Adding upstream version 1:115.7.0.upstream/1%115.7.0upstream

Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>

1 files changed, 1317 insertions, 0 deletions

diff --git a/ipc/chromium/src/chrome/common/ipc_channel_posix.cc b/ipc/chromium/src/chrome/common/ipc_channel_posix.cc
new file mode 100644
index 0000000000..8b6fc3349a
--- /dev/null
+++ b/ipc/chromium/src/chrome/common/ipc_channel_posix.cc
@@ -0,0 +1,1317 @@
+/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
+/* vim: set ts=8 sts=2 et sw=2 tw=80: */
+// Copyright (c) 2008 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#include "chrome/common/ipc_channel_posix.h"
+
+#include <errno.h>
+#include <fcntl.h>
+#include <limits.h>
+#include "mozilla/Mutex.h"
+#if defined(OS_MACOSX)
+#  include <mach/message.h>
+#  include <mach/port.h>
+#  include "mozilla/UniquePtrExtensions.h"
+#  include "chrome/common/mach_ipc_mac.h"
+#endif
+#if defined(OS_MACOSX) || defined(OS_NETBSD)
+#  include <sched.h>
+#endif
+#include <stddef.h>
+#include <unistd.h>
+#include <sys/types.h>
+#include <sys/socket.h>
+#include <sys/stat.h>
+#include <sys/un.h>
+#include <sys/uio.h>
+
+#include <string>
+#include <map>
+
+#include "base/command_line.h"
+#include "base/eintr_wrapper.h"
+#include "base/logging.h"
+#include "base/process_util.h"
+#include "base/string_util.h"
+#include "chrome/common/chrome_switches.h"
+#include "chrome/common/ipc_channel_utils.h"
+#include "chrome/common/ipc_message_utils.h"
+#include "mozilla/ipc/Endpoint.h"
+#include "mozilla/ipc/ProtocolUtils.h"
+#include "mozilla/Atomics.h"
+#include "mozilla/StaticMutex.h"
+#include "mozilla/UniquePtr.h"
+#include "mozilla/Unused.h"
+
+// Use OS specific iovec array limit where it's possible.
+#if defined(IOV_MAX)
+static const size_t kMaxIOVecSize = IOV_MAX;
+#elif defined(ANDROID)
+static const size_t kMaxIOVecSize = 256;
+#else
+static const size_t kMaxIOVecSize = 16;
+#endif
+
+using namespace mozilla::ipc;
+
+namespace IPC {
+
+// IPC channels on Windows use named pipes (CreateNamedPipe()) with
+// channel ids as the pipe names.  Channels on POSIX use anonymous
+// Unix domain sockets created via socketpair() as pipes.  These don't
+// quite line up.
+//
+// When creating a child subprocess, the parent side of the fork
+// arranges it such that the initial control channel ends up on the
+// magic file descriptor gClientChannelFd in the child.  Future
+// connections (file descriptors) can then be passed via that
+// connection via sendmsg().
+//
+// On Android, child processes are created as a service instead of
+// forking the parent process. The Android Binder service is used to
+// transport the IPC channel file descriptor to the child process.
+// So rather than re-mapping the file descriptor to a known value,
+// the received channel file descriptor is set by calling
+// SetClientChannelFd before gecko has been initialized and started
+// in the child process.
+
+//------------------------------------------------------------------------------
+namespace {
+
+// This is the file descriptor number that a client process expects to find its
+// IPC socket.
+static int gClientChannelFd =
+#if defined(MOZ_WIDGET_ANDROID)
+    // On android the fd is set at the time of child creation.
+    -1
+#else
+    3
+#endif  // defined(MOZ_WIDGET_ANDROID)
+    ;
+
+//------------------------------------------------------------------------------
+
+bool ErrorIsBrokenPipe(int err) { return err == EPIPE || err == ECONNRESET; }
+
+// Some Android ARM64 devices appear to have a bug where sendmsg
+// sometimes returns 0xFFFFFFFF, which we're assuming is a -1 that was
+// incorrectly truncated to 32-bit and then zero-extended.
+// See bug 1660826 for details.
+//
+// This is a workaround to detect that value and replace it with -1
+// (and check that there really was an error), because the largest
+// amount we'll ever write is Channel::kMaximumMessageSize (256MiB).
+//
+// The workaround is also enabled on x86_64 Android on debug builds,
+// although the bug isn't known to manifest there, so that there will
+// be some CI coverage of this code.
