG--
extra : moz-landing-system : lando
The maximum size of an IPC message is defined twice; IPC::Channel::kMaximumMessageSize = 256 MiB and IPC::MAX_MESSAGE_SIZE = 65 KiB . The latter one is used for Windows printing and its small size could cause errors.
I removed the small constant, and made changes to the files using it :
- The windows printing file now uses kMaximumMessageSize / 2
- nsWebBrowserPersist uses its old constant
Differential Revision: https://phabricator.services.mozilla.com/D24972
--HG--
extra : moz-landing-system : lando
Cmd-line params for the SharedPreferenceSerializer was
duplicated in ContentParent and
SocketProcessHost. Since we'll have a 3rd process (RDD)
using this same code, let's move the repsonsiblity for knowing how to add
these cmdline params into SharedPreferenceSerializer.
Depends on D26567
Differential Revision: https://phabricator.services.mozilla.com/D26568
--HG--
extra : moz-landing-system : lando
The binary path type of a particular content process is useful information
outside of IPC. Given that `XRE_EnableSameExecutableForContentProc` already
exists, and given that the binary path type is closely related to
`GeckoProcessType`, I've added a new function, `XRE_GetContentProcBinPathType`.
The mapping of process type to binary type has been moved to the
`GeckoProcessTypes` definitions.
This patch also modifies `ipc::GeckoChildProcessHost` to call into the new
function.
Differential Revision: https://phabricator.services.mozilla.com/D25816
--HG--
extra : histedit_source : acdfd2357fd06551dff5286c6b7c56bd92dd347b
The binary path type of a particular content process is useful information
outside of IPC. Given that `XRE_EnableSameExecutableForContentProc` already
exists, and given that the binary path type is closely related to
`GeckoProcessType`, I've added a new function, `XRE_GetContentProcBinPathType`.
The mapping of process type to binary type has been moved to the
`GeckoProcessTypes` definitions.
This patch also modifies `ipc::GeckoChildProcessHost` to call into the new
function.
Differential Revision: https://phabricator.services.mozilla.com/D25816
--HG--
extra : moz-landing-system : lando
The binary path type of a particular content process is useful information
outside of IPC. Given that `XRE_EnableSameExecutableForContentProc` already
exists, and given that the binary path type is closely related to
`GeckoProcessType`, I've added a new function, `XRE_GetContentProcBinPathType`.
The mapping of process type to binary type has been moved to the
`GeckoProcessTypes` definitions.
This patch also modifies `ipc::GeckoChildProcessHost` to call into the new
function.
Differential Revision: https://phabricator.services.mozilla.com/D25816
--HG--
extra : moz-landing-system : lando
PPluginInstance's __delete__ was ported from rpc to intr, and is the
only non-async IPDL deletion in the codebase. We should be able to
align this with the rest of the IPDL interfaces and remove the need
for specialized intr __delete__ handling.
Differential Revision: https://phabricator.services.mozilla.com/D25674
--HG--
extra : moz-landing-system : lando
Mechanical change from Matcher::match(...) to Matcher::operator()(...).
This will now permit the use of generic lambdas, and facilitate the
implementation of multi-lambda match.
Differential Revision: https://phabricator.services.mozilla.com/D24889
--HG--
extra : moz-landing-system : lando
Start the RDD process earlier by changing RDDProcessHost to pass the necessary command line arguments for enabling the sandbox.
Per lsmp output on 10.14.3, starting the RDD process sandbox removes access to WindowServer, coreservicesd, lsd and distnoted.
Add a pref (defaulting to on) to control enabling starting the RDD process earlier.
Differential Revision: https://phabricator.services.mozilla.com/D23460
--HG--
extra : moz-landing-system : lando
Move sandbox early start logic to GeckoChildProcessHost.
Move sandbox CLI param logic into MacSandboxInfo.
Differential Revision: https://phabricator.services.mozilla.com/D22409
--HG--
extra : moz-landing-system : lando
Add a new nsExternalHelperAppService derived class named nsOSHelperAppServiceChild to be used for the MIME service, external helper app service, and external protocol service interfaces in child processes. nsOSHelperAppServiceChild overrides some methods used to get MIME and external protocol handler information from the OS and implements these methods by remoting the calls to the parent process.
