Member fields are supposed to be initialized in the order they are
declared, but the constructor of GeckoChildProcessHost initialized
mDelegate prior to mSandboxLevel. This is probably harmless, but it
does cause a warning on clang-cl, so let's fix it.
Having HASH_NODE_ID_WITH_DEVICE_ID #defined is enough for GMPLoader to start
using the Mac version of GetRawMachineId.
Note: The stack (that may contain information gathered during GetRawMachineId)
is not erased, so it could theoretically be possible for a compromised GMP to
find out some sensitive user information. Another bug will deal with this.
The bulk of this commit was generated with a script, executed at the top
level of a typical source code checkout. The only non-machine-generated
part was modifying MFBT's moz.build to reflect the new naming.
CLOSED TREE makes big refactorings like this a piece of cake.
# The main substitution.
find . -name '*.cpp' -o -name '*.cc' -o -name '*.h' -o -name '*.mm' -o -name '*.idl'| \
xargs perl -p -i -e '
s/nsRefPtr\.h/RefPtr\.h/g; # handle includes
s/nsRefPtr ?</RefPtr</g; # handle declarations and variables
'
# Handle a special friend declaration in gfx/layers/AtomicRefCountedWithFinalize.h.
perl -p -i -e 's/::nsRefPtr;/::RefPtr;/' gfx/layers/AtomicRefCountedWithFinalize.h
# Handle nsRefPtr.h itself, a couple places that define constructors
# from nsRefPtr, and code generators specially. We do this here, rather
# than indiscriminantly s/nsRefPtr/RefPtr/, because that would rename
# things like nsRefPtrHashtable.
perl -p -i -e 's/nsRefPtr/RefPtr/g' \
mfbt/nsRefPtr.h \
xpcom/glue/nsCOMPtr.h \
xpcom/base/OwningNonNull.h \
ipc/ipdl/ipdl/lower.py \
ipc/ipdl/ipdl/builtin.py \
dom/bindings/Codegen.py \
python/lldbutils/lldbutils/utils.py
# In our indiscriminate substitution above, we renamed
# nsRefPtrGetterAddRefs, the class behind getter_AddRefs. Fix that up.
find . -name '*.cpp' -o -name '*.h' -o -name '*.idl' | \
xargs perl -p -i -e 's/nsRefPtrGetterAddRefs/RefPtrGetterAddRefs/g'
if [ -d .git ]; then
git mv mfbt/nsRefPtr.h mfbt/RefPtr.h
else
hg mv mfbt/nsRefPtr.h mfbt/RefPtr.h
fi
This commit was generated using the following script, executed at the
top level of a typical source code checkout.
# Don't modify select files in mfbt/ because it's not worth trying to
# tease out the dependencies currently.
#
# Don't modify anything in media/gmp-clearkey/0.1/ because those files
# use their own RefPtr, defined in their own RefCounted.h.
find . -name '*.cpp' -o -name '*.h' -o -name '*.mm' -o -name '*.idl'| \
grep -v 'mfbt/RefPtr.h' | \
grep -v 'mfbt/nsRefPtr.h' | \
grep -v 'mfbt/RefCounted.h' | \
grep -v 'media/gmp-clearkey/0.1/' | \
xargs perl -p -i -e '
s/mozilla::RefPtr/nsRefPtr/g; # handle declarations in headers
s/\bRefPtr</nsRefPtr</g; # handle local variables in functions
s#mozilla/RefPtr.h#mozilla/nsRefPtr.h#; # handle #includes
s#mfbt/RefPtr.h#mfbt/nsRefPtr.h#; # handle strange #includes
'
# |using mozilla::RefPtr;| is OK; |using nsRefPtr;| is invalid syntax.
find . -name '*.cpp' -o -name '*.mm' | xargs sed -i -e '/using nsRefPtr/d'
# RefPtr.h used |byRef| for dealing with COM-style outparams.
# nsRefPtr.h uses |getter_AddRefs|.
# Fixup that mismatch.
find . -name '*.cpp' -o -name '*.h'| \
xargs perl -p -i -e 's/byRef/getter_AddRefs/g'
A lot of existing code has variations on:
if (ManagedPFooChild().Length()) {
...(ManagedPFooChild()[0])...
