Refactor IPC fuzzer.

1. New directory structure to accomodate replay, mutate and an upcoming message_lib components. 2. Break ipc_fuzzer_main.cc into replay.cc + replay_process.[cc|h]. BUG=260848 Review URL: https://codereview.chromium.org/106163003 git-svn-id: svn://svn.chromium.org/chrome/trunk/src@239206 0039d316-1c4b-4281-b951-d872f2087c98

Refactor IPC fuzzer.
1. New directory structure to accomodate replay, mutate and an upcoming message_lib components. 2. Break ipc_fuzzer_main.cc into replay.cc + replay_process.[cc|h]. BUG=260848 Review URL: https://codereview.chromium.org/106163003 git-svn-id: svn://svn.chromium.org/chrome/trunk/src@239206 0039d316-1c4b-4281-b951-d872f2087c98
e90d0f33 · aedla@chromium.org · 2d9f4513 · e90d0f33 · e90d0f33 · e90d0f33
Commit e90d0f33 authored Dec 06, 2013 by aedla@chromium.org
9 changed files
--- a/tools/ipc_fuzzer/ipc_fuzzer.gyp
+++ b/tools/ipc_fuzzer/ipc_fuzzer.gyp
@@ -9,19 +9,11 @@
  'targets': [
    {
      'target_name': 'ipc_fuzzer',
-      'type': 'executable',
+      'type': 'none',
      'dependencies': [
-        '../../base/base.gyp:base',
-        '../../ipc/ipc.gyp:ipc',
-        '../../chrome/chrome.gyp:common',
-      ],
-      'sources': [
-        'ipc_fuzzer_main.cc',
-      ],
-      'include_dirs': [
-        '../..',
+        'mutate/mutate.gyp:ipc_fuzzer_mutate',
+        'replay/replay.gyp:ipc_fuzzer_replay',
      ],
    },
  ],
 }
-
--- a/tools/ipc_fuzzer/mutate/mutate.cc
+++ b/tools/ipc_fuzzer/mutate/mutate.cc
+// Copyright 2013 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#include <stdlib.h>
+
+int main(int argc, const char** argv) {
+  // TODO(aedla): Implement mutator.
+  return EXIT_SUCCESS;
+}
--- a/tools/ipc_fuzzer/mutate/mutate.gyp
+++ b/tools/ipc_fuzzer/mutate/mutate.gyp
+# Copyright 2013 The Chromium Authors. All rights reserved.
+# Use of this source code is governed by a BSD-style license that can be
+# found in the LICENSE file.
+
+{
+  'variables': {
+    'chromium_code': 1,
+  },
+  'targets': [
+    {
+      'target_name': 'ipc_fuzzer_mutate',
+      'type': 'executable',
+      'dependencies': [
+      ],
+      'sources': [
+        'mutate.cc',
+      ],
+      'include_dirs': [
+        '../..',
+      ],
+    },
+  ],
+}
--- a/tools/ipc_fuzzer/play_testcase.py
+++ b/tools/ipc_fuzzer/play_testcase.py
@@ -40,7 +40,7 @@ def main():
    print 'chrome executable not found.'
    return 1

-  fuzzer_path = os.path.join(build_dir, 'ipc_fuzzer')
+  fuzzer_path = os.path.join(build_dir, 'ipc_fuzzer_replay')
  if not os.path.exists(fuzzer_path):
    print fuzzer_path + ' not found.'
    print ('Please use enable_ipc_fuzzer=1 GYP define and '
@@ -59,6 +59,7 @@ def main():
    chrome_path,
    '--ipc-fuzzer-testcase=' + sys.argv[-1],
    '--no-sandbox',
+    '--disable-kill-after-bad-ipc',
  ]

