Currently, `PrivateAggregationBudgeter` defers storage initialization by
binding a callback to a private method in the constructor and lazily
running the callback the first time storage is needed.
Subjectively, it's a little confusing for the reader because they have
to untangle this indirect control flow. This CL removes the callback and
instead calls the private method directly. The tradeoff is that we now
have to explicitly store the method's parameters as private fields.
Another benefit of this more explicit control flow is that it eliminates
the `WeakPtr` bound to the callback. I found that `WeakPtr` a little
confusing because it implied that there's a chance that we'd initialize
storage after destroying `this`.
Change-Id: I8925196fe3b7762d5e4ebd8918c44f449b357eb2
Bug: 398173022
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/6287446
Commit-Queue: Dan McArdle <dmcardle@chromium.org>
Reviewed-by: Alex Turner <alexmt@chromium.org>
Cr-Commit-Position: refs/heads/main@{#1423293}
Adds support for the kPrivateAggregationApiErrorReporting feature,
including its ContributeToHistogramOnEvent() method. When the feature is
enabled, delegates triggering those conditional contributions (as well
as general merging and truncation) to the
PrivateAggregationPendingContributions object. Also allows debug keys to
be set on null reports.
When the feature is disabled (which it is by default), this cl should
have no effect.
Bug: 381788013
Change-Id: If10f2236a54ab08f916ed02c7bc92b74a2d1f435
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/6207481
Reviewed-by: Dan McArdle <dmcardle@chromium.org>
Commit-Queue: Alex Turner <alexmt@chromium.org>
Reviewed-by: mmenke <mmenke@chromium.org>
Reviewed-by: Ken Buchanan <kenrb@chromium.org>
Reviewed-by: Yao Xiao <yaoxia@chromium.org>
Reviewed-by: Charlie Harrison <csharrison@chromium.org>
Cr-Commit-Position: refs/heads/main@{#1423164}
These histograms measure important situations in the object. This will
help inform whether certain memory limits are appropriate as well as
monitor other behavior. One of these metrics
(NumContributionMergeKeys) approximately matches an existing metric,
with the old metric being recorded when the aggregate error reporting
feature is disabled, and the new metric when the feature is enabled.
Bug: 381788013
Change-Id: Id01ad8ddcbe9bb7a37263e50658d6be1005adeb1
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/6242562
Reviewed-by: Dan McArdle <dmcardle@chromium.org>
Reviewed-by: Charlie Harrison <csharrison@chromium.org>
Commit-Queue: Alex Turner <alexmt@chromium.org>
Cr-Commit-Position: refs/heads/main@{#1423163}
Adds support for making contributions conditional on an error event (in
PrivateAggregationPendingContributions). Also adds support for ordinary
(unconditional) contributions to the same class. Additionally defines
the list of error events. While this definition is in a mojo file, it
is not yet used in the mojo interface. (This will be added in a future
cl.) This support is gated behind a (disabled by default) feature flag.
So, this cl is a no-op.
Bug: 381788013
Change-Id: Ia3a603b0e8e8971a26fca8cfa350f0fb36fa9f93
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/6086115
Reviewed-by: Dan McArdle <dmcardle@chromium.org>
Reviewed-by: Joe Mason <joenotcharles@google.com>
Commit-Queue: Alex Turner <alexmt@chromium.org>
Cr-Commit-Position: refs/heads/main@{#1415635}
DatabaseOptions is getting too large for the "explicit out of line
constructor for complex types" presubmit. Adding a constructor to it
prevents it from being an aggregate type, which is how most of the
callers currently use it.
This CL makes DatabaseOptions members private and adds builder-type
setters for each member. It also updates all callers, and adds an out of
line constructor.
A future improvement could be to add a passkey to the setters for
discouraged options.