}
// Do something with nullptr, or some other action.
It's pretty reasonable to repeat this code when the managed protocols
are stored in an array; the code gets much less nice when managed
protocols are stored in a hashtable. Let's write a small utility
function to handle those details for us. Then when we change the
underlying storage, we only need to update this function, rather than a
bunch of callsites.
ProtocolUtils.h is included by all the generated IPDL headers, so
LoneManagedOrNull should be available everywhere the above pattern would
be encountered.
Similar to the last patch, we copy any sub-protocols a protocol owns
before destroying the sub-protocols. We do this to ensure a stable
iteration over the sub-protocols, as destroying a sub-protocol may
trigger other sub-protocol deletions. Let's permit an existing
interface method to do the copying for us, so if the details of how we
store sub-protocols change, this call site is insulated from the
details.
In $PROTOCOL::CloneManages, we reach directly into the other protocol's
sub-protocol arrays to copy them. It would be better, from a
fewer-places-to-modify-when-things-change point of view if we used the
$PROTOCOL::Managed$SUBPROTOCOL array getter that already exists for this
purpose. A good compiler should be able to remove the function call
overhead...but cloning managees is probably expensive anyway, so a
function call here doesn't matter much.
It's not immediately obvious to me why we clone and then iterate over
the clone, rather than iterating directly, but perhaps there are subtle
IPDL dragons lurking hereabouts.
The functions:
- _callCxxArrayInsertSorted
- _callCxxArrayRemoveSorted
- _callCxxArrayClear
- _cxxArrayHasElementSorted
are only ever used to touch the managed sub-protocol arrays of a
protocol. It would be better if they reflected the *intent* of what
they were doing, rather than what C++ function they were calling, since
we're about to change that.
Windows messages can trigger sync ipc messages to the child process. That
means if we handle windows messages while waiting for the response to a sync
a11y ipc message we can end up reentering the code to send ipc messages which
is bad. Try and avoid this situation by not handling windows messages while
waiting for a sync a11y message.
Like the last patch, the motivation is to remove a GetVersionEx() call which
triggers deprecation warnings.
Because Windows XP SP2 is the earliest Windows version we support, two of the
existing uses of GetWinVersion() could be removed, because they were checking
for XP or earlier. One other Vista check could be replaced with
mozilla::IsVistaOrLater().
The motivation here is to remove the GetVersionEx() calls in the
Windows-specific code, because that function is deprecated and causes warnings.
The non-Windows versions come along for the ride.
Two parts.
- Most of the common stuff goes into the new libeventcommon.mozbuild file.
- A little bit of common bsd/linux stuff factored out in
ipc/chromium/moz.build.
I originally tried putting it in ipc/chromium/src/third_party/libevent/, but
that directory already has a Makefile.in file, which caused problems, so I
moved it down one directory.
We get the following warnings with clang.
> ipc/chromium/src/base/time_posix.cc:103:57: error: overflow in expression; result is 0 with type 'long' [-Werror,-Winteger-overflow]
> ipc/chromium/src/base/time_posix.cc:106:58: error: overflow in expression; result is -1000 with type 'long' [-Werror,-Winteger-overflow]
This is a genuine bug. The upstream code in Chromium has changed (commit
2a278516943eee02e0206506a4b907fc0b55f27b) and this patch changes our code to be
similar. I did tests and confirmed that instead of getting 0 or -1 for
|milliseconds|, we now get -2147483648000 or 2147483647999, which is much
better.
The code for packing and unpacking IPC messages does currently not
output detailed error message. This patch adds macros that display
information about the failed operation and arguments. The overhead
of the macros is small and the fast path can be inlined.
The patch removes 455 occurrences of FAIL_ON_WARNINGS from moz.build files, and
adds 78 instances of ALLOW_COMPILER_WARNINGS. About half of those 78 are in
code we control and which should be removable with a little effort.