+
+static inline ssize_t corrected_sendmsg(int socket,
+                                        const struct msghdr* message,
+                                        int flags) {
+#if defined(ANDROID) && \
+    (defined(__aarch64__) || (defined(DEBUG) && defined(__x86_64__)))
+  static constexpr auto kBadValue = static_cast<ssize_t>(0xFFFFFFFF);
+  static_assert(kBadValue > 0);
+
+#  ifdef MOZ_DIAGNOSTIC_ASSERT_ENABLED
+  errno = 0;
+#  endif
+  ssize_t bytes_written = sendmsg(socket, message, flags);
+  if (bytes_written == kBadValue) {
+    MOZ_DIAGNOSTIC_ASSERT(errno != 0);
+    bytes_written = -1;
+  }
+  MOZ_DIAGNOSTIC_ASSERT(bytes_written < kBadValue);
+  return bytes_written;
+#else
+  return sendmsg(socket, message, flags);
+#endif
+}
+
+}  // namespace
+//------------------------------------------------------------------------------
+
+#if defined(MOZ_WIDGET_ANDROID)
+void Channel::SetClientChannelFd(int fd) { gClientChannelFd = fd; }
+#endif  // defined(MOZ_WIDGET_ANDROID)
+
+Channel::ChannelImpl::ChannelImpl(const ChannelId& channel_id, Mode mode,
+                                  Listener* listener)
+    : chan_cap_("ChannelImpl::SendMutex",
+                MessageLoopForIO::current()->SerialEventTarget()) {
+  Init(mode, listener);
+
+  if (!CreatePipe(mode)) {
+    CHROMIUM_LOG(WARNING) << "Unable to create pipe in "
+                          << (mode == MODE_SERVER ? "server" : "client")
+                          << " mode error(" << strerror(errno) << ").";
+    return;
+  }
+
+  EnqueueHelloMessage();
+}
+
+Channel::ChannelImpl::ChannelImpl(ChannelHandle pipe, Mode mode,
+                                  Listener* listener)
+    : chan_cap_("ChannelImpl::SendMutex",
+                MessageLoopForIO::current()->SerialEventTarget()) {
+  Init(mode, listener);
+  SetPipe(pipe.release());
+
+  EnqueueHelloMessage();
+}
+
+void Channel::ChannelImpl::SetPipe(int fd) {
+  chan_cap_.NoteExclusiveAccess();
+
+  pipe_ = fd;
+  pipe_buf_len_ = 0;
+  if (fd >= 0) {
+    int buf_len;
+    socklen_t optlen = sizeof(buf_len);
+    if (getsockopt(fd, SOL_SOCKET, SO_SNDBUF, &buf_len, &optlen) != 0) {
+      CHROMIUM_LOG(WARNING)
+          << "Unable to determine pipe buffer size: " << strerror(errno);
+      return;
+    }
+    CHECK(optlen == sizeof(buf_len));
+    CHECK(buf_len > 0);
+    pipe_buf_len_ = static_cast<unsigned>(buf_len);
+  }
+}
+
+bool Channel::ChannelImpl::PipeBufHasSpaceAfter(size_t already_written) {
+  // If the OS didn't tell us the buffer size for some reason, then
+  // don't apply this limitation on the amount we try to write.
+  return pipe_buf_len_ == 0 ||
+         static_cast<size_t>(pipe_buf_len_) > already_written;
+}
+
+void Channel::ChannelImpl::Init(Mode mode, Listener* listener) {
+  // Verify that we fit in a "quantum-spaced" jemalloc bucket.
+  static_assert(sizeof(*this) <= 512, "Exceeded expected size class");
+
+  MOZ_RELEASE_ASSERT(kControlBufferHeaderSize >= CMSG_SPACE(0));
+  MOZ_RELEASE_ASSERT(kControlBufferSize >=
+                     CMSG_SPACE(sizeof(int) * kControlBufferMaxFds));
+
+  chan_cap_.NoteExclusiveAccess();
+
+  mode_ = mode;
+  is_blocked_on_write_ = false;
+  partial_write_.reset();
+  input_buf_offset_ = 0;
+  input_buf_ = mozilla::MakeUnique<char[]>(Channel::kReadBufferSize);
+  input_cmsg_buf_ = mozilla::MakeUnique<char[]>(kControlBufferSize);
+  SetPipe(-1);
+  client_pipe_ = -1;
+  listener_ = listener;
+  waiting_connect_ = true;
+#if defined(OS_MACOSX)
+  last_pending_fd_id_ = 0;
+  other_task_ = nullptr;
+#endif
+}
+
+bool Channel::ChannelImpl::CreatePipe(Mode mode) {
+  chan_cap_.NoteExclusiveAccess();
+
+  DCHECK(pipe_ == -1);
+
+  if (mode == MODE_SERVER) {
+    ChannelHandle server, client;
+    if (!Channel::CreateRawPipe(&server, &client)) {
+      return false;
+    }
+
+    SetPipe(server.release());
+    client_pipe_ = client.release();
+  } else {
+    static mozilla::Atomic<bool> consumed(false);
+    CHECK(!consumed.exchange(true))
+    << "child process main channel can be created only once";
+    SetPipe(gClientChannelFd);
+  }
+
+  return true;
+}
+
+bool Channel::ChannelImpl::EnqueueHelloMessage() {
+  mozilla::UniquePtr<Message> msg(
+      new Message(MSG_ROUTING_NONE, HELLO_MESSAGE_TYPE));
+  if (!msg->WriteInt(base::GetCurrentProcId())) {
+    CloseLocked();
+    return false;
+  }
+
+  OutputQueuePush(std::move(msg));
+  return true;
+}
+
+bool Channel::ChannelImpl::Connect() {
+  IOThread().AssertOnCurrentThread();
+  mozilla::MutexAutoLock lock(SendMutex());
+  return ConnectLocked();
+}
+
+bool Channel::ChannelImpl::ConnectLocked() {
+  chan_cap_.NoteExclusiveAccess();
+
+  if (pipe_ == -1) {
+    return false;
+  }
+
+#if defined(OS_MACOSX)
+  // If we're still waiting for our peer task to be provided, don't start
+  // listening yet. We'll start receiving messages once the task_t is set.
