For Win32k lockdown, we need to remove the content processes' ability to
call GetICMProfileW(). Since it needs this to retrieve the output color
profile, a new synchronous call is added that allows it to request the
parent process to read this file on its behalf.
The contents of the file are now being cached as well, as this should help
ease some of the increased parent process I/O caused by the children not
being able to do this in their process anymore.
For performance reasons, during launch this information is passed directly
to the child through the SetXPCOMProcessAttributes call.
Differential Revision: https://phabricator.services.mozilla.com/D66126
--HG--
extra : moz-landing-system : lando
Before this patch, PSM would register content type handlers to handle certain
certificate types. This was an easy way to install a client certificate after
generating a key with <keygen>, but keygen has been removed. This was also an
easy way to install root certificates, but that's actually a considerable
security risk. We kept this functionality for so long because it was the only
way to add a 3rd-party root certificate to Fennec's certificate store. Now that
Fennec is EOL, we can remove it. (Fenix will need a way to trust 3rd party root
certificates, but the path forward there is to implement the enterprise roots
feature for Android.)
Differential Revision: https://phabricator.services.mozilla.com/D66118
--HG--
extra : moz-landing-system : lando
For Win32k lockdown, we need to remove the content processes' ability to
call GetICMProfileW(). Since it needs this to retrieve the output color
profile, a new synchronous call is added that allows it to request the
parent process to read this file on its behalf.
The contents of the file are now being cached as well, as this should help
ease some of the increased parent process I/O caused by the children not
being able to do this in their process anymore.
Differential Revision: https://phabricator.services.mozilla.com/D66126
--HG--
extra : moz-landing-system : lando
We were using the wrong Accessible method to get the level. We also need to swap IPDL methods to use the right one.
Differential Revision: https://phabricator.services.mozilla.com/D65645
--HG--
extra : moz-landing-system : lando
WalkHistoryEntries function gets called by nsSHistory::CloneAndReplaceChild
and nsSHistory::SetChildHistoryEntry recursively, so those have to be moved
into the parent process. This eliminates many sync IPC calls.
To facilitate transition to a new session history design,
we are mirroring mOSHE and mLSHE SH entries from docshell to browsing context.
Whenever we update those entries in docshell, we will also update those in BC,
and vice versa.
Differential Revision: https://phabricator.services.mozilla.com/D56201
--HG--
extra : moz-landing-system : lando
We want to be able to send IPC messages from the translation in the parent. So
the simplest thing is to move the top level actor parts of CanvasParent into
CanvasTranslator.
This patch also moves the canvas thread management parts out into a new
CanvasThreadHolder class and hopefully makes the lifecycle management of these
much more robust. This includes the use of a TaskQueue per CanvasTranslator to
manage serial processing on the canvas workers, instead of a boolean.
Differential Revision: https://phabricator.services.mozilla.com/D60887
--HG--
rename : gfx/layers/ipc/CanvasParent.cpp => gfx/layers/ipc/CanvasThread.cpp
rename : gfx/layers/ipc/CanvasParent.h => gfx/layers/ipc/CanvasThread.h
rename : gfx/layers/CanvasTranslator.cpp => gfx/layers/ipc/CanvasTranslator.cpp
rename : gfx/layers/CanvasTranslator.h => gfx/layers/ipc/CanvasTranslator.h
extra : moz-landing-system : lando
This removes the need for explicit #ifdef NS_BUILD_REFCNT_LOGGING without
introducing user-defined destructors when it is not defined.
Also, some uses of virtual for declaring destructors are replaced by the
appropriate override declaration through these changes.
Differential Revision: https://phabricator.services.mozilla.com/D62604
--HG--
extra : moz-landing-system : lando
The default method implementations cause problems when trying to
override them with different types in a direct call class.
For the `Recv__delete__` case there's a simple solution: omit it if
there are any arguments, because it doesn't make much sense to specify
arguments and then completely ignore them, and the no-arg case isn't a
problem for overriding.
Differential Revision: https://phabricator.services.mozilla.com/D62977
--HG--
extra : moz-landing-system : lando
This change adds new "remote backbuffer" logic when compositing without
HW acceleration on Windows (i.e. compositing through Cairo using the Win32
GDI).
A new piece of shared memory is created between the GPU process and the UI
process, and the GPU process sends requests to the UI process to first "borrow"
a properly-sized buffer to draw into, and then sends a "present" request to
tell the UI process to actually blit the buffer to the Win32 window.
