Refactor params of NaClProcessMsg_Start.

components/nacl/browser/nacl_process_host.cc

 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "components/nacl/browser/nacl_process_host.h"
 
 #include <algorithm>
 #include <string>
 #include <vector>
 
 #include "base/base_switches.h"
 #include "base/bind.h"
 #include "base/command_line.h"
 #include "base/files/file_util.h"
+#include "base/macros.h"
 #include "base/message_loop/message_loop.h"
 #include "base/metrics/histogram.h"
 #include "base/path_service.h"
 #include "base/process/launch.h"
 #include "base/process/process_iterator.h"
 #include "base/rand_util.h"
 #include "base/strings/string_number_conversions.h"
 #include "base/strings/string_split.h"
 #include "base/strings/string_util.h"
 #include "base/strings/stringprintf.h"
@@ skipping 162 matching lines @@
 
 void SetCloseOnExec(NaClHandle fd) {
 #if defined(OS_POSIX)
   int flags = fcntl(fd, F_GETFD);
   CHECK_NE(flags, -1);
   int rc = fcntl(fd, F_SETFD, flags | FD_CLOEXEC);
   CHECK_EQ(rc, 0);
 #endif
 }
 
-bool ShareHandleToSelLdr(
-    base::ProcessHandle processh,
-    NaClHandle sourceh,
-    bool close_source,
-    std::vector<nacl::FileDescriptor> *handles_for_sel_ldr) {
-#if defined(OS_WIN)
-  HANDLE channel;
-  int flags = DUPLICATE_SAME_ACCESS;
-  if (close_source)
-    flags |= DUPLICATE_CLOSE_SOURCE;
-  if (!DuplicateHandle(GetCurrentProcess(),
-                       reinterpret_cast<HANDLE>(sourceh),
-                       processh,
-                       &channel,
-                       0,  // Unused given DUPLICATE_SAME_ACCESS.
-                       FALSE,
-                       flags)) {
-    LOG(ERROR) << "DuplicateHandle() failed";
-    return false;
+// The maximum number of resource file handles NaClProcessMsg_Start message
+// can have. Currently IPC::MessageAttachmentSet::kMaxDescriptorsPerMessage
+// is 128 and NaCl sends 5 handles for other purposes, hence 123.
+const size_t kMaxPreOpenResourceFiles = 123;
+
+#if defined(OS_POSIX)
+static_assert(kMaxPreOpenResourceFiles ==
+              IPC::MessageAttachmentSet::kMaxDescriptorsPerMessage - 5,
+              "kMaxPreOpenResourceFiles is not up to date");
+#endif
+
+void BatchOpenResourceFiles(
+    const std::vector<NaClResourcePrefetchInfo>& resource_prefetch_info_list,
+    const base::FilePath& profile_directory,
+    base::ProcessHandle target_process,
+    std::vector<NaClResourceFileInfo>* prefetched_resource_files) {
+  // If output buffer is null, which means there is no resource info to be
+  // opened, do nothing.
+  if (!prefetched_resource_files) {
+    DCHECK(resource_prefetch_info_list.empty());
+    return;
   }
-  handles_for_sel_ldr->push_back(
-      reinterpret_cast<nacl::FileDescriptor>(channel));
-#else
-  nacl::FileDescriptor channel;
-  channel.fd = sourceh;
-  channel.auto_close = close_source;
-  handles_for_sel_ldr->push_back(channel);
-#endif
-  return true;
+
+  NaClBrowserDelegate* browser_delegate = NaClBrowser::GetDelegate();
+  for (size_t i = 0;
+       i < resource_prefetch_info_list.size() &&
+           prefetched_resource_files->size() < kMaxPreOpenResourceFiles;
+       ++i) {
+    base::FilePath filepath;
+    if (!browser_delegate->MapUrlToLocalFilePath(
+            GURL(resource_prefetch_info_list[i].resource_url),
+            true,  // use blocking api.
+            profile_directory,
+            &filepath)) {
+      continue;
+    }
+
+    base::File file = nacl::OpenNaClReadExecImpl(
+        filepath, true /* executable */);
+    if (!file.IsValid())
+      continue;
+
+    // Note: this runs only in Non-SFI mode. So, do not pass the file path;
+    // there's no validation caching in that case, so it's unnecessary, moreover
+    // it would expose the file path to the plugin.
+    prefetched_resource_files->push_back(NaClResourceFileInfo(
+        IPC::TakeFileHandleForProcess(file.Pass(), target_process),
+        base::FilePath(),
+        resource_prefetch_info_list[i].manifest_key));
+  }
 }
 