+  if (accept_mach_ports_ && privileged_ && !other_task_) {
+    MOZ_ASSERT(waiting_connect_);
+    return true;
+  }
+#endif
+
+  MessageLoopForIO::current()->WatchFileDescriptor(
+      pipe_, true, MessageLoopForIO::WATCH_READ, &read_watcher_, this);
+  waiting_connect_ = false;
+
+  return ProcessOutgoingMessages();
+}
+
+bool Channel::ChannelImpl::ProcessIncomingMessages() {
+  chan_cap_.NoteOnIOThread();
+
+  struct msghdr msg = {0};
+  struct iovec iov;
+
+  msg.msg_iov = &iov;
+  msg.msg_iovlen = 1;
+  msg.msg_control = input_cmsg_buf_.get();
+
+  for (;;) {
+    msg.msg_controllen = kControlBufferSize;
+
+    if (pipe_ == -1) return false;
+
+    // In some cases the beginning of a message will be stored in input_buf_. We
+    // don't want to overwrite that, so we store the new data after it.
+    iov.iov_base = input_buf_.get() + input_buf_offset_;
+    iov.iov_len = Channel::kReadBufferSize - input_buf_offset_;
+
+    // Read from pipe.
+    // recvmsg() returns 0 if the connection has closed or EAGAIN if no data
+    // is waiting on the pipe.
+    ssize_t bytes_read = HANDLE_EINTR(recvmsg(pipe_, &msg, MSG_DONTWAIT));
+
+    if (bytes_read < 0) {
+      if (errno == EAGAIN) {
+        return true;
+      } else {
+        if (!ErrorIsBrokenPipe(errno)) {
+          CHROMIUM_LOG(ERROR)
+              << "pipe error (fd " << pipe_ << "): " << strerror(errno);
+        }
+        return false;
+      }
+    } else if (bytes_read == 0) {
+      // The pipe has closed...
+      Close();
+      return false;
+    }
+    DCHECK(bytes_read);
+
+    // a pointer to an array of |num_wire_fds| file descriptors from the read
+    const int* wire_fds = NULL;
+    unsigned num_wire_fds = 0;
+
+    // walk the list of control messages and, if we find an array of file
+    // descriptors, save a pointer to the array
+
+    // This next if statement is to work around an OSX issue where
+    // CMSG_FIRSTHDR will return non-NULL in the case that controllen == 0.
+    // Here's a test case:
+    //
+    // int main() {
+    // struct msghdr msg;
+    //   msg.msg_control = &msg;
+    //   msg.msg_controllen = 0;
+    //   if (CMSG_FIRSTHDR(&msg))
+    //     printf("Bug found!\n");
+    // }
+    if (msg.msg_controllen > 0) {
+      // On OSX, CMSG_FIRSTHDR doesn't handle the case where controllen is 0
+      // and will return a pointer into nowhere.
+      for (struct cmsghdr* cmsg = CMSG_FIRSTHDR(&msg); cmsg;
+           cmsg = CMSG_NXTHDR(&msg, cmsg)) {
+        if (cmsg->cmsg_level == SOL_SOCKET && cmsg->cmsg_type == SCM_RIGHTS) {
+          const unsigned payload_len = cmsg->cmsg_len - CMSG_LEN(0);
+          DCHECK(payload_len % sizeof(int) == 0);
+          wire_fds = reinterpret_cast<int*>(CMSG_DATA(cmsg));
+          num_wire_fds = payload_len / 4;
+
+          if (msg.msg_flags & MSG_CTRUNC) {
+            CHROMIUM_LOG(ERROR)
+                << "SCM_RIGHTS message was truncated"
+                << " cmsg_len:" << cmsg->cmsg_len << " fd:" << pipe_;
+            for (unsigned i = 0; i < num_wire_fds; ++i)
+              IGNORE_EINTR(close(wire_fds[i]));
+            return false;
+          }
+          break;
+        }
+      }
+    }
+
+    // Process messages from input buffer.
+    const char* p = input_buf_.get();
+    const char* end = input_buf_.get() + input_buf_offset_ + bytes_read;
+
+    // A pointer to an array of |num_fds| file descriptors which includes any
+    // fds that have spilled over from a previous read.
+    const int* fds;
+    unsigned num_fds;
+    unsigned fds_i = 0;  // the index of the first unused descriptor
+
+    if (input_overflow_fds_.empty()) {
+      fds = wire_fds;
+      num_fds = num_wire_fds;
+    } else {
+      // This code may look like a no-op in the case where
+      // num_wire_fds == 0, but in fact:
+      //
+      // 1. wire_fds will be nullptr, so passing it to memcpy is
+      // undefined behavior according to the C standard, even though
+      // the memcpy length is 0.
+      //
+      // 2. prev_size will be an out-of-bounds index for
+      // input_overflow_fds_; this is undefined behavior according to
+      // the C++ standard, even though the element only has its
+      // pointer taken and isn't accessed (and the corresponding
+      // operation on a C array would be defined).
+      //
+      // UBSan makes #1 a fatal error, and assertions in libstdc++ do
+      // the same for #2 if enabled.
+      if (num_wire_fds > 0) {
+        const size_t prev_size = input_overflow_fds_.size();
+        input_overflow_fds_.resize(prev_size + num_wire_fds);
+        memcpy(&input_overflow_fds_[prev_size], wire_fds,
+               num_wire_fds * sizeof(int));
+      }
+      fds = &input_overflow_fds_[0];
+      num_fds = input_overflow_fds_.size();
+    }
+
+    // The data for the message we're currently reading consists of any data
+    // stored in incoming_message_ followed by data in input_buf_ (followed by
+    // other messages).
+
+    // NOTE: We re-check `pipe_` after each message to make sure we weren't
+    // closed while calling `OnMessageReceived` or `OnChannelConnected`.
+    while (p < end && pipe_ != -1) {
+      // Try to figure out how big the message is. Size is 0 if we haven't read
+      // enough of the header to know the size.