This is needed for the GPU sandbox to work, since Windows rightly doesn't
allow the untrusted GPU process to directly draw the contents of a window
owned by the trusted UI process.
Differential Revision: https://phabricator.services.mozilla.com/D61370
--HG--
extra : moz-landing-system : lando
Replace all implicit copies by moves, or explicit clone operations.
Fixed a bug in /home/simon/work/ipdl/ipc/ipdl/ipdl/lower.py _cxxConstRefType,
which caused the const accessor to miss const on its return type for a moveonly
struct member.
Removed unused using directives for SerializedStructuredCloneBuffer in ipdl files.
Differential Revision: https://phabricator.services.mozilla.com/D59742
--HG--
extra : moz-landing-system : lando
Splits WebGLContext into ClientWebGLContext and HostWebGLContext. The Client enables the JS-control of a WebGL context in a content process while the Host executes the WebGL graphics operations (via a WebGLContext that maintains much of the existing code) in the compositor process. At this point, the cross-process behavior is disabled -- this series of patches is an incremental step toward that final goal.
Differential Revision: https://phabricator.services.mozilla.com/D54018
--HG--
extra : moz-landing-system : lando
The inclusions were removed with the following very crude script and the
resulting breakage was fixed up by hand. The manual fixups did either
revert the changes done by the script, replace a generic header with a more
specific one or replace a header with a forward declaration.
  find . -name "*.idl" | grep -v web-platform | grep -v third_party | while read path; do
    interfaces=$(grep "^\(class\|interface\).*:.*" "$path" | cut -d' ' -f2)
    if [ -n "$interfaces" ]; then
      if [[ "$interfaces" == *$'\n'* ]]; then
        regexp="\("
        for i in $interfaces; do regexp="$regexp$i\|"; done
        regexp="${regexp%%\\\|}\)"
      else
        regexp="$interfaces"
      fi
      interface=$(basename "$path")
      rg -l "#include.*${interface%%.idl}.h" . | while read path2; do
        hits=$(grep -v "#include.*${interface%%.idl}.h" "$path2" | grep -c "$regexp" )
        if [ $hits -eq 0 ]; then
          echo "Removing ${interface} from ${path2}"
          grep -v "#include.*${interface%%.idl}.h" "$path2" > "$path2".tmp
          mv -f "$path2".tmp "$path2"
        fi
      done
    fi
  done
Differential Revision: https://phabricator.services.mozilla.com/D55443
--HG--
extra : moz-landing-system : lando
Previously, we created TextureD3D11 objects in the content process to back surfaces created for the plugin process. Those objects were then composited by the async ImageBridge. In order to remove Win32 kernel operations from content (including DX/GDI operations), this patch bounces the requests from content to the compositor process. The compositor process maintains 2 textures to be used for all plugin composition -- one for the plugin process and one for display. The plugin process can freely write to its texture and request composition when it is done, which triggers a blit to the display texture. This mirrors pre-existing behavior.
Differential Revision: https://phabricator.services.mozilla.com/D46086
--HG--
extra : moz-landing-system : lando
These operations report whether certain async plugin drawing modes are supported on the host architecture. They use kernel graphics operations to decide this so they need to be removed from the content process for sandboxing. We just bounce the requests to the gpu process (or main process on systems without a GPU process).
Differential Revision: https://phabricator.services.mozilla.com/D46085
--HG--
extra : moz-landing-system : lando
`windowUtils.setCompositionRecording()` now returns a promise that is resolved
when the composition recorder is enabled (if given `true`) or when frames are
written to disk (if given `false`). To accomplish this, the
`WebRenderCompositionRecorder` now returns a `MozPromise` when writing frames
to disk begins that is resolved when that process finishes.
Differential Revision: https://phabricator.services.mozilla.com/D47300
--HG--
extra : moz-landing-system : lando
Inside of nsDocShell::UpdateURLAndHistory, there are 4 sync IPC calls to
nsSHistory plus 1 static call, which contains at least one nsSHEntry::GetParent
sync IPC call. All of these calls can be moved inside of a new method
EvictContentViewersOrReplaceEntry on nsSHEntry, resulting in just 1 sync IPC
call.
Differential Revision: https://phabricator.services.mozilla.com/D32729
--HG--
extra : rebase_source : ad09a9061cd6fe8eb6796b2809ea191aceb3ac73
extra : source : 2cd5cd24763ff320719aedb2142a79822efd6de4
extra : histedit_source : fdc4f80cfd8807e46c2dc02e6ab82f2bd3acc391
Currently, nsDocShell::GetChildSHEntry calls 3 sync IPC calls on nsISHEntry,
and the method GetChildSHEntry only has one caller. By moving GetChildSHEntry
method to parent process for nsISHEntry, resulting in a new method
nsISHEntry::GetChildSHEntry, 3 sync IPC calls can be reduced to 1.