-void CloseFile(base::File file) {
-  // The base::File destructor will close the file for us.
+base::File ReopenNexeFile(
+    base::File nexe_file, base::FilePath* nexe_file_path) {
+  // If no path is specified, use the original |nexe_file|.
+  if (!nexe_file_path || nexe_file_path->empty())
+    return nexe_file.Pass();
+
+  // Reopen the nexe file.
+  base::File reopened_file = nacl::OpenNaClReadExecImpl(
+      *nexe_file_path, true /* executable */);
+  if (!reopened_file.IsValid()) {
+    // On fail, clear the path, which will eventually passed to the loader.
+    nexe_file_path->clear();
+    return nexe_file.Pass();
+  }
+
+  // Note that, the original |nexe_file| will be closed automatically.
+  return reopened_file.Pass();
+}
+
+// StartNaClExecution needs file operations. This function takes it, and should
+// run on blocking pool.
+base::File ResolveNaClFile(
+    base::FilePath* nexe_file_path,
+    base::File nexe_file,
+    const std::vector<NaClResourcePrefetchInfo>& resource_prefetch_info_list,
+    const base::FilePath& profile_directory,
+    base::ProcessHandle target_process,
+    std::vector<NaClResourceFileInfo>* prefetched_resource_files) {
+  BatchOpenResourceFiles(resource_prefetch_info_list,
+                         profile_directory,
+                         target_process,
+                         prefetched_resource_files);
+  return ReopenNexeFile(nexe_file.Pass(), nexe_file_path);
 }
 
 }  // namespace
 
 unsigned NaClProcessHost::keepalive_throttle_interval_milliseconds_ =
     ppapi::kKeepaliveThrottleIntervalDefaultMilliseconds;
 
 NaClProcessHost::NaClProcessHost(
     const GURL& manifest_url,
     base::File nexe_file,
     const NaClFileToken& nexe_token,
-    const std::vector<
-      nacl::NaClResourceFileInfo>& prefetched_resource_files_info,
+    const std::vector<NaClResourcePrefetchInfo>& resource_prefetch_info_list,
     ppapi::PpapiPermissions permissions,
     int render_view_id,
     uint32 permission_bits,
     bool uses_nonsfi_mode,
     bool off_the_record,
     NaClAppProcessType process_type,
     const base::FilePath& profile_directory)
     : manifest_url_(manifest_url),
       nexe_file_(nexe_file.Pass()),
       nexe_token_(nexe_token),
-      prefetched_resource_files_info_(prefetched_resource_files_info),
+      resource_prefetch_info_list_(resource_prefetch_info_list),
       permissions_(permissions),
 #if defined(OS_WIN)
       process_launched_by_broker_(false),
 #endif
       reply_msg_(NULL),
 #if defined(OS_WIN)
       debug_exception_handler_requested_(false),
 #endif
       uses_nonsfi_mode_(uses_nonsfi_mode),
       enable_debug_stub_(false),
@@ skipping 12 matching lines @@
   // for this use case.
   process_->SetName(net::FormatUrl(manifest_url_, std::string()));
 
   enable_debug_stub_ = base::CommandLine::ForCurrentProcess()->HasSwitch(
       switches::kEnableNaClDebug);
   DCHECK(process_type_ != kUnknownNaClProcessType);
   enable_crash_throttling_ = process_type_ != kNativeNaClProcessType;
 }
 
 NaClProcessHost::~NaClProcessHost() {
+  // Release the file received from the renderer. This has to be done on a
+  // thread where IO is permitted, though.
+  content::BrowserThread::GetBlockingPool()->PostTask(
+      FROM_HERE,
+      base::Bind(&ignore_result<base::File>, base::Passed(nexe_file_.Pass())));
+
   // Report exit status only if the process was successfully started.
   if (process_->GetData().handle != base::kNullProcessHandle) {
     int exit_code = 0;
     process_->GetTerminationStatus(false /* known_dead */, &exit_code);
     std::string message =
         base::StringPrintf("NaCl process exited with status %i (0x%x)",
                            exit_code, exit_code);
     if (exit_code == 0) {
       VLOG(1) << message;
     } else {
       LOG(ERROR) << message;
     }
     NaClBrowser::GetInstance()->OnProcessEnd(process_->GetData().id);
   }
 