Bug: None
Change-Id: I63562f43c8b290247878d194039487b240e958c2
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/6216099
Reviewed-by: Gabriel Charette <gab@chromium.org>
Reviewed-by: Greg Thompson <grt@chromium.org>
Owners-Override: Gabriel Charette <gab@chromium.org>
Commit-Queue: Anthony Vallée-Dubois <anthonyvd@chromium.org>
Cr-Commit-Position: refs/heads/main@{#1414974}
We plan to use the new class to support the new
`kPrivateAggregationApiErrorReporting` feature, which is currently
disabled by default (and not yet implemented). In this cl, the main
class is empty, with a TODO to implement the logic.
However, the nested Wrapper class is a fairly basic union type that
conditionally contains either the main class (if the error reporting
feature is enabled) or a vector of contributions (if the feature is
disabled). This cl also switches some plumbing to use this new Wrapper
class, which will simplify future implementation work. It also moves the
definition of ContributionMergeKey to the new class to reflect the new
class's intended (eventual) role.
This cl should be a no-op, given the disabled feature.
Bug: 381788013
Change-Id: I92e4dcebfa786e0327cd12c9104b4dbc9760dc1f
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/6079892
Reviewed-by: Avi Drissman <avi@chromium.org>
Commit-Queue: Alex Turner <alexmt@chromium.org>
Reviewed-by: Dan McArdle <dmcardle@chromium.org>
Cr-Commit-Position: refs/heads/main@{#1414416}
This CL deletes the base::Feature that increased Protected Audience
callers' default number of contributions per report from 20 to 100:
PrivateAggregationApi100ContributionsForProtectedAudience.
Fixed: 389897604
Change-Id: I50f444696207944e6b5b52cb662d793215771718
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/6218025
Reviewed-by: Alex Turner <alexmt@chromium.org>
Commit-Queue: Dan McArdle <dmcardle@chromium.org>
Cr-Commit-Position: refs/heads/main@{#1414066}
This CL implements an optimization for per-context limits, which are
still gated by a feature and disabled by default.
We're making `ShouldSendReportDeterministically()` a little more clever,
with the goal of enabling Private Aggregation to send fewer null reports
without loss of privacy. Rather than requiring determinism whenever the
`std::optional<size_t> max_contributions` parameter has a value, we will
now additionally require that it would make the aggregatable report
stick out. This resembles the semantics of the `filtering_id_max_bytes`
parameter.
This CL should not contain any web-visible behavior changes, primarily
because none of the calling APIs have defined the `maxContributions`
field yet.
Bug: 376707230
Change-Id: Iee0d849170e728fd9cdc540daa83881ce96a21dc
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/6183147
Commit-Queue: Dan McArdle <dmcardle@chromium.org>
Reviewed-by: Alex Moshchuk <alexmos@chromium.org>
Reviewed-by: Alex Turner <alexmt@chromium.org>
Cr-Commit-Position: refs/heads/main@{#1412280}
This CL takes the following steps towards implementing per-context
contribution limits:
* Adds `blink::features::kPrivateAggregationApiMaxContributions`,
disabled by default.
* Implements the Private Aggregation logic for the `maxContributions`
config field and adds unit tests.
* Hardcodes `maxContributions` as `std::nullopt` in Shared Storage and
Protected Audience.
This should not contain any web-visible behavior changes, primarily
because none of the calling APIs have defined the `maxContributions`
field yet.
Bug: 376707230
Change-Id: I0b065ab8fb2383ec502cd018e6e66862ebba1ba1
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/6172853
Reviewed-by: Mike Taylor <miketaylr@chromium.org>
Commit-Queue: Dan McArdle <dmcardle@chromium.org>
Reviewed-by: Arthur Sonzogni <arthursonzogni@chromium.org>
Reviewed-by: Alex Turner <alexmt@chromium.org>
Cr-Commit-Position: refs/heads/main@{#1410414}
Currently, `pipes_with_timeout_count_` is an int, so there's a very
theoretical possibility of overflowing the int when there are MAX_INT
open pipes.