+      uint32_t message_length = 0;
+      if (incoming_message_) {
+        message_length = incoming_message_->size();
+      } else {
+        message_length = Message::MessageSize(p, end);
+      }
+
+      if (!message_length) {
+        // We haven't seen the full message header.
+        MOZ_ASSERT(!incoming_message_);
+
+        // Move everything we have to the start of the buffer. We'll finish
+        // reading this message when we get more data. For now we leave it in
+        // input_buf_.
+        memmove(input_buf_.get(), p, end - p);
+        input_buf_offset_ = end - p;
+
+        break;
+      }
+
+      input_buf_offset_ = 0;
+
+      bool partial;
+      if (incoming_message_) {
+        // We already have some data for this message stored in
+        // incoming_message_. We want to append the new data there.
+        Message& m = *incoming_message_;
+
+        // How much data from this message remains to be added to
+        // incoming_message_?
+        MOZ_DIAGNOSTIC_ASSERT(message_length > m.CurrentSize());
+        uint32_t remaining = message_length - m.CurrentSize();
+
+        // How much data from this message is stored in input_buf_?
+        uint32_t in_buf = std::min(remaining, uint32_t(end - p));
+
+        m.InputBytes(p, in_buf);
+        p += in_buf;
+
+        // Are we done reading this message?
+        partial = in_buf != remaining;
+      } else {
+        // How much data from this message is stored in input_buf_?
+        uint32_t in_buf = std::min(message_length, uint32_t(end - p));
+
+        incoming_message_ = mozilla::MakeUnique<Message>(p, in_buf);
+        p += in_buf;
+
+        // Are we done reading this message?
+        partial = in_buf != message_length;
+      }
+
+      if (partial) {
+        break;
+      }
+
+      Message& m = *incoming_message_;
+
+      if (m.header()->num_handles) {
+        // the message has file descriptors
+        const char* error = NULL;
+        if (m.header()->num_handles > num_fds - fds_i) {
+          // the message has been completely received, but we didn't get
+          // enough file descriptors.
+          error = "Message needs unreceived descriptors";
+        }
+
+        if (m.header()->num_handles >
+            IPC::Message::MAX_DESCRIPTORS_PER_MESSAGE) {
+          // There are too many descriptors in this message
+          error = "Message requires an excessive number of descriptors";
+        }
+
+        if (error) {
+          CHROMIUM_LOG(WARNING)
+              << error << " channel:" << this << " message-type:" << m.type()
+              << " header()->num_handles:" << m.header()->num_handles
+              << " num_fds:" << num_fds << " fds_i:" << fds_i;
+          // close the existing file descriptors so that we don't leak them
+          for (unsigned i = fds_i; i < num_fds; ++i)
+            IGNORE_EINTR(close(fds[i]));
+          input_overflow_fds_.clear();
+          // abort the connection
+          return false;
+        }
+
+#if defined(OS_MACOSX)
+        // Send a message to the other side, indicating that we are now
+        // responsible for closing the descriptor.
+        auto fdAck = mozilla::MakeUnique<Message>(MSG_ROUTING_NONE,
+                                                  RECEIVED_FDS_MESSAGE_TYPE);
+        DCHECK(m.fd_cookie() != 0);
+        fdAck->set_fd_cookie(m.fd_cookie());
+        {
+          mozilla::MutexAutoLock lock(SendMutex());
+          OutputQueuePush(std::move(fdAck));
+        }
+#endif
+
+        nsTArray<mozilla::UniqueFileHandle> handles(m.header()->num_handles);
+        for (unsigned end_i = fds_i + m.header()->num_handles; fds_i < end_i;
+             ++fds_i) {
+          handles.AppendElement(mozilla::UniqueFileHandle(fds[fds_i]));
+        }
+        m.SetAttachedFileHandles(std::move(handles));
+      }
+
+      // Note: We set other_pid_ below when we receive a Hello message (which
+      // has no routing ID), but we only emit a profiler marker for messages
+      // with a routing ID, so there's no conflict here.
+      AddIPCProfilerMarker(m, other_pid_, MessageDirection::eReceiving,
+                           MessagePhase::TransferEnd);
+
+#ifdef IPC_MESSAGE_DEBUG_EXTRA
+      DLOG(INFO) << "received message on channel @" << this << " with type "
+                 << m.type();
+#endif
+
+      if (m.routing_id() == MSG_ROUTING_NONE &&
+          m.type() == HELLO_MESSAGE_TYPE) {
+        // The Hello message contains only the process id.
+        int32_t other_pid = MessageIterator(m).NextInt();
+        SetOtherPid(other_pid);
+        listener_->OnChannelConnected(other_pid);
+#if defined(OS_MACOSX)
+      } else if (m.routing_id() == MSG_ROUTING_NONE &&
+                 m.type() == RECEIVED_FDS_MESSAGE_TYPE) {
+        DCHECK(m.fd_cookie() != 0);
+        CloseDescriptors(m.fd_cookie());
+#endif
+      } else {
+        mozilla::LogIPCMessage::Run run(&m);
+#if defined(OS_MACOSX)
+        if (!AcceptMachPorts(m)) {
+          return false;
+        }
+#endif
+        listener_->OnMessageReceived(std::move(incoming_message_));
+      }
+
+      incoming_message_ = nullptr;
+    }
+
+    input_overflow_fds_ = std::vector<int>(&fds[fds_i], &fds[num_fds]);
+
+    // When the input data buffer is empty, the overflow fds should be too. If
+    // this is not the case, we probably have a rogue renderer which is trying
+    // to fill our descriptor table.