  launchers = {}

--- a/tools/ipc_fuzzer/DEPS
+++ b/tools/ipc_fuzzer/DEPS
--- a/tools/ipc_fuzzer/replay/replay.cc
+++ b/tools/ipc_fuzzer/replay/replay.cc
+// Copyright 2013 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#include <stdlib.h>
+#include "tools/ipc_fuzzer/replay/replay_process.h"
+
+int main(int argc, const char** argv) {
+  ipc_fuzzer::ReplayProcess replay;
+  if (!replay.Initialize(argc, argv))
+    return EXIT_FAILURE;
+
+  replay.OpenChannel();
+
+  if (!replay.OpenTestcase())
+    return EXIT_FAILURE;
+
+  replay.Run();
+  return EXIT_SUCCESS;
+}
--- a/tools/ipc_fuzzer/replay/replay.gyp
+++ b/tools/ipc_fuzzer/replay/replay.gyp
+# Copyright 2013 The Chromium Authors. All rights reserved.
+# Use of this source code is governed by a BSD-style license that can be
+# found in the LICENSE file.
+
+{
+  'variables': {
+    'chromium_code': 1,
+  },
+  'targets': [
+    {
+      'target_name': 'ipc_fuzzer_replay',
+      'type': 'executable',
+      'dependencies': [
+        '../../../base/base.gyp:base',
+        '../../../chrome/chrome.gyp:common',
+        '../../../ipc/ipc.gyp:ipc',
+      ],
+      'sources': [
+        'replay.cc',
+        'replay_process.cc',
+        'replay_process.h',
+      ],
+      'include_dirs': [
+        '../..',
+      ],
+    },
+  ],
+}
--- a/tools/ipc_fuzzer/ipc_fuzzer_main.cc
+++ b/tools/ipc_fuzzer/ipc_fuzzer_main.cc
@@ -2,80 +2,43 @@
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.

-#include <limits.h>
-#include <list>
+#include "tools/ipc_fuzzer/replay/replay_process.h"

+#include <limits.h>
+#include <string>
 #include "base/bind.h"
 #include "base/command_line.h"
-#include "base/files/memory_mapped_file.h"
+#include "base/files/file_path.h"
 #include "base/logging.h"
-#include "base/memory/scoped_ptr.h"
-#include "base/message_loop/message_loop.h"
 #include "base/posix/global_descriptors.h"
 #include "base/stl_util.h"
-#include "base/synchronization/waitable_event.h"
-#include "base/threading/thread.h"
-#include "base/timer/timer.h"
 #include "chrome/common/chrome_switches.h"
-#include "ipc/ipc_channel_proxy.h"
 #include "ipc/ipc_descriptors.h"
-#include "ipc/ipc_listener.h"
-#include "ipc/ipc_message.h"
-#include "ipc/ipc_platform_file.h"
 #include "ipc/ipc_switches.h"

-namespace {
-
-class IpcFuzzerProcess : public IPC::Listener {
- public:
-  IpcFuzzerProcess();
-  virtual ~IpcFuzzerProcess();
-
-  // Set up command line, logging, IO thread.
-  void Initialize(int argc, const char **argv);
-
-  // Open a channel to the browser process. It will think we are a renderer.
-  void OpenChannel();
-
-  // Extract messages from a file specified by --ipc-fuzzer-testcase=.
-  bool OpenTestcase();
-
-  // Trigger the sending of messages to the browser.
-  void StartSendingMessages();
-
-  // IPC::Listener implementation.
-  virtual bool OnMessageReceived(const IPC::Message& message) OVERRIDE;
-  virtual void OnChannelError() OVERRIDE;
+namespace ipc_fuzzer {

- private:
-  bool ExtractMessages(const char *data, size_t len);
-  void SendNextMessage();
-
-  scoped_ptr<IPC::ChannelProxy> channel_;
-  base::MessageLoop main_loop_;
-  base::Thread io_thread_;
-  base::WaitableEvent shutdown_event_;
-  scoped_ptr<base::Timer> timer_;
-  scoped_ptr<base::MemoryMappedFile> testcase_map_;
-  std::list<IPC::Message*> messages_;
-
-  DISALLOW_COPY_AND_ASSIGN(IpcFuzzerProcess);
-};
-
-IpcFuzzerProcess::IpcFuzzerProcess()
+ReplayProcess::ReplayProcess()
    : main_loop_(base::MessageLoop::TYPE_DEFAULT),
      io_thread_("Chrome_ChildIOThread"),
      shutdown_event_(true, false) {
 }