This CL skirts the issue entirely by just deleting the field. We can
achieve the same results by iterating over the contexts in the
`receiver_set_`.
Change-Id: I3b73d842c6f59ba9a4b03501503aa3962260b891
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/6169078
Commit-Queue: Dan McArdle <dmcardle@chromium.org>
Reviewed-by: Alex Turner <alexmt@chromium.org>
Cr-Commit-Position: refs/heads/main@{#1406265}
This CL adds facilities to assert at compile-time that a database tag
passed to the `sql::Database` constructors is specified in the
DatabaseTag variant list in the corresponding `histograms.xml` file.
For many users of `Database`, this change is a no-op. That said, some
create databases with `make_unique()`, and the mechanism for forwarding
arguments used by that function is incompatible with the implicit
invocation of the consteval constructor this CL introduces.
For this reason, these callers are also updated to explicitly create
the tag object.
Finally, 19 databases were using tags not defined in the histograms
file, so this CL adds these tags as variants.
Change-Id: I7aa6fdc4b923325cc41038fef72b239b5c19e4bd
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/6055279
Reviewed-by: Robert Liao <robliao@chromium.org>
Commit-Queue: Anthony Vallée-Dubois <anthonyvd@chromium.org>
Reviewed-by: Maks Orlovich <morlovich@chromium.org>
Reviewed-by: Robert Kaplow <rkaplow@chromium.org>
Reviewed-by: Steven Valdez <svaldez@chromium.org>
Reviewed-by: Ayu Ishii <ayui@chromium.org>
Reviewed-by: Bo Majewski <majewski@chromium.org>
Reviewed-by: Sylvain Defresne <sdefresne@chromium.org>
Reviewed-by: Greg Thompson <grt@chromium.org>
Reviewed-by: Kinuko Yasuda <kinuko@chromium.org>
Cr-Commit-Position: refs/heads/main@{#1398280}
This CL removes the default value of the `tag` argument on the 2
`sql::Database` constructors, and updates all callers that didn't
explicitly pass a tag to do so.
As a convenience, this CL also defines a common tag for unit tests.
This will allow the implementation and monitoring of per-database
performance metrics (time to open, statement execution time, VMSteps,
etc) without the possibility of having some of the databases
uninstrumented. This is useful for diagnosing issues such as
crbug.com/369635654 in the wild, and required for some performance
investigations that we have in the pipeline.
The last step of this work item (asserting that the tag is correctly
defined in histograms.xml variants) is implemented in
https://chromium-review.googlesource.com/c/chromium/src/+/6055279.
Bug: 40949392
Change-Id: I6dec0fb86a5e7b98cd42ac3a9db18e23eaf9e9bd
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/6039025
Reviewed-by: manuk hovanesian <manukh@chromium.org>
Commit-Queue: Anthony Vallée-Dubois <anthonyvd@chromium.org>
Code-Coverage: findit-for-me@appspot.gserviceaccount.com <findit-for-me@appspot.gserviceaccount.com>
Cr-Commit-Position: refs/heads/main@{#1395446}
This CL speeds up WPTs by ignoring any remaining timeout when Private
Aggregation developer mode is enabled, i.e. when the command line flag
`--private-aggregation-developer-mode` is present. The effect is that
reports are scheduled nearly immediately after the isolated context
disconnects.
This change should make some of Private Aggregation's Shared Storage
WPTs run faster because reports will be sent with shorter delay. Note
that we will need to update the WPTs' hardcoded timeouts before we see
the full effect; some tests wait up to 6 seconds before concluding that
zero reports were received.
Here's a comparison of the individual test times (in milliseconds). This
may be a little noisy because I only ran the tests once with and once
without the changes. Unsurprisingly, only Shared Storage tests seem to
be affected.