+    if (!incoming_message_ && input_buf_offset_ == 0 &&
+        !input_overflow_fds_.empty()) {
+      // We close these descriptors in Close()
+      return false;
+    }
+  }
+}
+
+bool Channel::ChannelImpl::ProcessOutgoingMessages() {
+  // NOTE: This method may be called on threads other than `IOThread()`.
+  chan_cap_.NoteSendMutex();
+
+  DCHECK(!waiting_connect_);  // Why are we trying to send messages if there's
+                              // no connection?
+  is_blocked_on_write_ = false;
+
+  if (output_queue_.IsEmpty()) return true;
+
+  if (pipe_ == -1) return false;
+
+  // Write out all the messages we can till the write blocks or there are no
+  // more outgoing messages.
+  while (!output_queue_.IsEmpty()) {
+    Message* msg = output_queue_.FirstElement().get();
+
+    struct msghdr msgh = {0};
+
+    char cmsgBuf[kControlBufferSize];
+
+    if (partial_write_.isNothing()) {
+#if defined(OS_MACOSX)
+      if (!TransferMachPorts(*msg)) {
+        return false;
+      }
+#endif
+
+      if (msg->attached_handles_.Length() >
+          IPC::Message::MAX_DESCRIPTORS_PER_MESSAGE) {
+        MOZ_DIAGNOSTIC_ASSERT(false, "Too many file descriptors!");
+        CHROMIUM_LOG(FATAL) << "Too many file descriptors!";
+        // This should not be reached.
+        return false;
+      }
+
+      msg->header()->num_handles = msg->attached_handles_.Length();
+#if defined(OS_MACOSX)
+      if (!msg->attached_handles_.IsEmpty()) {
+        msg->set_fd_cookie(++last_pending_fd_id_);
+      }
+#endif
+
+      Pickle::BufferList::IterImpl iter(msg->Buffers());
+      MOZ_DIAGNOSTIC_ASSERT(!iter.Done(), "empty message");
+      partial_write_.emplace(PartialWrite{iter, msg->attached_handles_});
+
+      AddIPCProfilerMarker(*msg, other_pid_, MessageDirection::eSending,
+                           MessagePhase::TransferStart);
+    }
+
+    if (partial_write_->iter_.Done()) {
+      MOZ_DIAGNOSTIC_ASSERT(false, "partial_write_->iter_ should not be done");
+      // report a send error to our caller, which will close the channel.
+      return false;
+    }
+
+    // How much of this message have we written so far?
+    Pickle::BufferList::IterImpl iter = partial_write_->iter_;
+    auto handles = partial_write_->handles_;
+
+    // Serialize attached file descriptors into the cmsg header. Only up to
+    // kControlBufferMaxFds can be serialized at once, so messages with more
+    // attachments must be sent over multiple `sendmsg` calls.
+    const size_t num_fds = std::min(handles.Length(), kControlBufferMaxFds);
+    size_t max_amt_to_write = iter.TotalBytesAvailable(msg->Buffers());
+    if (num_fds > 0) {
+      msgh.msg_control = cmsgBuf;
+      msgh.msg_controllen = CMSG_LEN(sizeof(int) * num_fds);
+      struct cmsghdr* cmsg = CMSG_FIRSTHDR(&msgh);
+      cmsg->cmsg_level = SOL_SOCKET;
+      cmsg->cmsg_type = SCM_RIGHTS;
+      cmsg->cmsg_len = msgh.msg_controllen;
+      for (size_t i = 0; i < num_fds; ++i) {
+        reinterpret_cast<int*>(CMSG_DATA(cmsg))[i] = handles[i].get();
+      }
+
+      // Avoid writing one byte per remaining handle in excess of
+      // kControlBufferMaxFds.  Each handle written will consume a minimum of 4
+      // bytes in the message (to store it's index), so we can depend on there
+      // being enough data to send every handle.
+      size_t remaining = handles.Length() - num_fds;
+      MOZ_ASSERT(max_amt_to_write > remaining,
+                 "must be at least one byte in the message for each handle");
+      max_amt_to_write -= remaining;
+    }
+
+    // Store remaining segments to write into iovec.
+    //
+    // Don't add more than kMaxIOVecSize iovecs so that we avoid
+    // OS-dependent limits.  Also, stop adding iovecs if we've already
+    // prepared to write at least the full buffer size.
+    struct iovec iov[kMaxIOVecSize];
+    size_t iov_count = 0;
+    size_t amt_to_write = 0;
+    while (!iter.Done() && iov_count < kMaxIOVecSize &&
+           PipeBufHasSpaceAfter(amt_to_write) &&
+           amt_to_write < max_amt_to_write) {
+      char* data = iter.Data();
+      size_t size =
+          std::min(iter.RemainingInSegment(), max_amt_to_write - amt_to_write);
+
+      iov[iov_count].iov_base = data;
+      iov[iov_count].iov_len = size;
+      iov_count++;
+      amt_to_write += size;
+      iter.Advance(msg->Buffers(), size);
+    }
+    MOZ_ASSERT(amt_to_write <= max_amt_to_write);
+    MOZ_ASSERT(amt_to_write > 0);
+
+    const bool intentional_short_write = !iter.Done();
+    msgh.msg_iov = iov;
+    msgh.msg_iovlen = iov_count;
+
+    ssize_t bytes_written =
+        HANDLE_EINTR(corrected_sendmsg(pipe_, &msgh, MSG_DONTWAIT));
+
+    if (bytes_written < 0) {
+      switch (errno) {
+        case EAGAIN:
+          // Not an error; the sendmsg would have blocked, so return to the
+          // event loop and try again later.