-  for (size_t i = 0; i < prefetched_resource_files_info_.size(); ++i) {
-    // The process failed to launch for some reason. Close resource file
-    // handles.
-    base::File file(IPC::PlatformFileForTransitToFile(
-        prefetched_resource_files_info_[i].file));
-    content::BrowserThread::GetBlockingPool()->PostTask(
-        FROM_HERE,
-        base::Bind(&CloseFile, base::Passed(file.Pass())));
-  }
-
   if (reply_msg_) {
     // The process failed to launch for some reason.
     // Don't keep the renderer hanging.
     reply_msg_->set_reply_error();
     nacl_host_message_filter_->Send(reply_msg_);
   }
 #if defined(OS_WIN)
   if (process_launched_by_broker_) {
     NaClBrokerService::GetInstance()->OnLoaderDied();
   }
@@ skipping 496 matching lines @@
 bool NaClProcessHost::StartNaClExecution() {
   NaClBrowser* nacl_browser = NaClBrowser::GetInstance();
 
   NaClStartParams params;
 
   // Enable PPAPI proxy channel creation only for renderer processes.
   params.enable_ipc_proxy = enable_ppapi_proxy();
   params.process_type = process_type_;
   bool enable_nacl_debug = enable_debug_stub_ &&
       NaClBrowser::GetDelegate()->URLMatchesDebugPatterns(manifest_url_);
+
+#if defined(OS_MACOSX)
+  base::ScopedFD memory_fd;
+#endif  // defined(OS_MACOSX)
+#if defined(OS_POSIX)
+  base::ScopedFD debug_stub_server_bound_socket;
+#endif  // defined(OS_POSIX)
+
   if (uses_nonsfi_mode_) {
     // Currently, non-SFI mode is supported only on Linux.
 #if defined(OS_LINUX)
     // In non-SFI mode, we do not use SRPC. Make sure that the socketpair is
     // not created.
     DCHECK(!socket_for_sel_ldr_.IsValid());
 #endif
     if (enable_nacl_debug) {
       base::ProcessId pid = base::GetProcId(process_->GetData().handle);
       LOG(WARNING) << "nonsfi nacl plugin running in " << pid;
     }
   } else {
     params.validation_cache_enabled = nacl_browser->ValidationCacheIsEnabled();
     params.validation_cache_key = nacl_browser->GetValidationCacheKey();
     params.version = NaClBrowser::GetDelegate()->GetVersionString();
     params.enable_debug_stub = enable_nacl_debug;
     params.enable_mojo = base::CommandLine::ForCurrentProcess()->HasSwitch(
         switches::kEnableNaClMojo);
 
-    const ChildProcessData& data = process_->GetData();
-    if (!ShareHandleToSelLdr(data.handle,
-                             socket_for_sel_ldr_.TakePlatformFile(),
-                             true,
-                             &params.handles)) {
-      return false;
-    }
-
-    const base::File& irt_file = nacl_browser->IrtFile();
-    CHECK(irt_file.IsValid());
-    // Send over the IRT file handle.  We don't close our own copy!
-    if (!ShareHandleToSelLdr(data.handle, irt_file.GetPlatformFile(), false,
-                             &params.handles)) {
-      return false;
-    }
-
 #if defined(OS_MACOSX)
     // For dynamic loading support, NaCl requires a file descriptor that
     // was created in /tmp, since those created with shm_open() are not
     // mappable with PROT_EXEC.  Rather than requiring an extra IPC
     // round trip out of the sandbox, we create an FD here.
     base::SharedMemory memory_buffer;
     base::SharedMemoryCreateOptions options;
     options.size = 1;
     options.executable = true;
     if (!memory_buffer.Create(options)) {
       DLOG(ERROR) << "Failed to allocate memory buffer";
       return false;
     }
-    FileDescriptor memory_fd;
-    memory_fd.fd = dup(memory_buffer.handle().fd);
-    if (memory_fd.fd < 0) {
+    memory_fd.reset(dup(memory_buffer.handle().fd));
+    if (!memory_fd.is_valid()) {
       DLOG(ERROR) << "Failed to dup() a file descriptor";
       return false;
     }
-    memory_fd.auto_close = true;
-    params.handles.push_back(memory_fd);
 #endif
 
