IPC fuzzer child process component

tools/ipc_fuzzer/ipc_fuzzer_main.cc

Index: tools/ipc_fuzzer/ipc_fuzzer_main.cc
diff --git a/tools/ipc_fuzzer/ipc_fuzzer_main.cc b/tools/ipc_fuzzer/ipc_fuzzer_main.cc
new file mode 100644
index 0000000000000000000000000000000000000000..6911e857c0ad7637848208160ffeba0e846c4bf7
--- /dev/null
+++ b/tools/ipc_fuzzer/ipc_fuzzer_main.cc
@@ -0,0 +1,204 @@
+// Copyright 2013 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#include <limits.h>
+#include <stdio.h>
+#include <vector>
+
+#include "base/bind.h"
+#include "base/command_line.h"
+#include "base/files/memory_mapped_file.h"
+#include "base/logging.h"
+#include "base/memory/scoped_ptr.h"
+#include "base/message_loop/message_loop.h"
+#include "base/posix/global_descriptors.h"
+#include "base/synchronization/waitable_event.h"
+#include "base/threading/thread.h"
+#include "base/timer/timer.h"
+#include "chrome/common/chrome_switches.h"
+#include "ipc/ipc_channel_proxy.h"
+#include "ipc/ipc_descriptors.h"
+#include "ipc/ipc_listener.h"
+#include "ipc/ipc_message.h"
+#include "ipc/ipc_platform_file.h"
+#include "ipc/ipc_switches.h"
+
+namespace {
+
+class IpcFuzzerProcess : public IPC::Listener {
+ public:
+  IpcFuzzerProcess();
+  virtual ~IpcFuzzerProcess();
+  void Initialize(int argc, const char **argv);

[jochen (gone - plz use gerrit), 2013/10/31 10:47:00]

please add comments explaining what the methods do

[aedla, 2013/11/26 17:09:50]

Done.

+  void OpenChannel();
+  bool OpenTestcase();
+  void StartSendingMessages();
+
+  virtual bool OnMessageReceived(const IPC::Message& message) OVERRIDE;

[jochen (gone - plz use gerrit), 2013/10/31 10:47:00]

nit. add // IPC::Listener implementation. comment before this line

[aedla, 2013/11/26 17:09:50]

Done.

+  virtual void OnChannelError() OVERRIDE;
+
+ private:
+  bool ExtractMessages(const char *data, size_t len);
+  IPC::Message* GetNextMessage();
+  void SendNextMessage();
+
+  scoped_ptr<IPC::ChannelProxy> channel_;
+  base::MessageLoop main_loop_;
+  base::Thread io_thread_;

[jochen (gone - plz use gerrit), 2013/10/31 10:47:00]

during shutdown, the io thread will die before that channel..

[aedla, 2013/11/26 17:09:50]

Nice catch. I added channel_.reset() to the destructor.