-IpcFuzzerProcess::~IpcFuzzerProcess() {
+ReplayProcess::~ReplayProcess() {
  channel_.reset();
  STLDeleteElements(&messages_);
 }

-void IpcFuzzerProcess::Initialize(int argc, const char **argv) {
+bool ReplayProcess::Initialize(int argc, const char** argv) {
  CommandLine::Init(argc, argv);

+  if (!CommandLine::ForCurrentProcess()->HasSwitch(
+      switches::kIpcFuzzerTestcase)) {
+    LOG(ERROR) << "This binary shouldn't be executed directly, "
+               << "please use tools/ipc_fuzzer/play_testcase.py";
+    return false;
+  }
+
  // Log to default destination.
  logging::SetMinLogLevel(logging::LOG_ERROR);
  logging::InitLogging(logging::LoggingSettings());
@@ -83,14 +46,13 @@ void IpcFuzzerProcess::Initialize(int argc, const char **argv) {
  io_thread_.StartWithOptions(
      base::Thread::Options(base::MessageLoop::TYPE_IO, 0));

-#if defined(OS_POSIX)
  base::GlobalDescriptors* g_fds = base::GlobalDescriptors::GetInstance();
  g_fds->Set(kPrimaryIPCChannel,
             kPrimaryIPCChannel + base::GlobalDescriptors::kBaseDescriptor);
-#endif
+  return true;
 }

-void IpcFuzzerProcess::OpenChannel() {
+void ReplayProcess::OpenChannel() {
  std::string channel_name =
      CommandLine::ForCurrentProcess()->GetSwitchValueASCII(
          switches::kProcessChannelID);
@@ -102,18 +64,20 @@ void IpcFuzzerProcess::OpenChannel() {
                            io_thread_.message_loop_proxy()));
 }

-bool IpcFuzzerProcess::ExtractMessages(const char *data, size_t len) {
+bool ReplayProcess::ExtractMessages(const char *data, size_t len) {
  const char* end = data + len;

  while (data < end) {
    const char* message_tail = IPC::Message::FindNext(data, end);
-    if (!message_tail)
-      break;
+    if (!message_tail) {
+      LOG(ERROR) << "Failed to extract message";
+      return false;
+    }

    size_t len = message_tail - data;
    if (len > INT_MAX) {
      LOG(ERROR) << "Message too large";
-      break;
+      return false;
    }

    IPC::Message* message = new IPC::Message(data, len);
@@ -121,38 +85,25 @@ bool IpcFuzzerProcess::ExtractMessages(const char *data, size_t len) {
    data = message_tail;
  }

-  if (data < end) {
-    unsigned long left = end - data;
-    LOG(ERROR) << left << " bytes left while extracting messages";
-    return false;
-  }
-
  return true;
 }

-bool IpcFuzzerProcess::OpenTestcase() {
-  const CommandLine& command_line = *CommandLine::ForCurrentProcess();
-
-  if (!command_line.HasSwitch(switches::kIpcFuzzerTestcase)) {
-    LOG(ERROR) << "No IPC fuzzer testcase specified";
-    return false;
-  }
-
-  base::FilePath path =
-      command_line.GetSwitchValuePath(switches::kIpcFuzzerTestcase);
-  testcase_map_.reset(new base::MemoryMappedFile());
-  if (!testcase_map_->Initialize(path)) {
+bool ReplayProcess::OpenTestcase() {
+  base::FilePath path = CommandLine::ForCurrentProcess()->GetSwitchValuePath(
+      switches::kIpcFuzzerTestcase);
+  mapped_testcase_.reset(new base::MemoryMappedFile());
+  if (!mapped_testcase_->Initialize(path)) {
    LOG(ERROR) << "Failed to map testcase: " << path.value();
    return false;
  }

-  const char* data = reinterpret_cast<const char *>(testcase_map_->data());
-  size_t len = testcase_map_->length();
+  const char* data = reinterpret_cast<const char *>(mapped_testcase_->data());
+  size_t len = mapped_testcase_->length();

  return ExtractMessages(data, len);
 }

-void IpcFuzzerProcess::SendNextMessage() {
+void ReplayProcess::SendNextMessage() {
  if (messages_.empty()) {
    base::MessageLoop::current()->Quit();
    return;
@@ -161,38 +112,28 @@ void IpcFuzzerProcess::SendNextMessage() {
  IPC::Message* message = messages_.front();
  messages_.pop_front();