.virtual
  .private-aggregation-developer-mode
    .wpt_internal
      .private-aggregation
        .fenced-frame-disallowed-fields.sub.https.html
          6500 -> 6518 (100.28%)
        .fenced-frame-network-revocation.sub.https.html
          5606 -> 5545 (98.91%)
        .protected-audience-aggregation-coordinator.https.window.html
          25807 -> 25651 (99.40%)
        .protected-audience-auction-report-buyers-debug-mode.https.window.html
          23236 -> 23444 (100.90%)
        .protected-audience-filtering-id-sends-report.https.window.html
          13383 -> 13975 (104.42%)
        .protected-audience-sends-report.https.window.html
          8937 -> 8946 (100.10%)
        .shared-storage-aggregation-coordinator.https.window.html
          11334 -> 11401 (100.59%)
        .shared-storage-context-id-sends-report.https.window.html
          16370 -> 1388 (8.48%)
        .shared-storage-filtering-id-sends-null-report.https.window.html
          24555 -> 24573 (100.07%)
        .shared-storage-filtering-id-sends-report.https.window.html
          42315 -> 32508 (76.82%)
        .shared-storage-sends-report.https.window.html
          5440 -> 4777 (87.81%)
Bug: 362901607
Change-Id: I8d5381e8d914cd2d43dfcd4a39feba110be3227a
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/6068370
Reviewed-by: Alex Turner <alexmt@chromium.org>
Commit-Queue: Dan McArdle <dmcardle@chromium.org>
Cr-Commit-Position: refs/heads/main@{#1392543}
This runtime enabled feature flag was enabled by default in M129. We no
longer need the kill switch and can have the feature enabled
indefinitely. This will also simplify implementation of future features.
Bug: 349980058
Change-Id: I27e7662b8ddb70d4da6529e315854a973ab0a138
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/6048371
Reviewed-by: Nan Lin <linnan@chromium.org>
Commit-Queue: Alex Turner <alexmt@chromium.org>
Cr-Commit-Position: refs/heads/main@{#1388900}
Now that the filtering ID features have all been removed (see
crrev.com/c/6011871, crrev.com/c/6019343 and crrev.com/c/6032178), there
is no longer a need to support the old format. This takes the form of
always requiring a filtering_id_max_bytes to be set (instead of it being
an optional type).
This should be mostly a no-op, but if there are any reports scheduled
and saved to disk from before the features were enabled (M128), they
will now be upgraded to the new format instead of still using the old
one.
Bug: 330744610
Change-Id: I2a28352a778afa2e60f81cdbe5da02183b7c2f94
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/6035826
Reviewed-by: Nan Lin <linnan@chromium.org>
Commit-Queue: Alex Turner <alexmt@chromium.org>
Cr-Commit-Position: refs/heads/main@{#1387019}
This runtime enabled feature flag was enabled by default in M128. So, we
no longer need the kill switch and can have the feature enabled
indefinitely. See crrev.com/c/6011871 for the removal of the Aggregation
Service layer's flag.
Bug: 330744610
Change-Id: I97c9475ba78a5dc3c7278c5e93d970c431326bca
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/6032178
Commit-Queue: Philip Rogers <pdr@chromium.org>
Reviewed-by: Nan Lin <linnan@chromium.org>
Reviewed-by: Yao Xiao <yaoxia@chromium.org>
Reviewed-by: Philip Rogers <pdr@chromium.org>
Reviewed-by: Qingxin Wu <qingxinwu@google.com>
Auto-Submit: Alex Turner <alexmt@chromium.org>
Cr-Commit-Position: refs/heads/main@{#1385320}
Patchset 1 reapplies commit fb4fec6182,
which updates report determinism logic. It was reverted because it
caused the Private Aggregation WPTs to fail.
Patchset 2 reapplies commit 9c42cb3c9a,
which updates the timeout logic for Shared Storage. This was reverted
because it would be a privacy issue to leave it in the tree without the
changed report determinism logic.
Patchsets 3 and beyond attempt to fix the original issue with the WPTs.
* The main problem is that I forgot to update a few tests that should
now be expecting to receive null reports, e.g. because they set a
non-default filteringIdMaxBytes and made zero viable histogram
contributions.
