chrome/ipc_fuzzer/ipc_fuzzer_main.cc - Issue 18254010: IPC fuzzer child process component

Side by Side Diff: chrome/ipc_fuzzer/ipc_fuzzer_main.cc

Issue 18254010: IPC fuzzer child process component (Closed) Base URL: svn://svn.chromium.org/chrome/trunk/src

Patch Set: remove unnecessary include Created 7 years, 5 months ago

Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.

Jump to:

View unified diff | Download patch | Annotate | Revision Log

OLD	NEW
(Empty)
	1 // Copyright 2013 The Chromium Authors. All rights reserved.

	2 // Use of this source code is governed by a BSD-style license that can be

	3 // found in the LICENSE file.

	4

	5 #include <limits.h>

	6 #include <stdio.h>

	7 #include <vector>

	8

	9 #include "base/bind.h"

	10 #include "base/command_line.h"

	11 #include "base/files/memory_mapped_file.h"

	12 #include "base/logging.h"

	13 #include "base/memory/scoped_ptr.h"

	14 #include "base/message_loop.h"

	15 #include "base/synchronization/waitable_event.h"

	16 #include "base/threading/thread.h"

	17 #include "base/timer/timer.h"

	18 #include "chrome/common/ipc_fuzzer_messages.h"

	19 #include "content/public/common/main_function_params.h"

	20 #include "ipc/ipc_channel_proxy.h"

	21 #include "ipc/ipc_listener.h"

	22 #include "ipc/ipc_message.h"

	23 #include "ipc/ipc_platform_file.h"

	24 #include "ipc/ipc_switches.h"

	25

	26 class IpcTestcaseRunner : public IPC::Listener {
	jochen (gone - plz use gerrit) 2013/07/16 09:07:58 this entire class can go into an anonymous namespa this entire class can go into an anonymous namespace, no? aedla 2013/07/16 20:42:47 Done. Show quoted text On 2013/07/16 09:07:58, jochen wrote: > this entire class can go into an anonymous namespace, no? Done.
	27 public:

	28 IpcTestcaseRunner();
	jochen (gone - plz use gerrit) 2013/07/16 09:07:58 should have a virtual destructor should have a virtual destructor aedla 2013/07/16 20:42:47 Done. Show quoted text On 2013/07/16 09:07:58, jochen wrote: > should have a virtual destructor Done.
	29 void OpenChannel();

	30

	31 virtual bool OnMessageReceived(const IPC::Message& message) OVERRIDE;

	32 virtual void OnChannelError() OVERRIDE;

	33

	34 private:

	35 void ExtractMessages(const char *data, size_t len);

	36 void OnRunTestcase(IPC::PlatformFileForTransit);

	37 void StartSendingMessages();

	38 IPC::Message* GetNextMessage();

	39 void SendNextMessage();

	40

	41 scoped_ptr<IPC::ChannelProxy> channel_;

	42 base::MessageLoop main_loop_;

	43 base::Thread io_thread_;

	44 base::WaitableEvent shutdown_event_;

	45 scoped_ptr<base::Timer> timer_;

	46 scoped_ptr<base::MemoryMappedFile> testcase_map_;

	47 std::vector<scoped_ptr<IPC::Message>> messages_;

	48 size_t current_message_;

	49 };
	jochen (gone - plz use gerrit) 2013/07/16 09:07:58 DISALLOW_COPY_AND_ASSIGN DISALLOW_COPY_AND_ASSIGN aedla 2013/07/16 20:42:47 Done. Show quoted text On 2013/07/16 09:07:58, jochen wrote: > DISALLOW_COPY_AND_ASSIGN Done.
	50

	51 IpcTestcaseRunner::IpcTestcaseRunner()

	52 : main_loop_(base::MessageLoop::TYPE_DEFAULT),

	53 io_thread_("Chrome_ChildIOThread"),

	54 shutdown_event_(true, false),

	55 current_message_(0) {

	56 }

	57

	58 void IpcTestcaseRunner::OpenChannel() {

	59 io_thread_.StartWithOptions(

	60 base::Thread::Options(base::MessageLoop::TYPE_IO, 0));

	61

	62 std::string channel_name =

	63 CommandLine::ForCurrentProcess()->GetSwitchValueASCII(

	64 switches::kProcessChannelID);

	65

	66 channel_.reset(

	67 new IPC::ChannelProxy(channel_name,

	68 IPC::Channel::MODE_CLIENT,

	69 this,

	70 io_thread_.message_loop_proxy()));

