authoraedla@chromium.org <aedla@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98>2013-11-28 16:05:14 +0000
committeraedla@chromium.org <aedla@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98>2013-11-28 16:05:14 +0000
commit8c64e289733243ed5744505869c96a5a70d8189c (patch)
treef71dd5f5c3d24eea5d053142010e71169d3e81a4 /content
parent6685a84a4783b3c809a8094b836f68168e2127a2 (diff)
IPC fuzzer child process component
The fuzzer child process takes messages from a testcase file specified by --ipc-fuzzer-testcase and sends them across IPC. The renderer process is replaced by the fuzzer process using --renderer-cmd-prefix, which is only supported under POSIX. BUG=260848 Review URL: https://codereview.chromium.org/18254010 git-svn-id: svn://svn.chromium.org/chrome/trunk/src@237795 0039d316-1c4b-4281-b951-d872f2087c98
Diffstat (limited to 'content')
-rw-r--r--content/browser/renderer_host/render_process_host_impl.cc4
-rw-r--r--content/public/browser/browser_message_filter.cc10
-rw-r--r--content/public/common/content_switches.cc5
-rw-r--r--content/public/common/content_switches.h1
4 files changed, 18 insertions, 2 deletions
diff --git a/content/browser/renderer_host/render_process_host_impl.cc b/content/browser/renderer_host/render_process_host_impl.cc
index 08e75cf..afcd81f 100644
--- a/content/browser/renderer_host/render_process_host_impl.cc
+++ b/content/browser/renderer_host/render_process_host_impl.cc
@@ -823,6 +823,10 @@ bool RenderProcessHostImpl::WaitForBackingStoreMsg(
}
void RenderProcessHostImpl::ReceivedBadMessage() {
+ CommandLine* command_line = CommandLine::ForCurrentProcess();
+ if (command_line->HasSwitch(switches::kDisableKillAfterBadIPC))
+ return;
+
if (run_renderer_in_process()) {
// In single process mode it is better if we don't suicide but just
// crash.
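Review bot: When the switch is set, the early return added at the top of ReceivedBadMessage drops the event without any trace, so a run that relies on --disable-kill-after-bad-ipc keeps no record of which messages the browser classified as bad; the same applies to the BrowserMessageFilter::BadMessageReceived hunk in browser_message_filter.cc, where the kill is likewise skipped silently. Logging before returning preserves the detection signal even though the kill is suppressed, e.g. `if (command_line->HasSwitch(switches::kDisableKillAfterBadIPC)) {` / `LOG(WARNING) << "Bad IPC message ignored: --disable-kill-after-bad-ipc is set"; return;` / `}`, assuming base/logging.h is already in scope in this file (the browser_message_filter.cc include hunk shows it is there). The body of ReceivedBadMessage continues past the end of this hunk.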
diff --git a/content/public/browser/browser_message_filter.cc b/content/public/browser/browser_message_filter.cc
index bbc6b13..cca9d30 100644
--- a/content/public/browser/browser_message_filter.cc
+++ b/content/public/browser/browser_message_filter.cc
@@ -6,11 +6,13 @@
#include "base/bind.h"
#include "base/bind_helpers.h"
+#include "base/command_line.h"
#include "base/logging.h"
#include "base/process/kill.h"
#include "base/process/process_handle.h"
#include "base/task_runner.h"
#include "content/public/browser/user_metrics.h"
+#include "content/public/common/content_switches.h"
#include "content/public/common/result_codes.h"
#include "ipc/ipc_sync_message.h"
@@ -177,8 +179,12 @@ bool BrowserMessageFilter::CheckCanDispatchOnUI(const IPC::Message& message,
}
void BrowserMessageFilter::BadMessageReceived() {
- base::KillProcess(PeerHandle(), content::RESULT_CODE_KILLED_BAD_MESSAGE,
- false);
+ CommandLine* command_line = CommandLine::ForCurrentProcess();
+
+ if (!command_line->HasSwitch(switches::kDisableKillAfterBadIPC)) {
+ base::KillProcess(PeerHandle(), content::RESULT_CODE_KILLED_BAD_MESSAGE,
+ false);
+ }
}
BrowserMessageFilter::~BrowserMessageFilter() {
diff --git a/content/public/common/content_switches.cc b/content/public/common/content_switches.cc
index 93f95c0..82aff47 100644
--- a/content/public/common/content_switches.cc
+++ b/content/public/common/content_switches.cc
@@ -245,6 +245,11 @@ const char kDisableJava[] = "disable-java";
// Don't execute JavaScript (browser JS like the new tab page still runs).
const char kDisableJavaScript[] = "disable-javascript";
+// Don't kill a child process when it sends a bad IPC message. Apart
+// from testing, it is a bad idea from a security perspective to enable
+// this switch.
+const char kDisableKillAfterBadIPC[] = "disable-kill-after-bad-ipc";
+
// Disables prefixed Encrypted Media API (e.g. webkitGenerateKeyRequest()).
const char kDisablePrefixedEncryptedMedia[] =
"disable-prefixed-encrypted-media";
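Review bot: The comment on kDisableKillAfterBadIPC says the switch is unsafe outside testing but not what it is for or where it takes effect, so a reader of content_switches.cc cannot tell which code paths honor it. This commit consults it in RenderProcessHostImpl::ReceivedBadMessage and BrowserMessageFilter::BadMessageReceived, both on the browser side, so consider extending the comment accordingly, e.g. `// Intended only for the IPC fuzzer; honored by RenderProcessHostImpl::ReceivedBadMessage` / `// and BrowserMessageFilter::BadMessageReceived, which otherwise kill the offending child.` That tells a future maintainer both the intended use and the two places to update if the kill policy changes.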
diff --git a/content/public/common/content_switches.h b/content/public/common/content_switches.h
index e7ce1a9..3d08062 100644
--- a/content/public/common/content_switches.h
+++ b/content/public/common/content_switches.h
@@ -83,6 +83,7 @@ extern const char kDisableImageTransportSurface[];
CONTENT_EXPORT extern const char kDisableJava[];
CONTENT_EXPORT extern const char kDisableJavaScript[];
extern const char kDisablePrefixedEncryptedMedia[];
+extern const char kDisableKillAfterBadIPC[];
CONTENT_EXPORT extern const char kDisableLocalStorage[];
CONTENT_EXPORT extern const char kDisableLogging[];
extern const char kDisablePepper3d[];
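Review bot: The new declaration is inserted after kDisablePrefixedEncryptedMedia, while the definition added in content_switches.cc places kDisableKillAfterBadIPC directly after kDisableJavaScript, so the two files now order the same constants differently. Moving `extern const char kDisableKillAfterBadIPC[];` one line up, above `extern const char kDisablePrefixedEncryptedMedia[];`, keeps it next to kDisableJavaScript in both files. The absence of CONTENT_EXPORT is consistent with the two uses this commit adds, both inside the content component, and only needs revisiting if code outside content ever reads the switch.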