+  base::WaitableEvent shutdown_event_;
+  scoped_ptr<base::Timer> timer_;
+  scoped_ptr<base::MemoryMappedFile> testcase_map_;
+  std::vector<scoped_ptr<IPC::Message>> messages_;
+  size_t current_message_;
+
+  DISALLOW_COPY_AND_ASSIGN(IpcFuzzerProcess);
+};
+
+IpcFuzzerProcess::IpcFuzzerProcess()
+    : main_loop_(base::MessageLoop::TYPE_DEFAULT),
+      io_thread_("Chrome_ChildIOThread"),
+      shutdown_event_(true, false),
+      current_message_(0) {
+}
+
+IpcFuzzerProcess::~IpcFuzzerProcess() {
+}
+
+void IpcFuzzerProcess::Initialize(int argc, const char **argv) {
+  CommandLine::Init(argc, argv);
+
+  // Log to default destination.
+  logging::SetMinLogLevel(logging::LOG_ERROR);
+  logging::InitLogging(logging::LoggingSettings());
+
+  io_thread_.StartWithOptions(
+      base::Thread::Options(base::MessageLoop::TYPE_IO, 0));
+
+#if defined(OS_POSIX)
+  base::GlobalDescriptors* g_fds = base::GlobalDescriptors::GetInstance();
+  g_fds->Set(kPrimaryIPCChannel,
+             kPrimaryIPCChannel + base::GlobalDescriptors::kBaseDescriptor);
+#endif
+}
+
+void IpcFuzzerProcess::OpenChannel() {
+  std::string channel_name =
+      CommandLine::ForCurrentProcess()->GetSwitchValueASCII(
+          switches::kProcessChannelID);
+
+  channel_.reset(
+      new IPC::ChannelProxy(channel_name,
+                            IPC::Channel::MODE_CLIENT,
+                            this,
+                            io_thread_.message_loop_proxy()));
+}
+
+bool IpcFuzzerProcess::ExtractMessages(const char *data, size_t len) {
+  const char* end = data + len;
+
+  while (data < end) {
+    const char* message_tail = IPC::Message::FindNext(data, end);
+    if (!message_tail)
+      break;
+
+    size_t len = message_tail - data;
+    if (len > INT_MAX)
+      break;
+
+    IPC::Message* message = new IPC::Message(data, len);
+    data = message_tail;
+
+    messages_.resize(messages_.size() + 1);
+    messages_.back().reset(message);
+  }
+
+  if (data < end) {
+    unsigned long left = end - data;
+    LOG(ERROR) << left << " bytes left while extracting messages";
+    return false;
+  }
+
+  return true;
+}
+
+bool IpcFuzzerProcess::OpenTestcase() {
+  const CommandLine& command_line = *CommandLine::ForCurrentProcess();
+
+  if (!command_line.HasSwitch(switches::kIpcFuzzerTestcase)) {
+    LOG(ERROR) << "No IPC fuzzer testcase specified";
+    return false;
+  }
+
+  base::FilePath path =
+      command_line.GetSwitchValuePath(switches::kIpcFuzzerTestcase);
+  testcase_map_.reset(new base::MemoryMappedFile());
+  if (!testcase_map_->Initialize(path)) {
+    LOG(ERROR) << "Failed to map testcase: " << path.value();
+    return false;
+  }
+
+  const char* data = reinterpret_cast<const char *>(testcase_map_->data());
+  size_t len = testcase_map_->length();
+
+  return ExtractMessages(data, len);
+}
+
+IPC::Message* IpcFuzzerProcess::GetNextMessage() {
+  if (current_message_ == messages_.size())
+    return NULL;
+
+  LOG(INFO) << "Sending message "
+            << current_message_ << "/"
+            << messages_.size();
+
+  IPC::Message* const_message = messages_[current_message_].get();
+  IPC::Message* message = new IPC::Message(*const_message);
+  static_cast<uint16*>(const_cast<void*>(message->data()))[8] = 0;

[jochen (gone - plz use gerrit), 2013/10/31 10:47:00]

what if data is too small?

[aedla, 2013/11/26 17:09:50]

It will actually be large enough, IPC::Message::FindNext() requires data length
to be >= header length. Header is 10 * uint16 on POSIX, which is the only
supported platform. But yeah, it is difficult to verify and ugly. Also the
header could change. I removed it. It is now up to the testcase generator to
clear the num_fds field.

+  ++current_message_;
+
+  return message;
+}
+
+void IpcFuzzerProcess::SendNextMessage() {
+  IPC::Message* message = GetNextMessage();
+  if (!message) {
+    base::MessageLoop::current()->Quit();
+    return;
+  }
+
+  channel_->Send(message);
+}
+
+void IpcFuzzerProcess::StartSendingMessages() {
+  timer_.reset(new base::Timer(false, true));
+  timer_->Start(FROM_HERE,
+               base::TimeDelta::FromMilliseconds(1),

[jochen (gone - plz use gerrit), 2013/10/31 10:47:00]

nit. indentation

[aedla, 2013/11/26 17:09:50]

Done.

+               base::Bind(&IpcFuzzerProcess::SendNextMessage,
+                          base::Unretained(this)));
+}
+
+bool IpcFuzzerProcess::OnMessageReceived(const IPC::Message& msg) {
+  return true;
+}
+
+void IpcFuzzerProcess::OnChannelError() {
+  LOG(ERROR) << "Channel error, quitting";
+  base::MessageLoop::current()->Quit();
+}
+
+}  // namespace
+
+int main(int argc, const char **argv) {
+  IpcFuzzerProcess fuzzer;
+  fuzzer.Initialize(argc, argv);
+  fuzzer.OpenChannel();
+
+  if (!fuzzer.OpenTestcase())
+    return 0;
+
+  fuzzer.StartSendingMessages();
+
+  base::MessageLoop::current()->Run();
+  return 0;
+}