	71 }

	72

	73 void IpcTestcaseRunner::ExtractMessages(const char *data, size_t len) {

	74 const char* end = data + len;

	75

	76 while (data < end) {

	77 const char* message_tail = IPC::Message::FindNext(data, end);

	78 if (!message_tail)

	79 break;

	80

	81 size_t len = message_tail - data;

	82 if (len > INT_MAX)
	jochen (gone - plz use gerrit) 2013/07/16 09:07:58 how can this happen? how can this happen? aedla 2013/07/16 20:42:47 By having a >= 2GB message in the testcase file, I Show quoted text On 2013/07/16 09:07:58, jochen wrote: > how can this happen? By having a >= 2GB message in the testcase file, I think.
	83 break;

	84

	85 IPC::Message* message = new IPC::Message(data, len);

	86 data = message_tail;

	87

	88 messages_.resize(messages_.size() + 1);

	89 messages_.back().reset(message);

	90 }

	91

	92 if (data < end) {

	93 unsigned long left = end - data;

	94 LOG(ERROR) << left << " bytes left while extracting messages";

	95 }

	96 }

	97

	98 void IpcTestcaseRunner::OnRunTestcase(

	99 IPC::PlatformFileForTransit testcase_file) {

	100 base::PlatformFile file =

	101 IPC::PlatformFileForTransitToPlatformFile(testcase_file);

	102

	103 testcase_map_.reset(new base::MemoryMappedFile());

	104 if (!testcase_map_->Initialize(file)) {

	105 LOG(ERROR) << "Failed to map IPC fuzzer testcase";

	106 return;

	107 }

	108

	109 const char* data = reinterpret_cast<const char *>(testcase_map_->data());

	110 size_t len = testcase_map_->length();

	111

	112 ExtractMessages(data, len);

	113 StartSendingMessages();

	114 }

	115

	116 IPC::Message* IpcTestcaseRunner::GetNextMessage() {

	117 if (current_message_ == messages_.size())

	118 return NULL;

	119

	120 printf("Sending message %lu/%lu\n", current_message_, messages_.size());
	jochen (gone - plz use gerrit) 2013/07/16 09:07:58 Why not LOG(INFO) ? Why not LOG(INFO) ? aedla 2013/07/16 20:42:47 Done. Show quoted text On 2013/07/16 09:07:58, jochen wrote: > Why not LOG(INFO) ? Done.
	121

	122 IPC::Message* const_message = messages_[current_message_].get();

	123 IPC::Message* message = new IPC::Message(*const_message);

	124 current_message_++;
	jochen (gone - plz use gerrit) 2013/07/16 09:07:58 ++current_message_; ++current_message_; aedla 2013/07/16 20:42:47 Done. Show quoted text On 2013/07/16 09:07:58, jochen wrote: > ++current_message_; Done.
	125

	126 return message;

	127 }

	128

	129 void IpcTestcaseRunner::SendNextMessage() {

	130 IPC::Message* message = GetNextMessage();

	131 if (!message) {

	132 base::MessageLoop::current()->Quit();

	133 return;

	134 }

	135

	136 channel_->Send(message);

	137 }

	138

	139 void IpcTestcaseRunner::StartSendingMessages() {

	140 timer_.reset(new base::Timer(false, true));

	141 timer_->Start(FROM_HERE,

	142 base::TimeDelta::FromMilliseconds(1),

	143 base::Bind(&IpcTestcaseRunner::SendNextMessage,

	144 base::Unretained(this)));

	145 }

	146

	147 bool IpcTestcaseRunner::OnMessageReceived(const IPC::Message& msg) {

	148 IPC_BEGIN_MESSAGE_MAP(IpcTestcaseRunner, msg)

	149 IPC_MESSAGE_HANDLER(IpcFuzzerMsg_RunTestcase, OnRunTestcase)

	150 IPC_END_MESSAGE_MAP()

	151

	152 return true;

	153 }

	154

	155 void IpcTestcaseRunner::OnChannelError() {

	156 LOG(INFO) << "Channel error, quitting";

	157 base::MessageLoop::current()->Quit();

	158 }

	159

	160 int IpcFuzzerMain(const content::MainFunctionParams& parameters) {

	161 IpcTestcaseRunner runner;

	162 runner.OpenChannel();

	163

	164 base::MessageLoop::current()->Run();

	165 return 0;

	166 }

OLD	NEW

« chrome/browser/ipc_fuzzer_host.cc ('K') | « chrome/ipc_fuzzer.gypi ('k') | content/browser/renderer_host/render_process_host_impl.cc » ('j') | no next file with comments »