 #if defined(OS_POSIX)
     if (params.enable_debug_stub) {
-      net::SocketDescriptor server_bound_socket = GetDebugStubSocketHandle();
-      if (server_bound_socket != net::kInvalidSocket) {
-        params.debug_stub_server_bound_socket =
-            FileDescriptor(server_bound_socket, true);
-      }
+      debug_stub_server_bound_socket.reset(GetDebugStubSocketHandle());
     }
 #endif
   }
 
-  if (!crash_info_shmem_.ShareToProcess(process_->GetData().handle,
-                                        &params.crash_info_shmem_handle)) {
-    DLOG(ERROR) << "Failed to ShareToProcess() a shared memory buffer";
-    return false;
+  // Transfer resources to |params|.
+  // Hereafter we should never return false, and should always send an IPC
+  // to NaCl plugin process. Otherwise, the resources passed to |params|
+  // may be leaked.
+  {
+    const ChildProcessData& data = process_->GetData();
+    if (!uses_nonsfi_mode_) {
+      params.imc_bootstrap_handle = IPC::TakeFileHandleForProcess(
+          socket_for_sel_ldr_.Pass(), data.handle);
+
+      const base::File& irt_file = nacl_browser->IrtFile();
+      CHECK(irt_file.IsValid());
+      // Send over the IRT file handle.  We don't close our own copy!
+      params.irt_handle = IPC::GetFileHandleForProcess(
+          irt_file.GetPlatformFile(), data.handle, false);
+
+#if defined(OS_MACOSX)
+      params.mac_shm_fd = IPC::GetFileHandleForProcess(
+          memory_fd.release(), data.handle, true);
+#endif
+
+#if defined(OS_POSIX)
+      params.debug_stub_server_bound_socket = IPC::GetFileHandleForProcess(
+          debug_stub_server_bound_socket.release(), data.handle, true);
+#endif
+    }
+
+    if (!crash_info_shmem_.ShareToProcess(data.handle,
+                                          &params.crash_info_shmem_handle)) {
+      DLOG(ERROR) << "Failed to ShareToProcess() a shared memory buffer";
+      // Do not return.
+    }
   }
 
-  base::FilePath file_path;
-  if (uses_nonsfi_mode_) {
+  // We have to reopen the file in the browser process; we don't want a
+  // compromised renderer to pass an arbitrary fd that could get loaded
+  // into the plugin process.
+  scoped_ptr<base::FilePath> nexe_file_path;
+  if (!uses_nonsfi_mode_) {
     // Don't retrieve the file path when using nonsfi mode; there's no
     // validation caching in that case, so it's unnecessary work, and would
     // expose the file path to the plugin.
-
-    // Pass the pre-opened resource files to the loader. For the same reason
-    // as above, use an empty base::FilePath.
-    for (size_t i = 0; i < prefetched_resource_files_info_.size(); ++i) {
-      params.prefetched_resource_files.push_back(
-          NaClResourceFileInfo(prefetched_resource_files_info_[i].file,
-                               base::FilePath(),
-                               prefetched_resource_files_info_[i].file_key));
+    nexe_file_path.reset(new base::FilePath);
+    if (!NaClBrowser::GetInstance()->GetFilePath(
+            nexe_token_.lo, nexe_token_.hi, nexe_file_path.get())) {
+      // Failed. Reset the pointer.
+      nexe_file_path.reset();
     }
-    prefetched_resource_files_info_.clear();
-  } else {
-    if (NaClBrowser::GetInstance()->GetFilePath(nexe_token_.lo,
-                                                nexe_token_.hi,
-                                                &file_path)) {
-      // We have to reopen the file in the browser process; we don't want a
-      // compromised renderer to pass an arbitrary fd that could get loaded
-      // into the plugin process.
-      if (base::PostTaskAndReplyWithResult(
-              content::BrowserThread::GetBlockingPool(),
-              FROM_HERE,
-              base::Bind(OpenNaClReadExecImpl,
-                         file_path,
-                         true /* is_executable */),
-              base::Bind(&NaClProcessHost::StartNaClFileResolved,
-                         weak_factory_.GetWeakPtr(),
-                         params,
-                         file_path))) {
-        return true;
-      }
-    }
-    // TODO(yusukes): Handle |prefetched_resource_files_info_| for SFI-NaCl.
-    DCHECK(prefetched_resource_files_info_.empty());
   }
 
