NOTREACHED() and NOTREACHED_IN_MIGRATION() are both CHECK-fatal now.
The former is [[noreturn]] so this CL also performs dead-code removal
after the NOTREACHED().
This CL does not attempt to do additional rewrites of any surrounding
code, like:
  if (!foo) {
    NOTREACHED();
  }
to CHECK(foo);
Those transforms take a non-trivial amount of time (and there are
thousands of instances). Cleanup can be left as an exercise for the
reader.
This does clean up kCrashOnDanglingBrowserContext as both paths of the
kill switch are currently fatal. This has been rolled out for a long
time.
Bug: 40580068, 40062641
Change-Id: Ib88e710d003e2e48df3fc502ca54d2341d157a0e
Cq-Include-Trybots: luci.chromium.try:linux-dcheck-off-rel
Low-Coverage-Reason: OTHER Should-be-unreachable code
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/5974816
Reviewed-by: Łukasz Anforowicz <lukasza@chromium.org>
Commit-Queue: Łukasz Anforowicz <lukasza@chromium.org>
Reviewed-by: Rakina Zata Amni <rakina@chromium.org>
Auto-Submit: Peter Boström <pbos@chromium.org>
Reviewed-by: Sam McNally <sammc@chromium.org>
Cr-Commit-Position: refs/heads/main@{#1376522}
This was generated by replacing " NOTREACHED()" with
" NOTREACHED_IN_MIGRATION()" and running git cl format.
This prepares for making NOTREACHED() [[noreturn]] alongside
NotReachedIsFatal migration of existing inventory.
Bug: 40580068
Change-Id: I3b48b89911ac5e9ffcb211622992f917f8f9e8d9
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/5539619
Auto-Submit: Peter Boström <pbos@chromium.org>
Commit-Queue: Lei Zhang <thestig@chromium.org>
Owners-Override: Lei Zhang <thestig@chromium.org>
Reviewed-by: Lei Zhang <thestig@chromium.org>
Commit-Queue: Peter Boström <pbos@chromium.org>
Cr-Commit-Position: refs/heads/main@{#1301096}
The canonical bug format is TODO(crbug.com/<id>). TODOs of the
following forms will all be migrated to the new format:
- TODO(crbug.com/<old id>)
- TODO(https://crbug.com/<old id>)
- TODO(crbug/<old id>)
- TODO(crbug/monorail/<old id>)
- TODO(<old id>)
- TODO(issues.chromium.org/<old id>)
- TODO(https://issues.chromium.org/<old id>)
- TODO(https://issues.chromium.org/u/1/issues/<old id>)
- TODO(bugs.chromium.org/<old id>)
Bug id mapping is sourced from go/chrome-on-buganizer-prod-issues.
See go/crbug-todo-migration for details.
#crbug-todo-migration
Bug: b/321899722
Change-Id: Iebe070b9ed793ecdfc43c3a3570f1808b7ddd221
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/5470014
Reviewed-by: Darryl James <dljames@chromium.org>
Owners-Override: Alison Gale <agale@chromium.org>
Commit-Queue: Alison Gale <agale@chromium.org>
Cr-Commit-Position: refs/heads/main@{#1290677}
While switching usage of Pickle to new creation factories, some usages
were switched to owning the data. This might not have been completely
clear to those OKing the switch, so this CL moves those invocations to
use the non-owning varieties, which matches the behavior of the code
before.
This leaves all the clipboard usage alone, though. That usage was the
driver for the ability to create a Pickle that owns its data in the
first place.
Bug: 330028190
Change-Id: Id2f24db06fb43fdc70e32e7b008a463956b8ed46
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/5392265
Auto-Submit: Avi Drissman <avi@chromium.org>
Owners-Override: Daniel Cheng <dcheng@chromium.org>
Commit-Queue: Daniel Cheng <dcheng@chromium.org>
Reviewed-by: Daniel Cheng <dcheng@chromium.org>
Owners-Override: Avi Drissman <avi@chromium.org>
Cr-Commit-Position: refs/heads/main@{#1278427}
This removes dead code as a result of making sure that the compiler
knows that LOG(FATAL) is [[noreturn]] directly within the translation
unit.
LOG(DFATAL) and DLOG(FATAL) are intentionally not [[noreturn]] as they
can't be in the release build.
Except for invariants already split out in crrev.com/c/5195484 it's not
trivial to me that any of the remaining FATALs are invariant
failures within our code, so they were not updated to use CHECKs.
Bug: 1409729
Change-Id: I59e44a5bb53d69ae44600f833146b72c07edf81f
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/5191363
Reviewed-by: Lei Zhang <thestig@chromium.org>
Code-Coverage: findit-for-me@appspot.gserviceaccount.com <findit-for-me@appspot.gserviceaccount.com>
Owners-Override: Lei Zhang <thestig@chromium.org>
Commit-Queue: Peter Boström <pbos@chromium.org>
Cr-Commit-Position: refs/heads/main@{#1247836}
This CL adjusts the return type of Pickle::data() to be more friendly to
base::span. It also offers a casting helper, called data_as(), to
allow users of data to consume it as different types, in a more
ergonomic way.
Additionally, Pickle::ReadData is being changed to avoid the use of out
params, and rather provide its data through the return type.
Bug: 1420355
Change-Id: I0bfba0be3537285e08c301ce1dd137c4b5d9a9b0
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/4298216
Reviewed-by: Daniel Cheng <dcheng@chromium.org>
Commit-Queue: Claudio DeSouza <cdesouza@igalia.com>
Owners-Override: Daniel Cheng <dcheng@chromium.org>
Cr-Commit-Position: refs/heads/main@{#1112314}
base::size() has been moved to base/cxx17_backports.h, so .cc files that
use base::size(), but no other function from base/stl_util.h, can
directly include base/cxx17_backports.h and not base/stl_util.h.
Bug: 1210983
Change-Id: I42a598a9c2b8fcbfd1e225329109ae3308bd9518
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2915348
Reviewed-by: Camille Lamy <clamy@chromium.org>
Commit-Queue: Lei Zhang <thestig@chromium.org>
Cr-Commit-Position: refs/heads/master@{#886358}
Originally the sandbox policies lived in //content, but with
servicification this would create unwanted dependencies between
//services and //content. Instead, create a new //sandbox/policy
library to hold the sandbox integration code. This library can depend
on the low-level //sandbox routines, but not vice versa.
Tbr: ajgo@chromium.org (mechanical change rule)
Bug: 1097376
Change-Id: I1ca9ac0015a625197f2d3aae104e8f7aa78dcfd9
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2272609
Commit-Queue: Robert Sesek <rsesek@chromium.org>
Reviewed-by: Ken Rockot <rockot@google.com>
Reviewed-by: Alex Gough <ajgo@chromium.org>
Cr-Commit-Position: refs/heads/master@{#786385}
Add direct includes for things provided transitively by logging.h
(or by other headers including logging.h).
This is in preparation for cleaning up unnecessary includes of
logging.h in header files (so if something depends on logging.h,
it needs to include it explicitly), and for when logging.h no longer
includes check.h, check_op.h, and notreached.h.
Bug: 1031540
Change-Id: I0c69dcf8d27d25b30d4e211bce41f80de70d110b
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2248575
Auto-Submit: Hans Wennborg <hans@chromium.org>
Commit-Queue: Alex Moshchuk <alexmos@chromium.org>
Reviewed-by: Alex Moshchuk <alexmos@chromium.org>
Cr-Commit-Position: refs/heads/master@{#779560}
The linux sandbox creates shared memory segments in
SandboxIPCHandler::HandleMakeSharedMemorySegment. The wrinkle is
that these segments may be created executable, which is done
nowhere else in chrome. NaCl appears to be the only consumer of
this feature, via NaClAppLoadModule / NaClAppLoadFile. The
platform file descriptor backing the shared memory is extracted
and shared via sendmsg() manually, rather than via a mojo or
legacy IPC mechanism.
This CL introduces a linux-only executable create for
base::subtle::PlatformSharedMemoryRegion to be used for this
purpose. The new create method has a stern comment, and is only
exposed through the base::subtle API, in order to discourage wide
usage.
Bug: 795291
Change-Id: I9753c74b74c30d9873eb13415f4084ccf9b3fa35
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/1695405
Commit-Queue: Matthew Cary (CET) <mattcary@chromium.org>
Reviewed-by: Robert Sesek <rsesek@chromium.org>
Reviewed-by: Alex Ilin <alexilin@chromium.org>
Cr-Commit-Position: refs/heads/master@{#676803}
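
The descriptor hand-off described in the commit message above (the fd backing a shared memory segment sent manually with sendmsg()), as an added example that is not part of the commit or of Chromium's code. The names send_fd, recv_fd and shm_roundtrip and the temporary path are hypothetical, an unlinked mkstemp() file stands in for the segment, and both socket ends live in one process only to keep the demonstration self-contained.

```c
#include <stdlib.h>
#include <string.h>
#include <sys/mman.h>
#include <sys/socket.h>
#include <unistd.h>

/* Control buffer sized and aligned for exactly one descriptor. */
union fd_ctl { char buf[CMSG_SPACE(sizeof(int))]; struct cmsghdr align; };

/* Send fd as SCM_RIGHTS ancillary data beside one payload byte; 0 on success. */
static int send_fd(int sock, int fd) {
  char byte = 'F';
  struct iovec iov = {.iov_base = &byte, .iov_len = 1};
  union fd_ctl u = {{0}};
  struct msghdr msg = {.msg_iov = &iov, .msg_iovlen = 1,
                       .msg_control = u.buf, .msg_controllen = sizeof(u.buf)};
  struct cmsghdr *c = CMSG_FIRSTHDR(&msg);
  c->cmsg_level = SOL_SOCKET; c->cmsg_type = SCM_RIGHTS;
  c->cmsg_len = CMSG_LEN(sizeof(int));
  memcpy(CMSG_DATA(c), &fd, sizeof(int));
  return sendmsg(sock, &msg, 0) == 1 ? 0 : -1;
}

/* Receive exactly one descriptor; -1 if the message is anything else. */
static int recv_fd(int sock) {
  char byte;
  struct iovec iov = {.iov_base = &byte, .iov_len = 1};
  union fd_ctl u;
  struct msghdr msg = {.msg_iov = &iov, .msg_iovlen = 1,
                       .msg_control = u.buf, .msg_controllen = sizeof(u.buf)};
  if (recvmsg(sock, &msg, 0) != 1) return -1;
  struct cmsghdr *c = CMSG_FIRSTHDR(&msg);
  if (!c || c->cmsg_level != SOL_SOCKET || c->cmsg_type != SCM_RIGHTS ||
      c->cmsg_len != CMSG_LEN(sizeof(int)))
    return -1;  /* no descriptor, or not the single one expected */
  int fd;
  memcpy(&fd, CMSG_DATA(c), sizeof(int));
  /* MSG_CTRUNC: the sender attached more than fits; drop what was installed. */
  if (msg.msg_flags & MSG_CTRUNC) { close(fd); return -1; }
  return fd;
}

/* 1 if a write via the sender's mapping is visible via the received fd. */
int shm_roundtrip(void) {
  char path[] = "/tmp/shm-demo-XXXXXX";  /* constructed name, unlinked at once */
  int sv[2], ok = -1, fd = mkstemp(path);
  if (fd < 0) return -1;
  unlink(path);
  if (ftruncate(fd, 4096) == 0 && socketpair(AF_UNIX, SOCK_STREAM, 0, sv) == 0) {
    int rfd = send_fd(sv[0], fd) == 0 ? recv_fd(sv[1]) : -1;
    char *a = mmap(NULL, 4096, PROT_READ | PROT_WRITE, MAP_SHARED, fd, 0);
    char *b = mmap(NULL, 4096, PROT_READ, MAP_SHARED, rfd, 0);  /* no PROT_EXEC */
    if (a != MAP_FAILED && b != MAP_FAILED) {
      memcpy(a, "hello", 6);
      ok = rfd != fd && memcmp(b, "hello", 6) == 0;
    }
    close(rfd); close(sv[0]); close(sv[1]);
  }
  close(fd);
  return ok;
}
```

The receiver gets a new descriptor number for the same open file, so the protections it requests in mmap() are its own choice; mapping without PROT_EXEC unless the consumer needs it keeps the executable case as narrow as the commit intends.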
This is a reland of
https://chromium-review.googlesource.com/c/chromium/src/+/1109964
Tbr'ing previous reviewers from that CL as the exact change has been
previously reviewed there.
The revert was done manually in response to flakiness of viz_browser
tests in MSAN. See issue https://crbug.com/860349 - my analysis is in
issue https://crbug.com/860445 where I disable this test. In short, I
believe my CL exposed a previously existing race condition in that test.
Instead of Chromium IPC macro-defined messages or Mojo, Chrome on Linux
uses hand-pickled IPC messages through a special purpose file descriptor
to send messages from the renderer to the browser host in order to
access FontConfig for font matching and font fallback. This system is
described in docs/linux_sandbox_ipc.md.
For the "Font Matching by Full Font Name / PS Name" effort, see issue
828317, additional out of process font methods are needed. Instead of
adding them to this legacy hand-written IPC, we modernize the Linux
Sandbox IPC mechanism and upgrade it to using Mojo interface definitions
and a service architecture, in which a font service running in an
unsandboxed utility process answers FontConfig requests from the
renderer.
Previous CLs [1], [2] prepared the Font Service to have testing and
additional font fallback and render-style-for-strike methods. Now we can
move Blink over to using this Mojo interface and remove the traditional
sandbox IPC handlers since we do not use the file descriptor based IPC
anymore for FontConfig access.
For more details, please refer to the design doc in issue 839344.
[1] https://chromium-review.googlesource.com/c/chromium/src/+/1091754
[2] https://chromium-review.googlesource.com/c/chromium/src/+/1087951
Bug: 855021
Change-Id: I74663c5685a7797089e4d69354453146c245e20a
Tbr: skyostil@chromium.org, michaelpg@chromium.org, rsesek@chromium.org, halliwell@chromium.org, thestig@chromium.org, piman@chromium.org, eae@chromium.org
Reviewed-on: https://chromium-review.googlesource.com/1127028
Commit-Queue: Dominik Röttsches <drott@chromium.org>
Reviewed-by: Dominik Röttsches <drott@chromium.org>
Cr-Commit-Position: refs/heads/master@{#572930}
This reverts commit b993e42cac.
Reason for revert: MSan bot failure and find-it suggested this might be the culprit. Please see crbug.com/860349 for detail.
Failing test: MaybeSetMetadata/SafeBrowsingServiceMetadataTest.MalwareImg/0
Original change's description:
> Move Blink Sandbox IPC to Mojo Calls
>
> Instead of Chromium IPC macro-defined messages or Mojo, Chrome on Linux
> uses hand-pickled IPC messages through a special purpose file descriptor
> to send messages from the renderer to the browser host in order to
> access FontConfig for font matching and font fallback. This system is
> described in docs/linux_sandbox_ipc.md.
>
> For the "Font Matching by Full Font Name / PS Name" effort, see issue
> 828317, additional out of process font methods are needed. Instead of
> adding them to this legacy hand-written IPC, we modernize the Linux
> Sandbox IPC mechanism and upgrade it to using Mojo interface definitions
> and a service architecture, in which a font service running in an
> unsandboxed utility process answers FontConfig requests from the
> renderer.
>
> Previous CLs [1], [2] prepared the Font Service to have testing and
> additional font fallback and render-style-for-strike methods. Now we can
> move Blink over to using this Mojo interface and remove the traditional
> sandbox IPC handlers since we do not use the file descriptor based IPC
> anymore for FontConfig access.
>
> For more details, please refer to the design doc in issue 839344.
>
> [1] https://chromium-review.googlesource.com/c/chromium/src/+/1091754
> [2] https://chromium-review.googlesource.com/c/chromium/src/+/1087951
>
> Bug: 855021
> Change-Id: I0f30a726621026566f50402afed00c92940b702c
> Reviewed-on: https://chromium-review.googlesource.com/1109964
> Commit-Queue: Dominik Röttsches <drott@chromium.org>
> Reviewed-by: Sami Kyöstilä <skyostil@chromium.org>
> Reviewed-by: Michael Giuffrida <michaelpg@chromium.org>
> Reviewed-by: Robert Sesek <rsesek@chromium.org>
> Reviewed-by: Luke Halliwell <halliwell@chromium.org>
> Reviewed-by: Lei Zhang <thestig@chromium.org>
> Reviewed-by: Antoine Labour <piman@chromium.org>
> Reviewed-by: Emil A Eklund <eae@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#572540}
TBR=rkc@chromium.org,thestig@chromium.org,michaelpg@chromium.org,eae@chromium.org,skyostil@chromium.org,servolk@chromium.org,slan@chromium.org,drott@chromium.org,halliwell@chromium.org,rsesek@chromium.org,piman@chromium.org
Change-Id: I290a80ed3f36443d91ec7e082d42f01871ffdba9
No-Presubmit: true
No-Tree-Checks: true
No-Try: true
Bug: 855021, 860349
Reviewed-on: https://chromium-review.googlesource.com/1126719
Reviewed-by: Makoto Shimazu <shimazu@chromium.org>
Commit-Queue: Makoto Shimazu <shimazu@chromium.org>
Cr-Commit-Position: refs/heads/master@{#572709}
Instead of Chromium IPC macro-defined messages or Mojo, Chrome on Linux
uses hand-pickled IPC messages through a special purpose file descriptor
to send messages from the renderer to the browser host in order to
access FontConfig for font matching and font fallback. This system is
described in docs/linux_sandbox_ipc.md.
For the "Font Matching by Full Font Name / PS Name" effort, see issue
828317, additional out of process font methods are needed. Instead of
adding them to this legacy hand-written IPC, we modernize the Linux
Sandbox IPC mechanism and upgrade it to using Mojo interface definitions
and a service architecture, in which a font service running in an
unsandboxed utility process answers FontConfig requests from the
renderer.
Previous CLs [1], [2] prepared the Font Service to have testing and
additional font fallback and render-style-for-strike methods. Now we can
move Blink over to using this Mojo interface and remove the traditional
sandbox IPC handlers since we do not use the file descriptor based IPC
anymore for FontConfig access.
For more details, please refer to the design doc in issue 839344.
[1] https://chromium-review.googlesource.com/c/chromium/src/+/1091754
[2] https://chromium-review.googlesource.com/c/chromium/src/+/1087951
Bug: 855021
Change-Id: I0f30a726621026566f50402afed00c92940b702c
Reviewed-on: https://chromium-review.googlesource.com/1109964
Commit-Queue: Dominik Röttsches <drott@chromium.org>
Reviewed-by: Sami Kyöstilä <skyostil@chromium.org>
Reviewed-by: Michael Giuffrida <michaelpg@chromium.org>
Reviewed-by: Robert Sesek <rsesek@chromium.org>
Reviewed-by: Luke Halliwell <halliwell@chromium.org>
Reviewed-by: Lei Zhang <thestig@chromium.org>
Reviewed-by: Antoine Labour <piman@chromium.org>
Reviewed-by: Emil A Eklund <eae@chromium.org>
Cr-Commit-Position: refs/heads/master@{#572540}
The device scale factor that is configured in the browser process, for example
through Gtk environment settings, or through the command line flag
--force-scale-factor is not always identical with the one in the renderer
process. The renderer process DSF can also be configured through TestingInternals
and other configuration mechanisms. So these two can go out of sync and do not
have the same semantics. As a solution, pass the DSF from Blink via IPC to
identify the intended rasterization settings for a system font.
Rebaselines are needed for those tests where the DSF settings in browser and
renderer went out of sync.
Overall, this CL is preparation for moving the Sandbox IPC functions to Mojo
instead of the current file descriptor communication approach. Also, addressing
an older TODO about not passing size and is_bold, is_italic in one variable.
Bug: 845468
Change-Id: I6fbe5c906f31f2e8872296404ffa269fbeb652f0
Reviewed-on: https://chromium-review.googlesource.com/1071512
Commit-Queue: Dominik Röttsches <drott@chromium.org>
Reviewed-by: Antoine Labour <piman@chromium.org>
Reviewed-by: Jochen Eisinger <jochen@chromium.org>
Cr-Commit-Position: refs/heads/master@{#565068}
These are required when a namespace sandbox is engaged, so put this code
adjacent to the namespace sandbox. Put both the client and server code
for the interceptor into the same file.
A few symbols have to move lower down to avoid a
/sandbox -> /services/service_manager dependency.
Pass the result of GetSandboxFD() at init time to avoid a
/sandbox -> /content dependency.
Duplicate a small bit of code to write a reply.
Bug: 781334
Change-Id: I0ddaba96cc7feea3d78612219b24370e43dc90f7
Reviewed-on: https://chromium-review.googlesource.com/882281
Reviewed-by: Robert Sesek <rsesek@chromium.org>
Reviewed-by: Antoine Labour <piman@chromium.org>
Commit-Queue: Tom Sepez <tsepez@chromium.org>
Cr-Commit-Position: refs/heads/master@{#531803}
The sandbox_linux.cc in service_manager is not the same as in content,
so move it into the deprecated:: namespace to avoid conflicts. A subsequent
CL will replace the old one with the new one, but requires some effort
since the APIs have diverged.
Bug: 708738
Change-Id: I3534090b1b245fd96659ce494d559d8ac8f74aab
Reviewed-on: https://chromium-review.googlesource.com/738317
Commit-Queue: Tom Sepez <tsepez@chromium.org>
Reviewed-by: John Abd-El-Malek <jam@chromium.org>
Cr-Commit-Position: refs/heads/master@{#511863}
This is for consistency with classes SandboxWin and SandboxMac.
Also rename
services/service_manager/public/cpp/standalone_service/linux_sandbox.h
services/service_manager/public/cpp/standalone_service/linux_sandbox.cc
to match the convention. These are files duplicated from content that will
become obsolete once the real content files are moved to service manager.
Bug: 708738
Change-Id: I4a376c8e1d63987bc298df4c0b0a3dccb4301b2f
Reviewed-on: https://chromium-review.googlesource.com/734323
Reviewed-by: Mark Seaborn <mseaborn@chromium.org>
Reviewed-by: John Abd-El-Malek <jam@chromium.org>
Reviewed-by: Robert Sesek <rsesek@chromium.org>
Commit-Queue: Tom Sepez <tsepez@chromium.org>
Cr-Commit-Position: refs/heads/master@{#511265}
This patch does the following:
- Renames render_sandbox_host_linux to sandbox_host_linux
- Moves it from content/browser/renderer_host/ to content/browser/
- Moves sandbox_ipc_linux from content/browser/renderer_host/ to content/browser/
- Updates names in those classes to refer to "sandboxed process" instead of "renderer"
This patch does not affect any behavior.
The motivation for this is the development of out of process rasterization, which
will start rasterizing content on the gpu process. This means that similar access
will be needed from the gpu process as is now required from the renderer process
(specifically font access via FontConfigIPC). Renaming these classes makes it
more clear that there are other processes other than the renderer that use it.
Change-Id: I4d78f3f186f03cc7ad72dab41a7065cc97827180
Reviewed-on: https://chromium-review.googlesource.com/656063
Commit-Queue: Vladimir Levin <vmpstr@chromium.org>
Reviewed-by: Jorge Lucangeli Obes <jorgelo@chromium.org>
Reviewed-by: Antoine Labour <piman@chromium.org>
Cr-Commit-Position: refs/heads/master@{#501084}