Mojo EDK: Add safe process connection API

content/browser/renderer_host/render_process_host_impl.cc

 // Copyright 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 // Represents the browser side of the browser <--> renderer communication
 // channel. There will be one RenderProcessHost per renderer process.
 
 #include "content/browser/renderer_host/render_process_host_impl.h"
 
 #include <algorithm>
@@ skipping 812 matching lines @@
   if (renderer_path.empty())
     return false;
 
   sent_render_process_ready_ = false;
 
   // We may reach Init() during process death notification (e.g.
   // RenderProcessExited on some observer). In this case the Channel may be
   // null, so we re-initialize it here.
   if (!channel_)
     InitializeChannelProxy();
+  DCHECK(pending_connection_);
 
   // Unpause the Channel briefly. This will be paused again below if we launch a
   // real child process. Note that messages may be sent in the short window
   // between now and then (e.g. in response to RenderProcessWillLaunch) and we
   // depend on those messages being sent right away.
   //
   // |channel_| must always be non-null here: either it was initialized in
   // the constructor, or in the most recent call to ProcessDied().
   channel_->Unpause(false /* flush */);
 
@@ skipping 60 matching lines @@
         base::MakeUnique<base::CommandLine>(renderer_path);
     if (!renderer_prefix.empty())
       cmd_line->PrependWrapper(renderer_prefix);
     AppendRendererCommandLine(cmd_line.get());
 
     // Spawn the child process asynchronously to avoid blocking the UI thread.
     // As long as there's no renderer prefix, we can use the zygote process
     // at this stage.
     child_process_launcher_.reset(new ChildProcessLauncher(
         base::MakeUnique<RendererSandboxedProcessLauncherDelegate>(),
-        std::move(cmd_line), GetID(), this, child_token_,
+        std::move(cmd_line), GetID(), this, std::move(pending_connection_),
         base::Bind(&RenderProcessHostImpl::OnMojoError, id_)));
     channel_->Pause();
 
     fast_shutdown_started_ = false;
   }
 
   if (!gpu_observer_registered_) {
     gpu_observer_registered_ = true;
     ui::GpuSwitchingManager::GetInstance()->AddObserver(this);
   }
 
   is_initialized_ = true;
   init_time_ = base::TimeTicks::Now();
   return true;
 }
 
 void RenderProcessHostImpl::EnableSendQueue() {
   if (!channel_)
     InitializeChannelProxy();
 }
 
 void RenderProcessHostImpl::InitializeChannelProxy() {
-  // Generate a token used to identify the new child process.
-  child_token_ = mojo::edk::GenerateRandomToken();
-
   scoped_refptr<base::SingleThreadTaskRunner> io_task_runner =
       BrowserThread::GetTaskRunnerForThread(BrowserThread::IO);
 
   // Acquire a Connector which will route connections to a new instance of the
   // renderer service.
   service_manager::Connector* connector =
       BrowserContext::GetConnectorFor(browser_context_);
   if (!connector) {
     // Note that some embedders (e.g. Android WebView) may not initialize a
     // Connector per BrowserContext. In those cases we fall back to the
     // browser-wide Connector.
     if (!ServiceManagerConnection::GetForProcess()) {
       // Additionally, some test code may not initialize the process-wide
       // ServiceManagerConnection prior to this point. This class of test code
       // doesn't care about render processes, so we can initialize a dummy
       // connection.
       service_manager::mojom::ServiceRequest request(&test_service_);
       ServiceManagerConnection::SetForProcess(ServiceManagerConnection::Create(
           std::move(request), io_task_runner));
     }
     connector = ServiceManagerConnection::GetForProcess()->GetConnector();
   }
 
   // Establish a ServiceManager connection for the new render service instance.
+  pending_connection_.reset(new mojo::edk::PendingProcessConnection);
   child_connection_.reset(new ChildConnection(
       mojom::kRendererServiceName,
-      base::StringPrintf("%d_%d", id_, instance_id_++), child_token_, connector,
-      io_task_runner));
+      base::StringPrintf("%d_%d", id_, instance_id_++),
+      pending_connection_.get(), connector, io_task_runner));
 
   // Send an interface request to bootstrap the IPC::Channel. Note that this
   // request will happily sit on the pipe until the process is launched and
   // connected to the ServiceManager. We take the other end immediately and
   // plug it into a new ChannelProxy.
   IPC::mojom::ChannelBootstrapPtr bootstrap;
   GetRemoteInterfaces()->GetInterface(&bootstrap);
   std::unique_ptr<IPC::ChannelFactory> channel_factory =
       IPC::ChannelMojo::CreateServerFactory(
           bootstrap.PassInterface().PassHandle(), io_task_runner);
@@ skipping 2099 matching lines @@
   LOG(ERROR) << "Terminating render process for bad Mojo message: " << error;
 
   // The ReceivedBadMessage call below will trigger a DumpWithoutCrashing.
   // Capture the error message in a crash key value.
   base::debug::ScopedCrashKey error_key_value("mojo-message-error", error);
   bad_message::ReceivedBadMessage(render_process_id,
                                   bad_message::RPH_MOJO_PROCESS_ERROR);
 }
 
 }  // namespace content