Kill child processes on bad Mojo messages

content/browser/child_process_launcher.h

 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #ifndef CONTENT_BROWSER_CHILD_PROCESS_LAUNCHER_H_
 #define CONTENT_BROWSER_CHILD_PROCESS_LAUNCHER_H_
 
 #include "base/files/scoped_file.h"
 #include "base/macros.h"
 #include "base/memory/weak_ptr.h"
 #include "base/process/kill.h"
 #include "base/process/launch.h"
 #include "base/process/process.h"
 #include "base/threading/non_thread_safe.h"
 #include "build/build_config.h"
 #include "content/common/content_export.h"
 #include "content/public/browser/browser_thread.h"
 #include "content/public/common/sandboxed_process_launcher_delegate.h"
+#include "mojo/edk/embedder/embedder.h"
 #include "mojo/edk/embedder/scoped_platform_handle.h"
 
 #if defined(OS_WIN)
 #include "sandbox/win/src/sandbox_types.h"
 #endif
 
 namespace base {
 class CommandLine;
 }
 
@@ skipping 33 matching lines @@
 
    protected:
     virtual ~Client() {}
   };
 
   // Launches the process asynchronously, calling the client when the result is
   // ready.  Deleting this object before the process is created is safe, since
   // the callback won't be called.  If the process is still running by the time
   // this object destructs, it will be terminated.
   // Takes ownership of cmd_line.
+  //
+  // If |process_error_callback| is provided, it will be called if a Mojo error
+  // is encountered when processing messages from the child process. This
+  // callback must be safe to call from any thread.
   ChildProcessLauncher(
       SandboxedProcessLauncherDelegate* delegate,
       base::CommandLine* cmd_line,
       int child_process_id,
       Client* client,
       const std::string& mojo_child_token,
+      const mojo::edk::ProcessErrorCallback& process_error_callback,
       bool terminate_on_shutdown = true);
   ~ChildProcessLauncher();
 
   // True if the process is being launched and so the handle isn't available.
   bool IsStarting();
 
   // Getter for the process.  Only call after the process has started.
   const base::Process& GetProcess() const;
 
   // Call this when the child process exits to know what happened to it.
@@ skipping 57 matching lines @@
                               int child_process_id);
 #endif
 
   Client* client_;
   BrowserThread::ID client_thread_id_;
   base::Process process_;
   base::TerminationStatus termination_status_;
   int exit_code_;
   ZygoteHandle zygote_;
   bool starting_;
+  const mojo::edk::ProcessErrorCallback process_error_callback_;
+
   // Controls whether the child process should be terminated on browser
   // shutdown. Default behavior is to terminate the child.
   const bool terminate_child_on_shutdown_;
 
   // Host side platform handle to establish Mojo IPC.
   mojo::edk::ScopedPlatformHandle mojo_host_platform_handle_;
   const std::string mojo_child_token_;
 
   base::WeakPtrFactory<ChildProcessLauncher> weak_factory_;
 
   DISALLOW_COPY_AND_ASSIGN(ChildProcessLauncher);
 };
 
 }  // namespace content
 
 #endif  // CONTENT_BROWSER_CHILD_PROCESS_LAUNCHER_H_