This is necessary because, on Mac, querying the OS for helper application info from sandboxed content processes is unreliable and has buggy side effects.
For now, only use the new class on Mac.
Android and unix file changes r+ by gcp.
Windows files changes r+ by bobowen.
Sync messages review r+ by nfroyd.
MozReview-Commit-ID: 63BiS6VCxfn
Differential Revision: https://phabricator.services.mozilla.com/D15620
--HG--
extra : moz-landing-system : lando
Add a new nsExternalHelperAppService derived class named nsOSHelperAppServiceChild to be used for the MIME service, external helper app service, and external protocol service interfaces in child processes. nsOSHelperAppServiceChild overrides some methods used to get MIME and external protocol handler information from the OS and implements these methods by remoting the calls to the parent process.
This is necessary because, on Mac, querying the OS for helper application info from sandboxed content processes is unreliable and has buggy side effects.
For now, only use the new class on Mac.
Android and unix file changes r+ by gcp.
Windows files changes r+ by bobowen.
Sync messages review r+ by nfroyd.
MozReview-Commit-ID: 63BiS6VCxfn
Differential Revision: https://phabricator.services.mozilla.com/D15620
--HG--
extra : moz-landing-system : lando
This patch adds two things:
1. An optional fixed_address argument to SharedMemoryBasic::Map, which
is the address to map the shared memory at.
2. A FindFreeAddressSpace function that callers can use to find a
contiguous block of free address space, which can then be used to
determine an address to pass in to Map that is likely to be free.
Patches in bug 1474793 will use these to place the User Agent style
sheets in a shared memory buffer in the parent process at an address
that is also likely to be free in content processes.
Differential Revision: https://phabricator.services.mozilla.com/D15057
--HG--
extra : moz-landing-system : lando
Replaced instances of callers in both C++ and JS files to query the state from the principal directly.
Differential Revision: https://phabricator.services.mozilla.com/D22532
--HG--
extra : moz-landing-system : lando
Added assert to check if the id is exceeding bounds of signed 32 bit integer.
```
x < (1<<29)
x+1 <= (1<<29)
((x+1)<<2) <= (1<<31)
((x+1)<<2) | (two bit tag t)<= (1<<31)
```
Differential Revision: https://phabricator.services.mozilla.com/D23808
--HG--
extra : moz-landing-system : lando
I'd like to move an ipc::ByteBuf member of a struct into a Maybe,
and in order for that to work IPDLParamTraits<Maybe> needs to support
the rvalue Write.
Differential Revision: https://phabricator.services.mozilla.com/D23986
--HG--
extra : moz-landing-system : lando
I'd like to move an ipc::ByteBuf member of a struct into a Maybe,
and in order for that to work IPDLParamTraits<Maybe> needs to support
the rvalue Write.
Differential Revision: https://phabricator.services.mozilla.com/D23986
--HG--
extra : moz-landing-system : lando
Now that fields are packed nicely, we can take advantage of the
contiguous layout of POD fields and read/write all the POD fields of a
given size in a single read/write call. For many structs, this should
have little or no effect, but for large structs such as LoadInfoArgs,
this reduces the number of function calls by ~50%.
Differential Revision: https://phabricator.services.mozilla.com/D22001
--HG--
extra : moz-landing-system : lando
We're about to start depending on how the fields are packed in a future
patch, so we should add some compile-time checking that our assertions
are correct.
Differential Revision: https://phabricator.services.mozilla.com/D22000
--HG--
extra : moz-landing-system : lando
We're going to read and write sentinels slightly differently for
bulk-writing adjacent fields, so let's factor out some reusable code for
doing so.
Differential Revision: https://phabricator.services.mozilla.com/D21999
--HG--
extra : moz-landing-system : lando
This patch changes the layout of IPDL-defined structs to order the POD
members by decreasing size, which ensures everything is packed well.
This optimization is only applied to the internal representation; the
external interface (e.g. constructors) is entirely unchaged.
Differential Revision: https://phabricator.services.mozilla.com/D21998
--HG--
extra : moz-landing-system : lando
This patch computes an ordering for the fields of an IPDL structure decl
such that they are packed well in memory. We'll take advantage of this
ordering in future patches.
Differential Revision: https://phabricator.services.mozilla.com/D21997
--HG--
extra : moz-landing-system : lando
By allowing the creation of StrongWorkerRefs in the Canceling state we
ensure that IPC will not fail and lead to crashes.