When the parent process has trouble deserializing an IPC message from the content
process, it originally killed that content process. This doesn't result in us
creating a crash report (and doing so is difficult if the FatalError is hit
off main thread). We now crash the parent process if we hit such a FatalError
in the parent process. This will hopefully give us an idea of how frequent
these FatalErrors are, since up until now we've been getting no crash data
for them.
This is motivated by three separate but related problems:
1. Our concept of recursion depth is broken for things that run from AfterProcessNextEvent observers (e.g. Promises). We decrement the recursionDepth counter before firing observers, so a Promise callback running at the lowest event loop depth has a recursion depth of 0 (whereas a regular nsIRunnable would be 1). This is a problem because it's impossible to distinguish a Promise running after a sync XHR's onreadystatechange handler from a top-level event (since the former runs with depth 2 - 1 = 1, and the latter runs with just 1).
2. The nsIThreadObserver mechanism that is used by a lot of code to run "after" the current event is a poor fit for anything that runs script. First, the order the observers fire in is the order they were added, not anything fixed by spec. Additionally, running script can cause the event loop to spin, which is a big source of pain here (bholley has some nasty bug caused by this).
3. We run Promises from different points in the code for workers and main thread. The latter runs from XPConnect's nsIThreadObserver callbacks, while the former runs from a hardcoded call to run Promises in the worker event loop. What workers do is particularly problematic because it means we can't get the right recursion depth no matter what we do to nsThread.
The solve this, this patch does the following:
1. Consolidate some handling of microtasks and all handling of stable state from appshell and WorkerPrivate into CycleCollectedJSRuntime.
2. Make the recursionDepth counter only available to CycleCollectedJSRuntime (and its consumers) and remove it from the nsIThreadInternal and nsIThreadObserver APIs.
3. Adjust the recursionDepth counter so that microtasks run with the recursionDepth of the task they are associated with.
4. Introduce the concept of metastable state to replace appshell's RunBeforeNextEvent. Metastable state is reached after every microtask or task is completed. This provides the semantics that bent and I want for IndexedDB, where transactions autocommit at the end of a microtask and do not "spill" from one microtask into a subsequent microtask. This differs from appshell's RunBeforeNextEvent in two ways:
a) It fires between microtasks, which was the motivation for starting this.
b) It no longer ensures that we're at the same event loop depth in the native event queue. bent decided we don't care about this.
5. Reorder stable state to happen after microtasks such as Promises, per HTML. Right now we call the regular thread observers, including appshell, before the main thread observer (XPConnect), so stable state tasks happen before microtasks.
This allows us to send a sync fork request to the Nuwa process when we need one but there is no
spare process available. After an app is launched, the request to fork a spare process is still
handled asynchronously.
This also moves the initialization of the sandbox TargetServices to earlier in
plugin-container.cpp content_process_main, because it needs to happen before
xul.dll loads.
The current situation looks like this: Firefox launches the plugin-container
with two environment variables set:
LD_LIBRARY_PATH=$FIREFOX_DIR:$LD_LIBRARY_PATH
LD_PRELOAD=$FIREFOX_DIR/libmozgtk2.so:$LD_PRELOAD
libxul.so has a dependency on libmozgtk.so (without "2"), but libmozgtk2.so
has a SONAME of libmozgtk.so, so ld.so recognizes libmozgtk2.so as a
dependency of libxul.so, and uses it instead of the actual libmozgtk.so,
making the plugin-container use Gtk+2 instead of Gtk+3 to load Gtk+2 plugins.
Now, ASan sets things up in shared libraries such that they needs a symbol
from the executable binary. So in the case of plugin-container, the
plugin-container executable itself contains some ASan symbols such as
__asan_init_v3. libmozgtk2.so, OTOH, contains an undefined weak reference to
that symbol, like all other Firefox shared libraries.
Since libmozgtk2.so is LD_PRELOADed, it is loaded _before_ the
plugin-container executable, and __asan_init_v3 can't be resolved.
Disabling ASan for libmozgtk2.so would be a possibility, but the build system
doesn't really know how to do that, and filtering out -fsanitize=address
can be fragile.
