NaCl: enable meta-based validation for shared libraries.

chrome/browser/nacl_host/nacl_process_host.cc

Index: chrome/browser/nacl_host/nacl_process_host.cc
diff --git a/chrome/browser/nacl_host/nacl_process_host.cc b/chrome/browser/nacl_host/nacl_process_host.cc
index 26a1df5673dc7053c09b04a6747a045e8aaa1c6d..ddcc17492685136d7a960a22f4ff0d80a16a134e 100644
--- a/chrome/browser/nacl_host/nacl_process_host.cc
+++ b/chrome/browser/nacl_host/nacl_process_host.cc
@@ -623,6 +623,8 @@ bool NaClProcessHost::OnMessageReceived(const IPC::Message& msg) {
                         OnQueryKnownToValidate)
     IPC_MESSAGE_HANDLER(NaClProcessMsg_SetKnownToValidate,
                         OnSetKnownToValidate)
+    IPC_MESSAGE_HANDLER_DELAY_REPLY(NaClProcessMsg_ResolveFileToken,
+                                    OnResolveFileToken)
 #if defined(OS_WIN)
     IPC_MESSAGE_HANDLER_DELAY_REPLY(NaClProcessMsg_AttachDebugExceptionHandler,
                                     OnAttachDebugExceptionHandler)
@@ -761,7 +763,6 @@ bool NaClProcessHost::StartNaClExecution() {
   if (params.uses_irt) {
     base::PlatformFile irt_file = nacl_browser->IrtFile();
     CHECK_NE(irt_file, base::kInvalidPlatformFileValue);
-
     // Send over the IRT file handle.  We don't close our own copy!
     if (!ShareHandleToSelLdr(data.handle, irt_file, false, &params.handles))
       return false;
@@ -930,6 +931,69 @@ void NaClProcessHost::OnSetKnownToValidate(const std::string& signature) {
   NaClBrowser::GetInstance()->SetKnownToValidate(signature, off_the_record_);
 }
 
+void NaClProcessHost::FileResolved(
+    base::PlatformFile* file,
+    const base::FilePath& file_path,
+    IPC::Message* reply_msg) {
+  if (*file != base::kInvalidPlatformFileValue) {
+    IPC::PlatformFileForTransit handle = IPC::GetFileHandleForProcess(
+        *file,
+        process_->GetData().handle,
+        true /* close_source */);
+    NaClProcessMsg_ResolveFileToken::WriteReplyParams(
+        reply_msg,
+        handle,
+        file_path);
+  } else {
+    NaClProcessMsg_ResolveFileToken::WriteReplyParams(
+        reply_msg,
+        IPC::InvalidPlatformFileForTransit(),
+        base::FilePath(FILE_PATH_LITERAL("")));
+  }
+  Send(reply_msg);
+}
+
+void NaClProcessHost::OnResolveFileToken(uint64 file_token_lo,
+                                         uint64 file_token_hi,
+                                         IPC::Message* reply_msg) {
+  // Was the file registered?
+  // Note that the file path cache is of bounded size, and old entries can get
+  // evicted.  If a large number of NaCl modules are being launched at once,
+  // resolving the file_token may fail because the path cache was thrashed
+  // while the file_token was in flight.  In this case the query fails, and we
+  // need to fall back to the slower path.
+  base::FilePath file_path;
+  if (!NaClBrowser::GetInstance()->GetFilePath(file_token_lo, file_token_hi,
+                                               &file_path)) {

[jschuh, 2013/05/23 01:02:32]

This seems like unambiguously bad occurrence. At a minimum we should have a
NOTREACHED, but maybe we should actually terminate the child process?

[Nick Bray (chromium), 2013/05/23 16:44:11]

See the above comment.  Bounding the cache size implies that it may be valid for
the query to fail. :/

[bsy_cr, 2013/05/23 17:57:24]

Just because it's valid doesn't mean it's likely.  We should do (upper bound)
estimates of number of tabs -- hundreds? -- that might re-open when the browser
restarts, and the percentage of them that might involve NaCl -- 5%? 10%? -- and
the number of manifest entries -- 64? 128? -- to get an estimate for when the
cache might hit size limits.  Assume worse case behavior (not serial startup),
etc.

Furthermore, since the cache doesn't actually hold file descriptors (limited
global resources) any more and just hold file tokens, that argument for keeping
the cache really small no longer apply.  The only limit is memory, albeit still
a limited resource, but much less limiting.  So, I'd like to see at least a
ballpark analysis/discussion for the proper size for the cache, its cost in
memory usage, versus the likelihood of a valid cache miss.  If the probability
of a valid cache miss is low, then this could be a useful signal.  Even if it is
not super low, a sharp spike in the cache miss rate is a signal that there might
be something "interesting" going on in the wild.

Could we have UMA or other feedback statistics for this?  At least a comment
about the considerations, please.

[Nick Bray (chromium), 2013/05/24 16:54:28]

Done.

+    NaClProcessMsg_ResolveFileToken::WriteReplyParams(
+        reply_msg,
+        IPC::InvalidPlatformFileForTransit(),
+        base::FilePath(FILE_PATH_LITERAL("")));
+    Send(reply_msg);
+    return;
+  }
+
+  // Scratch space to share between the callbacks.
+  base::PlatformFile* data = new base::PlatformFile();
+
+  // Open the file.
+  if (!content::BrowserThread::PostBlockingPoolTaskAndReply(
+      FROM_HERE,
+      base::Bind(nacl::OpenNaClExecutableImpl,
+                 file_path, data),
+      base::Bind(&NaClProcessHost::FileResolved,
+                 weak_factory_.GetWeakPtr(),
+                 base::Owned(data),
+                 file_path,
+                 reply_msg))) {
+     NaClProcessMsg_ResolveFileToken::WriteReplyParams(
+         reply_msg,
+         IPC::InvalidPlatformFileForTransit(),
+         base::FilePath(FILE_PATH_LITERAL("")));
+     Send(reply_msg);
+  }
+}
+
 #if defined(OS_WIN)
 void NaClProcessHost::OnAttachDebugExceptionHandler(const std::string& info,
                                                     IPC::Message* reply_msg) {