Add UMA histograms and logging for bad IPC message handling

content/browser/frame_host/render_frame_host_impl.cc

 // Copyright 2013 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "content/browser/frame_host/render_frame_host_impl.h"
 
 #include "base/bind.h"
 #include "base/command_line.h"
 #include "base/containers/hash_tables.h"
 #include "base/lazy_instance.h"
 #include "base/metrics/histogram.h"
-#include "base/metrics/user_metrics_action.h"
 #include "base/process/kill.h"
 #include "base/time/time.h"
 #include "content/browser/accessibility/accessibility_mode_helper.h"
 #include "content/browser/accessibility/browser_accessibility_manager.h"
 #include "content/browser/accessibility/browser_accessibility_state_impl.h"
 #include "content/browser/child_process_security_policy_impl.h"
 #include "content/browser/frame_host/cross_process_frame_connector.h"
 #include "content/browser/frame_host/cross_site_transferring_request.h"
 #include "content/browser/frame_host/frame_accessibility.h"
 #include "content/browser/frame_host/frame_tree.h"
@@ skipping 18 matching lines @@
 #include "content/browser/renderer_host/render_widget_host_view_base.h"
 #include "content/browser/transition_request_manager.h"
 #include "content/common/accessibility_messages.h"
 #include "content/common/frame_messages.h"
 #include "content/common/input_messages.h"
 #include "content/common/inter_process_time_ticks_converter.h"
 #include "content/common/navigation_params.h"
 #include "content/common/render_frame_setup.mojom.h"
 #include "content/common/swapped_out_messages.h"
 #include "content/public/browser/ax_event_notification_details.h"
+#include "content/public/browser/bad_message.h"
 #include "content/public/browser/browser_accessibility_state.h"
 #include "content/public/browser/browser_context.h"
 #include "content/public/browser/browser_plugin_guest_manager.h"
 #include "content/public/browser/browser_thread.h"
 #include "content/public/browser/content_browser_client.h"
 #include "content/public/browser/render_process_host.h"
 #include "content/public/browser/render_widget_host_view.h"
 #include "content/public/browser/stream_handle.h"
 #include "content/public/browser/user_metrics.h"
 #include "content/public/common/content_constants.h"
@@ skipping 744 matching lines @@
   }
 
   RenderProcessHost* process = GetProcess();
 
   // Attempts to commit certain off-limits URL should be caught more strictly
   // than our FilterURL checks below.  If a renderer violates this policy, it
   // should be killed.
   if (!CanCommitURL(validated_params.url)) {
     VLOG(1) << "Blocked URL " << validated_params.url.spec();
     validated_params.url = GURL(url::kAboutBlankURL);
-    RecordAction(base::UserMetricsAction("CanCommitURL_BlockedAndKilled"));
     // Kills the process.
-    process->ReceivedBadMessage();
+    process->ReceivedBadMessage(BadMessage::RFH_CAN_COMMIT_URL_BLOCKED);
   }
 
   // Without this check, an evil renderer can trick the browser into creating
   // a navigation entry for a banned URL.  If the user clicks the back button
   // followed by the forward button (or clicks reload, or round-trips through
   // session restore, etc), we'll think that the browser commanded the
   // renderer to load the URL and grant the renderer the privileges to request
   // the URL.  To prevent this attack, we block the renderer from inserting
   // banned URLs into the navigation controller in the first place.
   process->FilterURL(false, &validated_params.url);
   process->FilterURL(true, &validated_params.referrer.url);
   for (std::vector<GURL>::iterator it(validated_params.redirects.begin());
       it != validated_params.redirects.end(); ++it) {
     process->FilterURL(false, &(*it));
   }
   process->FilterURL(true, &validated_params.searchable_form_url);
 
   // Without this check, the renderer can trick the browser into using
   // filenames it can't access in a future session restore.
   if (!render_view_host_->CanAccessFilesOfPageState(
           validated_params.page_state)) {
-    GetProcess()->ReceivedBadMessage();
+    GetProcess()->ReceivedBadMessage(
+        BadMessage::RFH_CAN_ACCESS_FILES_OF_PAGE_STATE);
     return;
   }
 
   accessibility_reset_count_ = 0;
   frame_tree_node()->navigator()->DidNavigate(this, validated_params);
 }
 
 void RenderFrameHostImpl::OnDidDropNavigation() {
   // At the end of Navigate(), the delegate's DidStartLoading is called to force
   // the spinner to start, even if the renderer didn't yet begin the load. If it
@@ skipping 360 matching lines @@
   FrameTree* frame_tree = frame_tree_node()->frame_tree();
   FrameTreeNode* child =
       frame_tree->FindByRoutingID(GetProcess()->GetID(), frame_routing_id);
   if (!child)
     return;
 
   // Ensure that a frame can only update sandbox flags for its immediate
   // children.  If this is not the case, the renderer is considered malicious
   // and is killed.
   if (child->parent() != frame_tree_node()) {
-    RecordAction(base::UserMetricsAction("BadMessageTerminate_RFH"));
-    GetProcess()->ReceivedBadMessage();
+    GetProcess()->ReceivedBadMessage(BadMessage::RFH_SANDBOX_FLAGS);
     return;
   }
 
   child->set_sandbox_flags(flags);
 
   // Notify the RenderFrame if it lives in a different process from its
   // parent. The frame's proxies in other processes also need to learn about
   // the updated sandbox flags, but these notifications are sent later in
   // RenderFrameHostManager::CommitPendingSandboxFlags(), when the frame
   // navigates and the new sandbox flags take effect.
@@ skipping 36 matching lines @@
 }
 
 void RenderFrameHostImpl::OnDispatchLoad() {
   CHECK(base::CommandLine::ForCurrentProcess()->HasSwitch(
       switches::kSitePerProcess));
   // Only frames with an out-of-process parent frame should be sending this
   // message.
   RenderFrameProxyHost* proxy =
       frame_tree_node()->render_manager()->GetProxyToParent();
   if (!proxy) {
-    GetProcess()->ReceivedBadMessage();
+    GetProcess()->ReceivedBadMessage(BadMessage::RFH_NO_PROXY_TO_PARENT);
     return;
   }
 
   proxy->Send(new FrameMsg_DispatchLoad(proxy->GetRoutingID()));
 }
 
 void RenderFrameHostImpl::OnAccessibilityEvents(
     const std::vector<AccessibilityHostMsg_EventParams>& params,
     int reset_token) {
   // Don't process this IPC if either we're waiting on a reset and this
@@ skipping 670 matching lines @@
 void RenderFrameHostImpl::DidUseGeolocationPermission() {
   RenderFrameHost* top_frame = frame_tree_node()->frame_tree()->GetMainFrame();
   GetContentClient()->browser()->RegisterPermissionUsage(
       PERMISSION_GEOLOCATION,
       delegate_->GetAsWebContents(),
       GetLastCommittedURL().GetOrigin(),
       top_frame->GetLastCommittedURL().GetOrigin());
 }
 
 }  // namespace content