Add an IPC to force renderer crash from IO thread

Amends an existing IO-thread-bound interface in child processes to obey
a new Crash() message when received. This is to help debug child process
hangs on platforms where we don't get hang crash reports yet.

The message is used by the renderer hang monitor if it detects a hung
renderer and the user agrees to kill it. Crashes resulting from this
change should provide some insight into why renderers are hanging on
Chrome OS.

Bug: 938647
Change-Id: Ifb5dc8c2f755c4a25f3f712145e4ddb9e32a584a
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/1505832
Commit-Queue: Ken Rockot <rockot@google.com>
Reviewed-by: John Abd-El-Malek <jam@chromium.org>
Reviewed-by: Tom Sepez <tsepez@chromium.org>
Cr-Commit-Position: refs/heads/master@{#638250}

chrome/browser/ui/views/hung_renderer_view.cc

@@ -389,9 +389,15 @@ bool HungRendererDialogView::Cancel() {
   content::RenderProcessHost* rph =
       hung_pages_table_model_->GetRenderWidgetHost()->GetProcess();
   if (rph) {
+#if defined(OS_LINUX)
+    // A generic |CrashDumpHungChildProcess()| is not implemented for Linux.
+    // Instead we send an explicit IPC to crash on the renderer's IO thread.
+    rph->ForceCrash();
+#else
     // Try to generate a crash report for the hung process.
     CrashDumpHungChildProcess(rph->GetProcess().Handle());
     rph->Shutdown(content::RESULT_CODE_HUNG);
+#endif
   }
   return true;
 }

content/browser/renderer_host/render_process_host_impl.cc

@@ -1989,6 +1989,10 @@ void RenderProcessHostImpl::BindIndexedDB(
                                 std::move(request), origin));
 }
 
+void RenderProcessHostImpl::ForceCrash() {
+  child_connection_->ForceCrash();
+}
+
 void RenderProcessHostImpl::BindFileSystemManager(
     blink::mojom::FileSystemManagerRequest request) {
   DCHECK_CURRENTLY_ON(BrowserThread::UI);

content/browser/renderer_host/render_process_host_impl.h

@@ -237,6 +237,7 @@ class CONTENT_EXPORT RenderProcessHostImpl
                         const url::Origin& origin) override;
   void BindIndexedDB(blink::mojom::IDBFactoryRequest request,
                      const url::Origin& origin) override;
+  void ForceCrash() override;
   void CleanupCorbExceptionForPluginUponDestruction() override;
 
   mojom::RouteProvider* GetRemoteRouteProvider();

content/common/child.mojom

@@ -6,4 +6,8 @@ module content.mojom;
 
 // This interface encapsulates a pipe between a child and browser processes
 // that each side uses to monitor the lifetime of the connection.
-interface Child {};
+interface Child {
+  // Force the child process to crash immediately (i.e. a hard crash, no
+  // cleanup, generating a crash report).
+  Crash();
+};

content/common/service_manager/child_connection.cc

@@ -72,6 +72,13 @@ class ChildConnection::IOThreadContext
                                   std::move(process)));
   }
 
+  void ForceCrash() {
+    DCHECK(io_task_runner_);
+    io_task_runner_->PostTask(
+        FROM_HERE,
+        base::BindOnce(&IOThreadContext::ForceCrashOnIOThread, this));
+  }
+
  private:
   friend class base::RefCountedThreadSafe<IOThreadContext>;
 
@@ -104,6 +111,8 @@ class ChildConnection::IOThreadContext
     process_ = std::move(process);
   }
 
+  void ForceCrashOnIOThread() { child_->Crash(); }
+
   scoped_refptr<base::SequencedTaskRunner> io_task_runner_;
   // Usable from the IO thread only.
   std::unique_ptr<service_manager::Connector> connector_;
@@ -146,4 +155,8 @@ void ChildConnection::SetProcess(base::Process process) {
   context_->SetProcess(std::move(process));
 }
 
+void ChildConnection::ForceCrash() {
+  context_->ForceCrash();
+}
+
 }  // namespace content

content/common/service_manager/child_connection.h

@@ -59,6 +59,9 @@ class CONTENT_EXPORT ChildConnection {
   // functional until this is called.
   void SetProcess(base::Process process);
 
+  // Instructs the child process to crash immediately.
+  void ForceCrash();
+
  private:
   class IOThreadContext;
 

content/common/service_manager/service_manager_connection_impl.cc

@@ -300,6 +300,9 @@ class ServiceManagerConnectionImpl::IOThreadContext
     }
   }
 
+  // mojom::Child:
+  void Crash() override { IMMEDIATE_CRASH(); }
+
   base::ThreadChecker io_thread_checker_;
   bool started_ = false;
 

content/public/browser/render_process_host.h

@@ -486,6 +486,9 @@ class CONTENT_EXPORT RenderProcessHost : public IPC::Sender,
   // be posted back on the UI thread).
   void PostTaskWhenProcessIsReady(base::OnceClosure task);
 
+  // Forces the renderer process to crash ASAP.
+  virtual void ForceCrash() {}
+
   // Controls whether the destructor of RenderProcessHost*Impl* will end up
   // cleaning the memory used by the exception added via
   // RenderProcessHostImpl::AddCorbExceptionForPlugin.