IPC fuzzer child process component

chrome/ipc_fuzzer/ipc_fuzzer_main.cc

Index: chrome/ipc_fuzzer/ipc_fuzzer_main.cc
diff --git a/chrome/ipc_fuzzer/ipc_fuzzer_main.cc b/chrome/ipc_fuzzer/ipc_fuzzer_main.cc
new file mode 100644
index 0000000000000000000000000000000000000000..72ef6655d9594827e07a10798455d202e7ca1642
--- /dev/null
+++ b/chrome/ipc_fuzzer/ipc_fuzzer_main.cc
@@ -0,0 +1,166 @@
+// Copyright 2013 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#include <limits.h>
+#include <stdio.h>
+#include <vector>
+
+#include "base/bind.h"
+#include "base/command_line.h"
+#include "base/files/memory_mapped_file.h"
+#include "base/logging.h"
+#include "base/memory/scoped_ptr.h"
+#include "base/message_loop.h"
+#include "base/synchronization/waitable_event.h"
+#include "base/threading/thread.h"
+#include "base/timer/timer.h"
+#include "chrome/common/ipc_fuzzer_messages.h"
+#include "content/public/common/main_function_params.h"
+#include "ipc/ipc_channel_proxy.h"
+#include "ipc/ipc_listener.h"
+#include "ipc/ipc_message.h"
+#include "ipc/ipc_platform_file.h"
+#include "ipc/ipc_switches.h"
+
+class IpcTestcaseRunner : public IPC::Listener {

[jochen (gone - plz use gerrit), 2013/07/16 09:07:58]

this entire class can go into an anonymous namespace, no?

[aedla, 2013/07/16 20:42:47]

Done.

+ public:
+  IpcTestcaseRunner();

[jochen (gone - plz use gerrit), 2013/07/16 09:07:58]

should have a virtual destructor

[aedla, 2013/07/16 20:42:47]

Done.

+  void OpenChannel();
+
+  virtual bool OnMessageReceived(const IPC::Message& message) OVERRIDE;
+  virtual void OnChannelError() OVERRIDE;
+
+ private:
+  void ExtractMessages(const char *data, size_t len);
+  void OnRunTestcase(IPC::PlatformFileForTransit);
+  void StartSendingMessages();
+  IPC::Message* GetNextMessage();
+  void SendNextMessage();
+
+  scoped_ptr<IPC::ChannelProxy> channel_;
+  base::MessageLoop main_loop_;
+  base::Thread io_thread_;
+  base::WaitableEvent shutdown_event_;
+  scoped_ptr<base::Timer> timer_;
+  scoped_ptr<base::MemoryMappedFile> testcase_map_;
+  std::vector<scoped_ptr<IPC::Message>> messages_;
+  size_t current_message_;
+};

[jochen (gone - plz use gerrit), 2013/07/16 09:07:58]

DISALLOW_COPY_AND_ASSIGN

[aedla, 2013/07/16 20:42:47]

Done.

+
+IpcTestcaseRunner::IpcTestcaseRunner()
+    : main_loop_(base::MessageLoop::TYPE_DEFAULT),
+      io_thread_("Chrome_ChildIOThread"),
+      shutdown_event_(true, false),
+      current_message_(0) {
+}
+
+void IpcTestcaseRunner::OpenChannel() {
+  io_thread_.StartWithOptions(
+      base::Thread::Options(base::MessageLoop::TYPE_IO, 0));
+
+  std::string channel_name =
+      CommandLine::ForCurrentProcess()->GetSwitchValueASCII(
+          switches::kProcessChannelID);
+
+  channel_.reset(
+      new IPC::ChannelProxy(channel_name,
+                            IPC::Channel::MODE_CLIENT,
+                            this,
+                            io_thread_.message_loop_proxy()));
+}
+
+void IpcTestcaseRunner::ExtractMessages(const char *data, size_t len) {
+  const char* end = data + len;
+
+  while (data < end) {
+    const char* message_tail = IPC::Message::FindNext(data, end);
+    if (!message_tail)
+      break;
+
+    size_t len = message_tail - data;
+    if (len > INT_MAX)

[jochen (gone - plz use gerrit), 2013/07/16 09:07:58]

how can this happen?

[aedla, 2013/07/16 20:42:47]

By having a >= 2GB message in the testcase file, I think.

+      break;
+
+    IPC::Message* message = new IPC::Message(data, len);
+    data = message_tail;
+
+    messages_.resize(messages_.size() + 1);
+    messages_.back().reset(message);
+  }
+
+  if (data < end) {
+    unsigned long left = end - data;
+    LOG(ERROR) << left << " bytes left while extracting messages";
+  }
+}
+
+void IpcTestcaseRunner::OnRunTestcase(
+    IPC::PlatformFileForTransit testcase_file) {
+  base::PlatformFile file =
+      IPC::PlatformFileForTransitToPlatformFile(testcase_file);
+
+  testcase_map_.reset(new base::MemoryMappedFile());
+  if (!testcase_map_->Initialize(file)) {
+    LOG(ERROR) << "Failed to map IPC fuzzer testcase";
+    return;
+  }
+
+  const char* data = reinterpret_cast<const char *>(testcase_map_->data());
+  size_t len = testcase_map_->length();
+
+  ExtractMessages(data, len);
+  StartSendingMessages();
+}
+
+IPC::Message* IpcTestcaseRunner::GetNextMessage() {
+  if (current_message_ == messages_.size())
+    return NULL;
+
+  printf("Sending message %lu/%lu\n", current_message_, messages_.size());

[jochen (gone - plz use gerrit), 2013/07/16 09:07:58]

Why not LOG(INFO) ?

[aedla, 2013/07/16 20:42:47]

Done.

+
+  IPC::Message* const_message = messages_[current_message_].get();
+  IPC::Message* message = new IPC::Message(*const_message);
+  current_message_++;

[jochen (gone - plz use gerrit), 2013/07/16 09:07:58]

++current_message_;

[aedla, 2013/07/16 20:42:47]

Done.

+
+  return message;
+}
+
+void IpcTestcaseRunner::SendNextMessage() {
+  IPC::Message* message = GetNextMessage();
+  if (!message) {
+    base::MessageLoop::current()->Quit();
+    return;
+  }
+
+  channel_->Send(message);
+}
+
+void IpcTestcaseRunner::StartSendingMessages() {
+  timer_.reset(new base::Timer(false, true));
+  timer_->Start(FROM_HERE,
+               base::TimeDelta::FromMilliseconds(1),
+               base::Bind(&IpcTestcaseRunner::SendNextMessage,
+                          base::Unretained(this)));
+}
+
+bool IpcTestcaseRunner::OnMessageReceived(const IPC::Message& msg) {
+  IPC_BEGIN_MESSAGE_MAP(IpcTestcaseRunner, msg)
+      IPC_MESSAGE_HANDLER(IpcFuzzerMsg_RunTestcase, OnRunTestcase)
+  IPC_END_MESSAGE_MAP()
+
+  return true;
+}
+
+void IpcTestcaseRunner::OnChannelError() {
+  LOG(INFO) << "Channel error, quitting";
+  base::MessageLoop::current()->Quit();
+}
+
+int IpcFuzzerMain(const content::MainFunctionParams& parameters) {
+  IpcTestcaseRunner runner;
+  runner.OpenChannel();
+
+  base::MessageLoop::current()->Run();
+  return 0;
+}