+          break;
+#if defined(OS_MACOSX) || defined(OS_NETBSD)
+          // (Note: this comment is copied from https://crrev.com/86c3d9ef4fdf6;
+          // see also bug 1142693 comment #73.)
+          //
+          // On OS X if sendmsg() is trying to send fds between processes and
+          // there isn't enough room in the output buffer to send the fd
+          // structure over atomically then EMSGSIZE is returned. The same
+          // applies to NetBSD as well.
+          //
+          // EMSGSIZE presents a problem since the system APIs can only call us
+          // when there's room in the socket buffer and not when there is
+          // "enough" room.
+          //
+          // The current behavior is to return to the event loop when EMSGSIZE
+          // is received and hopefull service another FD.  This is however still
+          // technically a busy wait since the event loop will call us right
+          // back until the receiver has read enough data to allow passing the
+          // FD over atomically.
+        case EMSGSIZE:
+          // Because this is likely to result in a busy-wait, we'll try to make
+          // it easier for the receiver to make progress, but only if we're on
+          // the I/O thread already.
+          if (IOThread().IsOnCurrentThread()) {
+            sched_yield();
+          }
+          break;
+#endif
+        default:
+          if (!ErrorIsBrokenPipe(errno)) {
+            CHROMIUM_LOG(ERROR) << "pipe error: " << strerror(errno);
+          }
+          return false;
+      }
+    }
+
+    if (intentional_short_write ||
+        static_cast<size_t>(bytes_written) != amt_to_write) {
+      // If write() fails with EAGAIN or EMSGSIZE then bytes_written will be -1.
+      if (bytes_written > 0) {
+        MOZ_DIAGNOSTIC_ASSERT(intentional_short_write ||
+                              static_cast<size_t>(bytes_written) <
+                                  amt_to_write);
+        partial_write_->iter_.AdvanceAcrossSegments(msg->Buffers(),
+                                                    bytes_written);
+        partial_write_->handles_ = handles.From(num_fds);
+        // We should not hit the end of the buffer.
+        MOZ_DIAGNOSTIC_ASSERT(!partial_write_->iter_.Done());
+      }
+
+      is_blocked_on_write_ = true;
+      if (IOThread().IsOnCurrentThread()) {
+        // If we're on the I/O thread already, tell libevent to call us back
+        // when things are unblocked.
+        MessageLoopForIO::current()->WatchFileDescriptor(
+            pipe_,
+            false,  // One shot
+            MessageLoopForIO::WATCH_WRITE, &write_watcher_, this);
+      } else {
+        // Otherwise, emulate being called back from libevent on the I/O thread,
+        // which will re-try the write, and then potentially start watching if
+        // still necessary.
+        IOThread().Dispatch(mozilla::NewRunnableMethod<int>(
+            "ChannelImpl::ContinueProcessOutgoing", this,
+            &ChannelImpl::OnFileCanWriteWithoutBlocking, -1));
+      }
+      return true;
+    } else {
+      MOZ_ASSERT(partial_write_->handles_.Length() == num_fds,
+                 "not all handles were sent");
+      partial_write_.reset();
+
+#if defined(OS_MACOSX)
+      if (!msg->attached_handles_.IsEmpty()) {
+        pending_fds_.push_back(PendingDescriptors{
+            msg->fd_cookie(), std::move(msg->attached_handles_)});
+      }
+#else
+      if (bytes_written > 0) {
+        msg->attached_handles_.Clear();
+      }
+#endif
+
+      // Message sent OK!
+
+      AddIPCProfilerMarker(*msg, other_pid_, MessageDirection::eSending,
+                           MessagePhase::TransferEnd);
+
+#ifdef IPC_MESSAGE_DEBUG_EXTRA
+      DLOG(INFO) << "sent message @" << msg << " on channel @" << this
+                 << " with type " << msg->type();
+#endif
+      OutputQueuePop();
+      // msg has been destroyed, so clear the dangling reference.
+      msg = nullptr;
+    }
+  }
+  return true;
+}
+
+bool Channel::ChannelImpl::Send(mozilla::UniquePtr<Message> message) {
+  // NOTE: This method may be called on threads other than `IOThread()`.
+  mozilla::MutexAutoLock lock(SendMutex());
+  chan_cap_.NoteSendMutex();
+
+#ifdef IPC_MESSAGE_DEBUG_EXTRA
+  DLOG(INFO) << "sending message @" << message.get() << " on channel @" << this
+             << " with type " << message->type() << " ("
+             << output_queue_.Count() << " in queue)";
+#endif
+
+  // If the channel has been closed, ProcessOutgoingMessages() is never going
+  // to pop anything off output_queue; output_queue will only get emptied when
+  // the channel is destructed.  We might as well delete message now, instead
+  // of waiting for the channel to be destructed.
+  if (pipe_ == -1) {
+    if (mozilla::ipc::LoggingEnabled()) {
+      fprintf(stderr,
+              "Can't send message %s, because this channel is closed.\n",
+              message->name());
+    }
+    return false;
+  }
+
+  OutputQueuePush(std::move(message));
+  if (!waiting_connect_) {
+    if (!is_blocked_on_write_) {
+      if (!ProcessOutgoingMessages()) return false;
+    }
+  }
+
+  return true;
+}
+
+void Channel::ChannelImpl::GetClientFileDescriptorMapping(int* src_fd,
+                                                          int* dest_fd) const {
+  IOThread().AssertOnCurrentThread();
+  DCHECK(mode_ == MODE_SERVER);
+  *src_fd = client_pipe_;
+  *dest_fd = gClientChannelFd;
+}
+
+void Channel::ChannelImpl::CloseClientFileDescriptor() {
+  IOThread().AssertOnCurrentThread();
+  if (client_pipe_ != -1) {
+    IGNORE_EINTR(close(client_pipe_));
+    client_pipe_ = -1;
+  }
+}
+
+// Called by libevent when we can read from th pipe without blocking.