* A secondary problem is that we're so close to the test-harness timeout
of 60 seconds that adding the test with zero contributions caused
shared-storage-filtering-id-sends-report.https.window.js to time out.
My workaround in this CL is to partition the tests from that .js file
into two smaller files.
Original change's description:
> PrivateAggregation: Update report determinism logic
>
> This CL aligns our Private Aggregation implementation with the spec.
>
> Non-default values of filtering_id_max_bytes are now sufficient cause to
> send null reports.
>
> This CL also adds a WPT to verify the new behavior.
>
> Bug: 375523829
> Change-Id: I495a63fb7563f7bc1c0e437e20dc9b99be5284a8
> Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/5973057
> Reviewed-by: Alex Turner <alexmt@chromium.org>
> Commit-Queue: Dan McArdle <dmcardle@chromium.org>
> Reviewed-by: Yao Xiao <yaoxia@chromium.org>
> Cr-Commit-Position: refs/heads/main@{#1376999}
Bug: 375523829
Change-Id: I62f352a73d6641db1cc3e1b90346ba94ad54cce1
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/5991030
Reviewed-by: Yao Xiao <yaoxia@chromium.org>
Commit-Queue: Alex Turner <alexmt@chromium.org>
Auto-Submit: Dan McArdle <dmcardle@chromium.org>
Reviewed-by: Alex Turner <alexmt@chromium.org>
Cr-Commit-Position: refs/heads/main@{#1379134}
fenced storage read.
This CL renames fenced frame local unpartitioned data access API to
fenced storage read API. It does not change any behavior except the
error messages when the API is called without attestation or without
network revoked.
This CL also renames the proto enum for this API. It is safe to do so
because there has been no attestation list containing this API shipped.
Bug: 375607722
Change-Id: Iab24e4226fc698ff5b3c1afa6ad5f4da464914ac
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/5966637
Reviewed-by: Avi Drissman <avi@chromium.org>
Reviewed-by: Shivani Sharma <shivanisha@chromium.org>
Reviewed-by: Fiona Macintosh <fmacintosh@google.com>
Reviewed-by: David Vallet <dvallet@chromium.org>
Commit-Queue: Xiaochen Zhou <xiaochenzh@chromium.org>
Cr-Commit-Position: refs/heads/main@{#1378084}
This CL aligns our Private Aggregation implementation with the spec.
Non-default values of filtering_id_max_bytes are now sufficient cause to
send null reports.
This CL also adds a WPT to verify the new behavior.
Bug: 375523829
Change-Id: I495a63fb7563f7bc1c0e437e20dc9b99be5284a8
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/5973057
Reviewed-by: Alex Turner <alexmt@chromium.org>
Commit-Queue: Dan McArdle <dmcardle@chromium.org>
Reviewed-by: Yao Xiao <yaoxia@chromium.org>
Cr-Commit-Position: refs/heads/main@{#1376999}
unpartitioned data access attestation check.
Implement the browser client layer check of the new attestation API.
Apply this check for shared storage get.
Browser tests for testing shared storage get with respect to the new
attestation check are added in:
chrome/browser/storage/shared_storage_browsertest.cc.
Update other existing tests to work with this check.
Please note that, other than the attestation, the local unpartitioned
data access is also gated on the 3pc setting. See crrev.com/c/5860019.
Bug: 361375807
Change-Id: I338bb9fa756b9e2b793f3bf4a491281cd41409f6
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/5854085
Reviewed-by: Avi Drissman <avi@chromium.org>
Commit-Queue: Xiaochen Zhou <xiaochenzh@chromium.org>
Reviewed-by: Shivani Sharma <shivanisha@chromium.org>
Reviewed-by: Eric Seckler <eseckler@chromium.org>
Reviewed-by: Cammie Smith Barnes <cammie@chromium.org>
Cr-Commit-Position: refs/heads/main@{#1370560}
This CL enables the preexisting feature by default:
PrivateAggregationApiDynamicMaxContributionsPerCallingApi
It also updates WPT expectations for Private Aggregation's tests that
cover Protected Audience callers.