The alternative possibility, implemented here, is to change the library
loading strategy, renaming libmozgtk2.so to gtk2/libmozgtk.so, and setting
the following environment variable when Firefox launches the plugin-container:
LD_LIBRARY_PATH=$FIREFOX_DIR/gtk2:$FIREFOX_DIR:$LD_LIBRARY_PATH
There are a variety of ways that the parent and child process ensure that
the child process exits quickly in opt builds, but for AddressSanitizer
builds we want to let the child process to run to completion, so that we
can get a LeakSanitizer report.
This requires adding some addition LSan suppressions, because running
LSan in child processes detects some new leaks.
The new daemon runnables are generalized implementations of the
Bluetooth daemon runnables. The code is unchanged, except for name
changes and fixes to the coding style.
The new daemon runnables are generalized implementations of the
Bluetooth daemon runnables. The code is unchanged, except for name
changes and fixes to the coding style.
The shutdown procedure for socket classes ensures that the I/O class is
deleted independently from its socket class. If the socket class has been
deleted, no I/O is performed and no socket events are forwarded. The I/O
class therefore doesn't require a strong reference to its socket class.
This patch removes the remaining ref-counted pointers from the socket I/O
classes. The socket class clears the weak reference in its socket I/O class
when closing the socket.
This patch finally breaks up forwarding received RIL messages to the
main thread before they go to the RIL worker. Any RIL message that is
received on th I/O thread is forwarded directly to the RIL worker
thread and handed over to the RIL worker JS code.
The patch includes a number of changes. They all depend on each other,
so there's no good way of landing them one-by-one.
* |RilConsumer| now runs on the RIL worker thread.
* |RilWorker| uses tasks to register/unregister |RilConsumer| in the worker.
* |RilConsumer| uses |RilSocket| instead of |StreamSocket|.
* With |RilSocket|, received RIL messages do not go through main. They are
forwared to the RIL worker and handed over to JS immediately.
This patch separates the current interface of |RilConsumer| into
two distinct classes. |RilWorker| provides the public interface
and |RilConsumer| provides the internal implementation. Running
|RilConsumer| on a worker thread will be easier this way.
With this patch, |RilSocket| and it's helpers forward received data
via a WCTD. This will hand over the worker's JS context to the RIL
consumer.
In a later patch, the RIL consumer will be moved onto the RIL worker
thread and call the JS ril-worker code directly.
|RilSocket| and |RilSocketConsumer| are copies of the respective stream-
socket classes. Improvements to the RIL I/O code will be implemented on
top of the new classes.
This patch finally breaks up forwarding received RIL messages to the
main thread before they go to the RIL worker. Any RIL message that is
received on th I/O thread is forwarded directly to the RIL worker
thread and handed over to the RIL worker JS code.
The patch includes a number of changes. They all depend on each other,
so there's no good way of landing them one-by-one.
* |RilConsumer| now runs on the RIL worker thread.
* |RilWorker| uses tasks to register/unregister |RilConsumer| in the worker.
* |RilConsumer| uses |RilSocket| instead of |StreamSocket|.
* With |RilSocket|, received RIL messages do not go through main. They are
forwared to the RIL worker and handed over to JS immediately.
This patch separates the current interface of |RilConsumer| into
two distinct classes. |RilWorker| provides the public interface
and |RilConsumer| provides the internal implementation. Running
|RilConsumer| on a worker thread will be easier this way.
With this patch, |RilSocket| and it's helpers forward received data
via a WCTD. This will hand over the worker's JS context to the RIL
consumer.
In a later patch, the RIL consumer will be moved onto the RIL worker
thread and call the JS ril-worker code directly.
|RilSocket| and |RilSocketConsumer| are copies of the respective stream-
socket classes. Improvements to the RIL I/O code will be implemented on
top of the new classes.
The bulk of this commit was generated by running:
run-clang-tidy.py \
-checks='-*,llvm-namespace-comment' \
-header-filter=^/.../mozilla-central/.* \
-fix