-  channel_->Send(message);
+  if (!channel_->Send(message)) {
+    LOG(ERROR) << "ChannelProxy::Send() failed";
+    base::MessageLoop::current()->Quit();
+  }
 }

-void IpcFuzzerProcess::StartSendingMessages() {
+void ReplayProcess::Run() {
  timer_.reset(new base::Timer(false, true));
  timer_->Start(FROM_HERE,
                base::TimeDelta::FromMilliseconds(1),
-                base::Bind(&IpcFuzzerProcess::SendNextMessage,
+                base::Bind(&ReplayProcess::SendNextMessage,
                           base::Unretained(this)));
+  base::MessageLoop::current()->Run();
 }

-bool IpcFuzzerProcess::OnMessageReceived(const IPC::Message& msg) {
+bool ReplayProcess::OnMessageReceived(const IPC::Message& msg) {
  return true;
 }

-void IpcFuzzerProcess::OnChannelError() {
+void ReplayProcess::OnChannelError() {
  LOG(ERROR) << "Channel error, quitting";
  base::MessageLoop::current()->Quit();
 }

-}  // namespace
-
-int main(int argc, const char **argv) {
-  IpcFuzzerProcess fuzzer;
-  fuzzer.Initialize(argc, argv);
-  fuzzer.OpenChannel();
-
-  if (!fuzzer.OpenTestcase())
-    return 0;
-
-  fuzzer.StartSendingMessages();
-
-  base::MessageLoop::current()->Run();
-  return 0;
-}
+}  // namespace ipc_fuzzer
--- a/tools/ipc_fuzzer/replay/replay_process.h
+++ b/tools/ipc_fuzzer/replay/replay_process.h
+// Copyright 2013 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#ifndef TOOLS_IPC_FUZZER_REPLAY_REPLAY_PROCESS_H_
+#define TOOLS_IPC_FUZZER_REPLAY_REPLAY_PROCESS_H_
+
+#include <list>
+
+#include "base/files/memory_mapped_file.h"
+#include "base/memory/scoped_ptr.h"
+#include "base/message_loop/message_loop.h"
+#include "base/synchronization/waitable_event.h"
+#include "base/threading/thread.h"
+#include "base/timer/timer.h"
+#include "ipc/ipc_channel_proxy.h"
+#include "ipc/ipc_listener.h"
+#include "ipc/ipc_message.h"
+
+namespace ipc_fuzzer {
+
+class ReplayProcess : public IPC::Listener {
+ public:
+  ReplayProcess();
+  virtual ~ReplayProcess();
+
+  // Set up command line, logging, IO thread. Returns true on success, false
+  // otherwise.
+  bool Initialize(int argc, const char** argv);
+
+  // Open a channel to the browser process. It will think we are a renderer.
+  void OpenChannel();
+
+  // Extract messages from a file specified by --ipc-fuzzer-testcase=
+  // Returns true on success, false otherwise.
+  bool OpenTestcase();
+
+  // Send messages to the browser.
+  void Run();
+
+  // IPC::Listener implementation.
+  virtual bool OnMessageReceived(const IPC::Message& message) OVERRIDE;
+  virtual void OnChannelError() OVERRIDE;
+
+ private:
+  bool ExtractMessages(const char *data, size_t len);
+  void SendNextMessage();
+
+  scoped_ptr<IPC::ChannelProxy> channel_;
+  base::MessageLoop main_loop_;
+  base::Thread io_thread_;
+  base::WaitableEvent shutdown_event_;
+  scoped_ptr<base::Timer> timer_;
+  scoped_ptr<base::MemoryMappedFile> mapped_testcase_;
+  std::list<IPC::Message*> messages_;
+
+  DISALLOW_COPY_AND_ASSIGN(ReplayProcess);
+};
+
+}  // namespace ipc_fuzzer
+
+#endif  // TOOLS_IPC_FUZZER_REPLAY_REPLAY_PROCESS_H_