Differential Revision: https://phabricator.services.mozilla.com/D27633
--HG--
extra : rebase_source : 1e76a1b07d827b35bae7ed6acca25aa8732c9ed0
extra : source : 34d91f82faa36dd8d8ed721de365122d831f7b25
extra : histedit_source : 86592bc747d506c546ec660e57087e78b9719cf7
Inside of nsDocShell::OnNewURI there are 4 sync IPC calls
to nsSHistory that can be replaced with 1 sync IPC call
by adding a new method EnsureCorrectEntryAtCurrIndex to nsSHistory.
Differential Revision: https://phabricator.services.mozilla.com/D31539
--HG--
extra : rebase_source : 09d7738b2f2dc2334c8f6186e5918b9d0ea3e618
extra : source : 82a41bffcbbca24ad3e84b045d75e4cb01ae1445
extra : histedit_source : 96eb7d2dbed2ad8fe4cc2d37358ec2358f696442
In nsDocShell::LoadHistoryEntry method, when it gets called
from parent process, there are 13 sync IPC calls on nsISHEntry
that retrieve information from the session history entry and
create a doc shell load state object using the retrieved
information. By adding a new method 'CreateLoadInfo' on nsISHEntry,
inside of which the doc shell load state object will be
created (with appropriate data filled out) and returned,
we eliminate 12 sync IPC calls, resulting in just 1 IPC call
to nsISHEntry::CreateLoadInfo.
Differential Revision: https://phabricator.services.mozilla.com/D26042
--HG--
extra : rebase_source : a4e1fa52932fd5caabb59bd133e9fbee7f4d0e4a
extra : amend_source : f4d9f01afac0337808ba347eb997ce83e6ae1488
extra : source : 6ad53b35c7b4be933a3db1e1d45fa3da8a57abad
extra : histedit_source : c08d0cebcc11a3a4f64d01566cb62d9a334a12ec
Currently, nsDocShell repeatedly calls nsISHEntry::GetChildAt and
nsISHEntry::RemoveChild in nsDocShell::AddToSessionHistory,
which results in twice as many IPC calls as the number of children
a session history entry has. Additionally, there is one extra
IPC sync call to nsISHEntry::AbandonBFCacheEntry after the loop.
With the proposed solution, there will only be 1 sync IPC call.
Differential Revision: https://phabricator.services.mozilla.com/D24978
--HG--
extra : rebase_source : ab98af417bcb28fdfcb1a115473b505fa8a70aa1
extra : source : 0270d6b952ffa1704690c777c55fcaed30125b38
extra : histedit_source : 9a031cb921ad8efa1bd96f7342e08337f3c0ca8a
Currently, nsDocShell repeatedly calls nsISHEntry::GetChildAt, which
results in as many IPC sync calls as the number of children
a session history entry has. Calling nsISHEntry::GetChildCount and
ChildSHistory::Index incurs 2 additional sync IPC calls.
With the proposed solution, there will only be 1 sync IPC call.
Differential Revision: https://phabricator.services.mozilla.com/D24980
--HG--
extra : rebase_source : ffaaff5c9521fb4d3a53a85f4570bcb99f7317d1
extra : source : 3f4a092d8f6544a212ee8a80d9275ae68c6446d1
extra : histedit_source : b4166d997119092ba5657f9ca4216da62dc82d97
This takes the approach of directly tying the `AddRef()` and `Release()` calls
on the underlying actor object to the lifecycle of the ActorLifecycleProxy
object, by adding another virtual `ActorAlloc()` method as the counterpart to
`ActorDealloc()`.
The changes to the methods called from C++ are relatively minimal:
1. The `SendPFooConstructor(...)` methods have the same signature, but now will
AddRef() internally (through `ActorAlloc()`), so a `do_AddRef(foo).take()`
isn't needed. Same with the `{Bind,Open}PFooEndpoint` methods.
This was done to reduce the number of invasive internal changes in the
codegen which were required to pipe a passed-in `already_AddRefed` to the
underlying `ActorLifecycleProxy` which is created by generic code.
2. The `AllocPFoo{Parent,Child}` methods have been modified to return an
`already_AddRefed` by default, and the callsites will store the result in a
`RefPtr<T>` if the type is refcounted.