+void Channel::ChannelImpl::OnFileCanReadWithoutBlocking(int fd) {
+  IOThread().AssertOnCurrentThread();
+  chan_cap_.NoteOnIOThread();
+
+  if (!waiting_connect_ && fd == pipe_ && pipe_ != -1) {
+    if (!ProcessIncomingMessages()) {
+      Close();
+      listener_->OnChannelError();
+      // The OnChannelError() call may delete this, so we need to exit now.
+      return;
+    }
+  }
+}
+
+#if defined(OS_MACOSX)
+void Channel::ChannelImpl::CloseDescriptors(uint32_t pending_fd_id) {
+  mozilla::MutexAutoLock lock(SendMutex());
+  chan_cap_.NoteExclusiveAccess();
+
+  DCHECK(pending_fd_id != 0);
+  for (std::list<PendingDescriptors>::iterator i = pending_fds_.begin();
+       i != pending_fds_.end(); i++) {
+    if ((*i).id == pending_fd_id) {
+      pending_fds_.erase(i);
+      return;
+    }
+  }
+  DCHECK(false) << "pending_fd_id not in our list!";
+}
+#endif
+
+void Channel::ChannelImpl::OutputQueuePush(mozilla::UniquePtr<Message> msg) {
+  chan_cap_.NoteSendMutex();
+
+  mozilla::LogIPCMessage::LogDispatchWithPid(msg.get(), other_pid_);
+
+  MOZ_DIAGNOSTIC_ASSERT(pipe_ != -1);
+  msg->AssertAsLargeAsHeader();
+  output_queue_.Push(std::move(msg));
+}
+
+void Channel::ChannelImpl::OutputQueuePop() {
+  // Clear any reference to the front of output_queue_ before we destroy it.
+  partial_write_.reset();
+
+  mozilla::UniquePtr<Message> message = output_queue_.Pop();
+}
+
+// Called by libevent when we can write to the pipe without blocking.
+void Channel::ChannelImpl::OnFileCanWriteWithoutBlocking(int fd) {
+  RefPtr<ChannelImpl> grip(this);
+  IOThread().AssertOnCurrentThread();
+  mozilla::ReleasableMutexAutoLock lock(SendMutex());
+  chan_cap_.NoteExclusiveAccess();
+  if (pipe_ != -1 && !ProcessOutgoingMessages()) {
+    CloseLocked();
+    lock.Unlock();
+    listener_->OnChannelError();
+  }
+}
+
+void Channel::ChannelImpl::Close() {
+  IOThread().AssertOnCurrentThread();
+  mozilla::MutexAutoLock lock(SendMutex());
+  CloseLocked();
+}
+
+void Channel::ChannelImpl::CloseLocked() {
+  chan_cap_.NoteExclusiveAccess();
+
+  // Close can be called multiple times, so we need to make sure we're
+  // idempotent.
+
+  // Unregister libevent for the FIFO and close it.
+  read_watcher_.StopWatchingFileDescriptor();
+  write_watcher_.StopWatchingFileDescriptor();
+  if (pipe_ != -1) {
+    IGNORE_EINTR(close(pipe_));
+    SetPipe(-1);
+  }
+  if (client_pipe_ != -1) {
+    IGNORE_EINTR(close(client_pipe_));
+    client_pipe_ = -1;
+  }
+
+  while (!output_queue_.IsEmpty()) {
+    OutputQueuePop();
+  }
+
+  // Close any outstanding, received file descriptors
+  for (std::vector<int>::iterator i = input_overflow_fds_.begin();
+       i != input_overflow_fds_.end(); ++i) {
+    IGNORE_EINTR(close(*i));
+  }
+  input_overflow_fds_.clear();
+
+#if defined(OS_MACOSX)
+  pending_fds_.clear();
+
+  other_task_ = nullptr;
+#endif
+}
+
+#if defined(OS_MACOSX)
+void Channel::ChannelImpl::SetOtherMachTask(task_t task) {
+  IOThread().AssertOnCurrentThread();
+  mozilla::MutexAutoLock lock(SendMutex());
+  chan_cap_.NoteExclusiveAccess();
+
+  if (NS_WARN_IF(pipe_ == -1)) {
+    return;
+  }
+
+  MOZ_ASSERT(accept_mach_ports_ && privileged_ && waiting_connect_);
+  other_task_ = mozilla::RetainMachSendRight(task);
+  // Now that `other_task_` is provided, we can continue connecting.
+  ConnectLocked();
+}
+
+void Channel::ChannelImpl::StartAcceptingMachPorts(Mode mode) {
+  IOThread().AssertOnCurrentThread();
+  mozilla::MutexAutoLock lock(SendMutex());
+  chan_cap_.NoteExclusiveAccess();
+
+  if (accept_mach_ports_) {
+    MOZ_ASSERT(privileged_ == (MODE_SERVER == mode));
+    return;
+  }
+  accept_mach_ports_ = true;
+  privileged_ = MODE_SERVER == mode;
+}
+
+//------------------------------------------------------------------------------
+// Mach port transferring logic
+//
+// It is currently not possible to directly transfer a mach send right between
+// two content processes using SCM_RIGHTS, unlike how we can handle file
+// descriptors. This means that mach ports need to be transferred through a
+// separate mechanism. This file only implements support for transferring mach
+// ports between a (potentially sandboxed) child process and the parent process.
