Renderers should immediately exit on failure to send an IPC to the browser.

Renderers should immediately exit on failure to send an IPC to the browser.

In the fast shutdown path, the browser kills the IPC channel without
informing the renderer. This means that any IPC message might fail. Either
every sender of any IPC message needs to gracefully handle failures, or
else the process needs to exit immediately. Since the renderer is no longer
expected to have any user-visible effects, or make any persistent changes,
exit immediately.

BUG=615121

[erikchen, 2016-06-02 18:24:14]

The CQ bit was checked by erikchen@chromium.org to run a CQ dry run

[commit-bot: I haz the power, 2016-06-02 18:25:23]

Dry run: CQ is trying da patch. Follow status at
 https://chromium-cq-status.appspot.com/patch-status/2038633002/1
View timeline at
 https://chromium-cq-status.appspot.com/patch-timeline/2038633002/1

[erikchen, 2016-06-02 18:26:17]

erikchen@chromium.org changed reviewers:
+ avi@chromium.org, jam@chromium.org

[erikchen, 2016-06-02 18:26:18]

avi, jam: Please review.

This is the more generic version of
https://bugs.chromium.org/p/chromium/issues/detail?id=615121#c47, which was
added to fix a specific crash. We could theoretically broaden this by moving the
logic to ChildThreadImpl::Send instead.

[Avi (use Gerrit), 2016-06-02 18:40:02]

I'm actually kinda surprised we don't already do this.

LGTM from me; John's out this week but should be back on Monday. Let's see what
he thinks.

[commit-bot: I haz the power, 2016-06-02 19:52:56]

The CQ bit was unchecked by commit-bot@chromium.org

[commit-bot: I haz the power, 2016-06-02 19:52:57]

Dry run: Try jobs failed on following builders:
  mac_chromium_gn_rel on tryserver.chromium.mac (JOB_FAILED,
http://build.chromium.org/p/tryserver.chromium.mac/builders/mac_chromium_gn_r...)
  win_chromium_x64_rel_ng on tryserver.chromium.win (JOB_FAILED,
http://build.chromium.org/p/tryserver.chromium.win/builders/win_chromium_x64_...)

[jam, 2016-06-06 20:25:52]

trying to understand this better:

So this only matters for sync IPCs, as async always return true from Send. The
other change (https://codereview.chromium.org/2028833003/) is happening because
the IPC sending is happening on different threads than the main/IO, so there is
a race condition between when the IO thread notices that the channel
disconnected and the main thread quitting (in ChildThreadImpl::OnChannelError()
). During that race, the other threads requesting memory will see the failed
sync send.

This change addresses the race condition on the main thread, in between the main
thread (on Windows; on POSIX the suicide listener sees it on IO thread) noticing
the connection error and doing a quit on idle on the message loop?

https://codereview.chromium.org/2038633002/diff/1/content/renderer/render_thr...
File content/renderer/render_thread_impl.cc (right):

https://codereview.chromium.org/2038633002/diff/1/content/renderer/render_thr...
content/renderer/render_thread_impl.cc:984: exit(EXIT_SUCCESS);
seems like this should match exit(0) in SuicideOnChannelErrorFilter . I realize
both are 0, but we should be consistent in both of them.

Why isn't this in ChildThreadImpl::Send so that it's done for all child
processes instead of just renderers?

With this change,
https://codereview.chromium.org/2028833003/diff/60001/content/child/child_sha...
should that move to thread_safe_sender.cc's Send method instead?