-  params.nexe_file = IPC::TakeFileHandleForProcess(nexe_file_.Pass(),
-                                                   process_->GetData().handle);
-  process_->Send(new NaClProcessMsg_Start(params));
+  // Pass the pre-opened resource files to the loader.
+  scoped_ptr<std::vector<NaClResourceFileInfo> > resource_info_list;
+  if (!resource_prefetch_info_list_.empty()) {
+    // TODO(yusukes): Handle |prefetched_resource_files_info_| for SFI-NaCl.
+    DCHECK(uses_nonsfi_mode_);
+    resource_info_list.reset(new std::vector<NaClResourceFileInfo>);
+  }
+
+  // If file operation is necessary, run it on a blocking pool, where file
+  // operations are allowed.
+  if (nexe_file_path.get() || resource_info_list.get()) {
+    if (base::PostTaskAndReplyWithResult(
+            content::BrowserThread::GetBlockingPool(),
+            FROM_HERE,
+            base::Bind(&ResolveNaClFile,
+                       nexe_file_path.get(),
+                       base::Passed(&nexe_file_),
+                       resource_prefetch_info_list_,
+                       profile_directory_,
+                       process_->GetData().handle,
+                       resource_info_list.get()),
+            base::Bind(&NaClProcessHost::StartNaClExecutionAfterFileResolved,
+                       weak_factory_.GetWeakPtr(),
+                       params,
+                       base::Passed(&nexe_file_path),
+                       base::Passed(&resource_info_list)))) {
+      return true;
+    }
+  }
+
+  StartNaClExecutionAfterFileResolved(
+      params,
+      scoped_ptr<base::FilePath>(),
+      scoped_ptr<std::vector<NaClResourceFileInfo> >(),
+      nexe_file_.Pass());
   return true;
 }
 
-void NaClProcessHost::StartNaClFileResolved(
+void NaClProcessHost::StartNaClExecutionAfterFileResolved(
     NaClStartParams params,
-    const base::FilePath& file_path,
-    base::File checked_nexe_file) {
-  if (checked_nexe_file.IsValid()) {
-    // Release the file received from the renderer. This has to be done on a
-    // thread where IO is permitted, though.
-    content::BrowserThread::GetBlockingPool()->PostTask(
-        FROM_HERE,
-        base::Bind(&CloseFile, base::Passed(nexe_file_.Pass())));
-    params.nexe_file_path_metadata = file_path;
-    params.nexe_file = IPC::TakeFileHandleForProcess(
-        checked_nexe_file.Pass(), process_->GetData().handle);
-  } else {
-    params.nexe_file = IPC::TakeFileHandleForProcess(
-        nexe_file_.Pass(), process_->GetData().handle);
+    scoped_ptr<base::FilePath> nexe_file_path,
+    scoped_ptr<std::vector<NaClResourceFileInfo> > prefetched_resource_files,
+    base::File nexe_file) {
+  // Pass the nexe file and its path to params.
+  params.nexe_file = IPC::TakeFileHandleForProcess(
+      nexe_file.Pass(), process_->GetData().handle);
+  if (nexe_file_path.get()) {
+    params.nexe_file_path_metadata = *nexe_file_path;
   }
+
+  // Pass prefetched resources to params.
+  if (prefetched_resource_files.get()) {
+    prefetched_resource_files->swap(params.prefetched_resource_files);
+  }
+
   process_->Send(new NaClProcessMsg_Start(params));
 }
 
 // This method is called when NaClProcessHostMsg_PpapiChannelCreated is
 // received.
 void NaClProcessHost::OnPpapiChannelsCreated(
     const IPC::ChannelHandle& browser_channel_handle,
     const IPC::ChannelHandle& ppapi_renderer_channel_handle,
     const IPC::ChannelHandle& trusted_renderer_channel_handle,
     const IPC::ChannelHandle& manifest_service_channel_handle) {
@@ skipping 234 matching lines @@
         process.Pass(), info,
         base::MessageLoopProxy::current(),
         base::Bind(&NaClProcessHost::OnDebugExceptionHandlerLaunchedByBroker,
                    weak_factory_.GetWeakPtr()));
     return true;
   }
 }
 #endif
 
 }  // namespace nacl