3. No `DeallocPFoo...` method is called anymore. Unfortunately due to
devirtualization, it won't be an error if an unused method is still present,
though it won't be called.
Differential Revision: https://phabricator.services.mozilla.com/D39502
--HG--
extra : moz-landing-system : lando
The syntax for the new construct looks like the following, and re-uses the
refcounted keyword from refcounted using statements:
async refcounted protocol PFoo { ... }
Differential Revision: https://phabricator.services.mozilla.com/D39501
--HG--
extra : moz-landing-system : lando
The previous behaviour of failing unconditionally was performed as, during
shutdown, the channel could become unable to send without worker threads having
a chance to react. This change keeps that behaviour, isolating async message
senders from impending IPC shutdown, while performing expected actor teardown if
the manager actor has already been destroyed, and should no longer send messages.
An alternate behaviour here could be to crash if !Manager()->CanSend(). That
behaviour may be preferable if a sufficient number of callsites don't check the
return value of the `SendPFooConstructor()` method.
Differential Revision: https://phabricator.services.mozilla.com/D39534
--HG--
extra : moz-landing-system : lando
The vast majority of the virtual methods which were used on ProtocolState were
actually methods which only had meaningful implementations on the toplevel
protocol. This patch adds a new field to IProtocol holding a direct pointer to
the protocol's `IToplevelProtocol`, and the methods formerly implemented with
ProtocolState now directly call the corresponding method on IToplevelProtocol.
IToplevelProtocol then shadows these methods with the toplevel protocol
implementation, meaning that the right code is run in the right places.
In addition, some state was maintained for protocols inside of the separate
ProtocolState allocation, and this patch moves that state back into the actor
itself.
Differential Revision: https://phabricator.services.mozilla.com/D32044
--HG--
extra : moz-landing-system : lando
Make nsIWebBrowserPrint included unconditionally for addressing nsIDocShell.rs build failure.
Remove direct_call of PPrinting and PRemotePrintJob. Their ipdl are built unconditionally, but their derived classes are not built with --disable-printing.
Differential Revision: https://phabricator.services.mozilla.com/D33391
--HG--
extra : moz-landing-system : lando
This allows for the getter to be used in IProtocol's destructor, and generally
brings IProtocol more in line with IToplevelProtocol.
Differential Revision: https://phabricator.services.mozilla.com/D32042
--HG--
extra : moz-landing-system : lando
These values were only being used for assertions within IPDL send
methods. They had no positive impact beyond causing crashes when sending
a message over a dead actor.
Differential Revision: https://phabricator.services.mozilla.com/D30235
--HG--
extra : moz-landing-system : lando
Historically we've failed very loudly when receiving a message which was
destined for an actor which had already been destroyed. This had the
effect of requiring manual teardown for most actors, as work would need
to be done to ensure messages weren't sent when the target actor might
be about to tear itself down.
In addition, due to this teardown work being done outside of IPDL, this
work would have to manually be checked in subactors, and involved the
addition of new flags, such as `mIPCOpen`, in order to track whether IPC
had begun to be shut down, and discard messages manually if it had.
It is an ongoing issue that we occasionally miss places where we need to
discard messages, and it is easy to not remember to perform async
destruction when building a new actor, meaning that extra work is
required to correctly discard messages when the actor is being torn
down. Due to the correct decision, almost all of the time, being to
discard the message, this patch takes the approach of transforming the
crash which was previously performed into a message discard.
The hope is that this will reduce the burden on actor implementors, by
allowing the use of `Send__delete__` without first synchronizing with
the remote actor, as well as reduce unintentional crashes.
Differential Revision: https://phabricator.services.mozilla.com/D28892
--HG--
extra : moz-landing-system : lando
This patch changes the way we handle sync ctor send errors. They are now
ignored and treated like messages which successfully were queued to send, but
got lost due to the other side hanging up.
For more details, see bug 1509362 which originally did it for async ctors.
The main differences here are that we destroy the actor and we return null when
the send fails.
Differential Revision: https://phabricator.services.mozilla.com/D31517
This isn't needed now that BrowserParent has the same name
as the protocol.
Differential Revision: https://phabricator.services.mozilla.com/D30151
--HG--
extra : rebase_source : dbfc1722a43e1f8fbbe01f1766a397b570fa7d6a
extra : source : 792b49f269bb6308e152290ed0dfa03efbffa536
extra : histedit_source : e001669549af547f5387a3b010ad52ebee6eea3f