Adding upstream version 86.0.1.upstream/86.0.1upstream

Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>

3 files changed, 178 insertions, 0 deletions

diff --git a/tools/fuzzing/ipc/ProtocolFuzzer.cpp b/tools/fuzzing/ipc/ProtocolFuzzer.cpp
new file mode 100644
index 0000000000..e2d7aae96d
--- /dev/null
+++ b/tools/fuzzing/ipc/ProtocolFuzzer.cpp
@@ -0,0 +1,37 @@
+/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
+/* vim: set ts=2 et sw=2 tw=80: */
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this file,
+ * You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+#include "mozilla/layers/CompositorBridgeParent.h"
+
+#include "ProtocolFuzzer.h"
+
+namespace mozilla {
+namespace ipc {
+
+nsTArray<nsCString> LoadIPCMessageBlacklist(const char* aPath) {
+  nsTArray<nsCString> blacklist;
+  if (aPath) {
+    nsresult result = Faulty::ReadFile(aPath, blacklist);
+    MOZ_RELEASE_ASSERT(result == NS_OK);
+  }
+  return blacklist;
+}
+
+mozilla::dom::ContentParent* ProtocolFuzzerHelper::CreateContentParent(
+    const nsACString& aRemoteType) {
+  auto* cp = new mozilla::dom::ContentParent(aRemoteType);
+  // TODO: this duplicates MessageChannel::Open
+  cp->GetIPCChannel()->mWorkerThread = GetCurrentSerialEventTarget();
+  cp->GetIPCChannel()->mMonitor = new RefCountedMonitor();
+  return cp;
+}
+
+void ProtocolFuzzerHelper::CompositorBridgeParentSetup() {
+  mozilla::layers::CompositorBridgeParent::Setup();
+}
+
+}  // namespace ipc
+}  // namespace mozilla
diff --git a/tools/fuzzing/ipc/ProtocolFuzzer.h b/tools/fuzzing/ipc/ProtocolFuzzer.h
new file mode 100644
index 0000000000..f57852038a
--- /dev/null
+++ b/tools/fuzzing/ipc/ProtocolFuzzer.h
@@ -0,0 +1,114 @@
+/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
+/* vim: set ts=2 et sw=2 tw=80: */
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this file,
+ * You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+#ifndef mozilla_ipc_ProtocolFuzzer_h
+#define mozilla_ipc_ProtocolFuzzer_h
+
+#include "chrome/common/ipc_message.h"
+
+#include "mozilla/RefPtr.h"
+#include "mozilla/UniquePtrExtensions.h"
+#include "mozilla/dom/ContentParent.h"
+
+namespace mozilla {
+namespace ipc {
+
+class ProtocolFuzzerHelper {
+ public:
+  static mozilla::dom::ContentParent* CreateContentParent(
+      const nsACString& aRemoteType);
+
+  static void CompositorBridgeParentSetup();
+
+  static void AddShmemToProtocol(IToplevelProtocol* aProtocol,
+                                 Shmem::SharedMemory* aSegment, int32_t aId) {
+    MOZ_ASSERT(!aProtocol->mShmemMap.Contains(aId),
+               "Don't insert with an existing ID");
+    aProtocol->mShmemMap.Put(aId, aSegment);
+  }
+
+  static void RemoveShmemFromProtocol(IToplevelProtocol* aProtocol,
+                                      int32_t aId) {
+    aProtocol->mShmemMap.Remove(aId);
+  }
+};
+
+template <typename T>
+void FuzzProtocol(T* aProtocol, const uint8_t* aData, size_t aSize,
+                  const nsTArray<nsCString>& aIgnoredMessageTypes) {
+  while (true) {
+    uint32_t msg_size =
+        IPC::Message::MessageSize(reinterpret_cast<const char*>(aData),
+                                  reinterpret_cast<const char*>(aData) + aSize);
+    if (msg_size == 0 || msg_size > aSize) {
+      break;
+    }
+    IPC::Message m(reinterpret_cast<const char*>(aData), msg_size);
+    aSize -= msg_size;
+    aData += msg_size;
+
+    // We ignore certain message types
+    if (aIgnoredMessageTypes.Contains(m.name())) {
+      continue;
+    }
+
+    uint8_t num_shmems = 0;
+    if (aSize) {
+      num_shmems = *aData;
+      aData++;
+      aSize--;
+
+      for (uint32_t i = 0; i < num_shmems; i++) {
+        if (aSize < sizeof(uint16_t)) {
+          break;
+        }
+        size_t shmem_size = *reinterpret_cast<const uint16_t*>(aData);
+        aData += sizeof(uint16_t);
+        aSize -= sizeof(uint16_t);
+
+        if (shmem_size > aSize) {
+          break;
+        }
+        RefPtr<Shmem::SharedMemory> segment(
+            Shmem::Alloc(Shmem::PrivateIPDLCaller(), shmem_size,
+                         SharedMemory::TYPE_BASIC, false));
+        if (!segment) {
+          break;
+        }
+
+        Shmem shmem(Shmem::PrivateIPDLCaller(), segment.get(), i + 1);
+        memcpy(shmem.get<uint8_t>(), aData, shmem_size);
+        ProtocolFuzzerHelper::AddShmemToProtocol(
+            aProtocol, segment.forget().take(), i + 1);
+
+        aData += shmem_size;
+        aSize -= shmem_size;
+      }
+    }
+    // TODO: attach |m.header().num_fds| file descriptors to |m|. MVP can be
+    // empty files, next implementation maybe read a length header from |data|
+    // and then that many bytes.
+
+    if (m.is_sync()) {
+      UniquePtr<IPC::Message> reply;
+      aProtocol->OnMessageReceived(m, *getter_Transfers(reply));
+    } else {
+      aProtocol->OnMessageReceived(m);
+    }
+    for (uint32_t i = 0; i < num_shmems; i++) {
+      Shmem::SharedMemory* segment = aProtocol->LookupSharedMemory(i + 1);
+      Shmem::Dealloc(Shmem::PrivateIPDLCaller(), segment);
+      ProtocolFuzzerHelper::RemoveShmemFromProtocol(aProtocol, i + 1);
+    }
+  }
+}
+
+nsTArray<nsCString> LoadIPCMessageBlacklist(const char* aPath);
+
+}  // namespace ipc
+}  // namespace mozilla
+
+#endif
diff --git a/tools/fuzzing/ipc/moz.build b/tools/fuzzing/ipc/moz.build
new file mode 100644
index 0000000000..fce506a227
--- /dev/null
+++ b/tools/fuzzing/ipc/moz.build
@@ -0,0 +1,27 @@
+# -*- Mode: python; c-basic-offset: 4; indent-tabs-mode: nil; tab-width: 40 -*-
+# vim: set filetype=python:
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+Library("fuzzer-ipc-protocol")
+
+LOCAL_INCLUDES += [
+    "/dom/base",
+    "/dom/ipc",
+]
+
+SOURCES += [
+    "ProtocolFuzzer.cpp",
+]
+
+EXPORTS += [
+    "ProtocolFuzzer.h",
+]
+
+include("/ipc/chromium/chromium-config.mozbuild")
+
+FINAL_LIBRARY = "xul"
+
+# Add libFuzzer configuration directives
+include("/tools/fuzzing/libfuzzer-config.mozbuild")