Differential Revision: https://phabricator.services.mozilla.com/D21920
--HG--
extra : moz-landing-system : lando
This is needed to maintain full feature parity with the existing
nsIPrincipal serializer while switching to using the PrincipalInfo-based
one.
Depends on D14434
Differential Revision: https://phabricator.services.mozilla.com/D20854
--HG--
extra : moz-landing-system : lando
GMP shouldn't need them anyway, and this reduces the dependencies from the x86
build we need to package in the "i686" subdir.
Differential Revision: https://phabricator.services.mozilla.com/D19902
--HG--
extra : source : 72ef2d2e9429ddb00d423181e3f8c881db228889
extra : intermediate-source : 1481e243977a28f1e8bbc12641f9a44ecb0a3856
extra : histedit_source : 1eb8f04f329e2df8f92b85a884304fd89c616234
This patch assumes that "the build" places plugin-container.exe, xul.dll, and
their dependencies in the "i686" subdirectory of the aarch64 firefox package
directory.
Differential Revision: https://phabricator.services.mozilla.com/D19898
--HG--
extra : source : bcba2fa22c772ba7c17e0dbdb5a10e5bbfe900d6
extra : histedit_source : 4b7f79876b3e67d1c1c64d91e869c3ad1efc4913
This is needed to maintain full feature parity with the existing
nsIPrincipal serializer while switching to using the PrincipalInfo-based
one.
Depends on D20853
Differential Revision: https://phabricator.services.mozilla.com/D20854
--HG--
extra : moz-landing-system : lando
This patch tries to move them to `ContentParent` instead.
`ProcessPriorityManagerImpl::ObserveContentParentCreated` could not be moved
due to using `do_QueryInterface` to cast from a `nsISupports` down to the
`ContentParent` object. This could be fixed to remove the interfaces entirely,
but I left that for a follow-up.
Depends on D20549
Differential Revision: https://phabricator.services.mozilla.com/D20550
--HG--
extra : moz-landing-system : lando
This actor won't be being used anymore, and acts only as a maintenance burden
for people working on this code (which we're doing pretty often these days!).
Differential Revision: https://phabricator.services.mozilla.com/D20549
--HG--
extra : moz-landing-system : lando
This patch tries to move them to `ContentParent` instead.
`ProcessPriorityManagerImpl::ObserveContentParentCreated` could not be moved
due to using `do_QueryInterface` to cast from a `nsISupports` down to the
`ContentParent` object. This could be fixed to remove the interfaces entirely,
but I left that for a follow-up.
Depends on D20549
Differential Revision: https://phabricator.services.mozilla.com/D20550
--HG--
extra : moz-landing-system : lando
This actor won't be being used anymore, and acts only as a maintenance burden
for people working on this code (which we're doing pretty often these days!).
Differential Revision: https://phabricator.services.mozilla.com/D20549
--HG--
extra : moz-landing-system : lando
Haik Aftandilian
Jean-Yves Avenard
Matt Woodrow
Tarek Ziadé
Christoph Kerschbaumer
Bogdan Tara
Nika Layzell
sotaro
Gabriele Svelto
shindli
Mike Hommey
PHO
Jed Davis
Razvan Maries
Sylvestre Ledru
myfreeweb
Jan Varga
Ryan Hunt
Bas Schouten
Mihai Alexandru Michis
Andrea Marchesini
Cosmin Sabou
Aaron Klotz
Jonathan Kew
Dana Keeler
Honza Bambas
Brindusan Cristian
Andrew McCreight
Ciure Andrei
hafsa
Jeff Walden
Valentin Gosu
Michael Froman
Noemi Erli
Andreea Pavel
Boris Zbarsky
Csoregi Natalia
Narcis Beleuzu
Kyle Machulis
Khyati Agarwal
Gerald Squelart
Jim Mathies
Alex Gaynor
Oana Pop Rus
arthur.iakab
dOn'tReallycAre
Cameron McCormack
sakshaat
srujana
Doug Thayer
Dorel Luca
David Major
Chris Pearce
Coroiu Cristina
Nathan Froyd
Masatoshi Kimura
Yaron Tausky
Luke Wagner
Gurzau Raul