Bug: 360160864
Change-Id: I2f67f8cdbcc2932aac18c0a150c7c654c742a928
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/5812290
Commit-Queue: Dan McArdle <dmcardle@chromium.org>
Reviewed-by: Alex Turner <alexmt@chromium.org>
Cr-Commit-Position: refs/heads/main@{#1368287}
and feature.
This feature is obsolete and has never been enabled. It was added in
https://chromium-review.googlesource.com/c/chromium/src/+/4949771.
It is a temporary solution for an issue in post-impression beacon.
The problem is when an adtech needs to measure Protected Audience ads
via post-impression beacon, but is not using any of the ads
personalization or targeting features of Protected Audiences. A
different approach was taken. This feature was implemented but never
planned to ship.
Bug: 361119170
Change-Id: Ife04241f0e3a69fe36ad18236b29beb2617af8f0
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/5867036
Commit-Queue: Xiaochen Zhou <xiaochenzh@chromium.org>
Reviewed-by: Dmitry Gozman <dgozman@chromium.org>
Reviewed-by: Liam Brady <lbrady@google.com>
Reviewed-by: Avi Drissman <avi@chromium.org>
Cr-Commit-Position: refs/heads/main@{#1359962}
This CL creates a new header file to house PrivateAggregationCallerApi,
an enum that identifies which API is calling Private Aggregation.
The enum used to be PrivateAggregationBudgetKey::Api, but now we're
using it for things that aren't related to budgeting.
Fixed: 362431899
Change-Id: Ia0e7fbe9f19119557dc4e6bb7406206bde9cfc36
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/5823744
Reviewed-by: Cammie Smith Barnes <cammie@chromium.org>
Auto-Submit: Dan McArdle <dmcardle@chromium.org>
Reviewed-by: Alex Turner <alexmt@chromium.org>
Reviewed-by: Maks Orlovich <morlovich@chromium.org>
Commit-Queue: Dan McArdle <dmcardle@chromium.org>
Cr-Commit-Position: refs/heads/main@{#1350232}
Addresses ~14% of `-WUnsafe-buffer-usage` opt-out in `//content`.
This is a #cleanup.
The patch was initially partially generated by `./tool/clang/spanify`.
This patch applies conversions specifically to c-arrays in `//content`.
Although the `spanify` tool supports broader conversions, this change
intentionally focuses on c-arrays. Several manual fixes were made to
address anonymous struct issues and other edge cases encountered during
the conversion process.
Bug: 342213636, 40285824
Change-Id: I72666faa45a461ea27bb3608beeacc6c9fcd8a63
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/5824992
Reviewed-by: Nasko Oskov <nasko@chromium.org>
Commit-Queue: Arthur Sonzogni <arthursonzogni@chromium.org>
Cr-Commit-Position: refs/heads/main@{#1349804}
NOTREACHED() has turned [[noreturn]] so the former macro isn't needed
anymore.
This does not attempt to do a rewrite of any surrounding code, like:
  if (!foo) {
    NOTREACHED();
  }
to
  CHECK(foo);
Those transforms take a non-trivial amount of time (and there are
thousands of instances). Cleanup can be left as an exercise for the
reader.
NO_IFTTT=No-op-rename migration.
Bug: 40580068
Change-Id: I068c5fdce9dc4c352d8bdd62bb3cd2c0a2d59659
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/5782602
Reviewed-by: Daniel Cheng <dcheng@chromium.org>
Owners-Override: Daniel Cheng <dcheng@chromium.org>
Commit-Queue: Daniel Cheng <dcheng@chromium.org>
Commit-Queue: Peter Boström <pbos@chromium.org>
Cr-Commit-Position: refs/heads/main@{#1342096}