Fix appcache_fuzzer to register renderer process ID that it uses with CPSP.

When the fuzzer runs, it generates calls to create AppCacheHosts with a renderer process ID of 1 (passed via a call to CreateBackend()). After r736660, AppCacheHost's constructor creates a ChildProcessSecurityPolicyImpl::Handle for that process ID, but the handle ends up being invalid because there's no SecurityState registered for that process ID in the fuzzer's environment. That triggers DCHECKs when the fuzzer runs because the handle isn't valid. Fix this by registering the test process ID with ChildProcessSecurityPolicy during fuzzer initialization. Bug: 1047638 Change-Id: I72154b46e89ffa8fceea18757b966593a5452aaa Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2034085Reviewed-by: Marijn Kruisselbrink <mek@chromium.org> Commit-Queue: Alex Moshchuk <alexmos@chromium.org> Cr-Commit-Position: refs/heads/master@{#737842}

Fix appcache_fuzzer to register renderer process ID that it uses with CPSP.
When the fuzzer runs, it generates calls to create AppCacheHosts with a renderer process ID of 1 (passed via a call to CreateBackend()). After r736660, AppCacheHost's constructor creates a ChildProcessSecurityPolicyImpl::Handle for that process ID, but the handle ends up being invalid because there's no SecurityState registered for that process ID in the fuzzer's environment. That triggers DCHECKs when the fuzzer runs because the handle isn't valid. Fix this by registering the test process ID with ChildProcessSecurityPolicy during fuzzer initialization. Bug: 1047638 Change-Id: I72154b46e89ffa8fceea18757b966593a5452aaa Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2034085Reviewed-by: Marijn Kruisselbrink <mek@chromium.org> Commit-Queue: Alex Moshchuk <alexmos@chromium.org> Cr-Commit-Position: refs/heads/master@{#737842}
f5d536ed · Alex Moshchuk · Commit Bot · 3f6bfaa4 · f5d536ed
Commit f5d536ed authored Feb 03, 2020 by Alex Moshchuk Committed by Commit Bot Feb 03, 2020
Hide whitespace changes
Inline Side-by-side

Showing with 10 additions and 1 deletion

content/browser/appcache/appcache_fuzzer.cc content/browser/appcache/appcache_fuzzer.cc +10 -1

No files found.
--- a/content/browser/appcache/appcache_fuzzer.cc
+++ b/content/browser/appcache/appcache_fuzzer.cc
@@ -12,6 +12,7 @@
 #include "base/test/test_timeouts.h"
 #include "content/browser/appcache/appcache_fuzzer.pb.h"
 #include "content/browser/appcache/chrome_appcache_service.h"
+#include "content/browser/child_process_security_policy_impl.h"
 #include "content/public/browser/browser_task_traits.h"
 #include "content/public/test/browser_task_environment.h"
 #include "content/public/test/test_browser_context.h"
@@ -41,6 +42,13 @@ struct Env {
    SetContentClient(test_content_client.get());
    SetBrowserClientForTesting(test_content_browser_client.get());
    CHECK(base::i18n::InitializeICU());
+    // Ensure the process ID that will be used for creating the appcache
+    // backend is registered with ChildProcessSecurityPolicy.  This avoids
+    // hitting DCHECKs that its associated
+    // ChildProcessSecurityPolicyImpl::Handle() is invalid.
+    ChildProcessSecurityPolicyImpl::GetInstance()->Add(kProcessId,
+                                                       &test_browser_context);
  }
  void InitializeAppCacheService(
@@ -61,6 +69,7 @@ struct Env {
  std::unique_ptr<TestContentClient> test_content_client;
  std::unique_ptr<TestContentBrowserClient> test_content_browser_client;
  TestBrowserContext test_browser_context;
+  const int kProcessId = 1;
  // used by ICU integration.
  base::AtExitManager at_exit_manager;
@@ -143,7 +152,7 @@ DEFINE_BINARY_PROTO_FUZZER(const fuzzing::proto::Session& session) {
  mojo::Remote<blink::mojom::AppCacheBackend> host;
  SingletonEnv().appcache_service->CreateBackend(
-      /*process_id=*/1, /*routing_id=*/MSG_ROUTING_NONE,
+      SingletonEnv().kProcessId, /*routing_id=*/MSG_ROUTING_NONE,
      host.BindNewPipeAndPassReceiver());
  std::map<int, mojo::Remote<blink::mojom::AppCacheHost>> registered_hosts;