+// Support for transferring mach ports between other process pairs is handled by
+// `NodeController`, which is responsible for relaying messages which carry
+// handles via the parent process.
+//
+// The logic which we use for doing this is based on the following from
+// Chromium, which pioneered this technique. As of this writing, chromium no
+// longer uses this strategy, as all IPC messages are sent using mach ports on
+// macOS.
+// https://source.chromium.org/chromium/chromium/src/+/9f707e5e04598d8303fa99ca29eb507c839767d8:mojo/core/mach_port_relay.cc
+// https://source.chromium.org/chromium/chromium/src/+/9f707e5e04598d8303fa99ca29eb507c839767d8:base/mac/mach_port_util.cc.
+//
+// As we only need to consider messages between the privileged (parent) and
+// unprivileged (child) processes in this code, there are 2 relevant cases which
+// we need to handle:
+//
+// # Unprivileged (child) to Privileged (parent)
+//
+// As the privileged process has access to the unprivileged process' `task_t`,
+// it is possible to directly extract the mach port from the target process'
+// address space, given its name, using `mach_port_extract_right`.
+//
+// To transfer the port, the unprivileged process will leak a reference to the
+// send right, and include the port's name in the message footer. The privileged
+// process will extract that port right (and drop the reference in the old
+// process) using `mach_port_extract_right` with `MACH_MSG_TYPE_MOVE_SEND`. The
+// call to `mach_port_extract_right` is handled by `BrokerExtractSendRight`
+//
+// # Privileged (parent) to Unprivileged (child)
+//
+// Unfortunately, the process of transferring a right into a target process is
+// more complex.  The only well-supported way to transfer a right into a process
+// is by sending it with `mach_msg`, and receiving it on the other side [1].
+//
+// To work around this, the privileged process uses `mach_port_allocate` to
+// create a new receive right in the target process using its `task_t`, and
+// `mach_port_extract_right` to extract a send-once right to that port. It then
+// sends a message to the port with port we're intending to send as an
+// attachment. This is handled by `BrokerTransferSendRight`, which returns the
+// name of the newly created receive right in the target process to be sent in
+// the message footer.
+//
+// In the unprivileged process, `mach_msg` is used to receive a single message
+// from the receive right, which will have the actual port we were trying to
+// transfer as an attachment. This is handled by the `MachReceivePortSendRight`
+// function.
+//
+// [1] We cannot use `mach_port_insert_right` to transfer the right into the
+// target process, as that method requires explicitly specifying the remote
+// port's name, and we do not control the port name allocator.
+
+// Extract a send right from the given peer task. A reference to the remote
+// right will be dropped.  See comment above for details.
+static mozilla::UniqueMachSendRight BrokerExtractSendRight(
+    task_t task, mach_port_name_t name) {
+  mach_port_t extractedRight = MACH_PORT_NULL;
+  mach_msg_type_name_t extractedRightType;
+  kern_return_t kr =
+      mach_port_extract_right(task, name, MACH_MSG_TYPE_MOVE_SEND,
+                              &extractedRight, &extractedRightType);
+  if (kr != KERN_SUCCESS) {
+    CHROMIUM_LOG(ERROR) << "failed to extract port right from other process. "
+                        << mach_error_string(kr);
+    return nullptr;
+  }
+  MOZ_ASSERT(extractedRightType == MACH_MSG_TYPE_PORT_SEND,
+             "We asked the OS for a send port");
+  return mozilla::UniqueMachSendRight(extractedRight);
+}
+
+// Transfer a send right to the given peer task. The name of a receive right in
+// the remote process will be returned if successful. The sent port can be
+// obtained from that port in the peer task using `MachReceivePortSendRight`.
+// See comment above for details.
+static mozilla::Maybe<mach_port_name_t> BrokerTransferSendRight(
+    task_t task, mozilla::UniqueMachSendRight port_to_send) {
+  mach_port_name_t endpoint;
+  kern_return_t kr =
+      mach_port_allocate(task, MACH_PORT_RIGHT_RECEIVE, &endpoint);
+  if (kr != KERN_SUCCESS) {
+    CHROMIUM_LOG(ERROR)
+        << "Unable to create receive right in TransferMachPorts. "
+        << mach_error_string(kr);
+    return mozilla::Nothing();
+  }
+
+  // Clean up the endpoint on error.
+  auto destroyEndpoint =
+      mozilla::MakeScopeExit([&] { mach_port_deallocate(task, endpoint); });
+
+  // Change its message queue limit so that it accepts one message.
+  mach_port_limits limits = {};
+  limits.mpl_qlimit = 1;
+  kr = mach_port_set_attributes(task, endpoint, MACH_PORT_LIMITS_INFO,
+                                reinterpret_cast<mach_port_info_t>(&limits),
+                                MACH_PORT_LIMITS_INFO_COUNT);
+  if (kr != KERN_SUCCESS) {
+    CHROMIUM_LOG(ERROR)
+        << "Unable configure receive right in TransferMachPorts. "
+        << mach_error_string(kr);
+    return mozilla::Nothing();
+  }
+
+  // Get a send right.
+  mach_port_t send_once_right;
+  mach_msg_type_name_t send_right_type;
+  kr = mach_port_extract_right(task, endpoint, MACH_MSG_TYPE_MAKE_SEND_ONCE,
+                               &send_once_right, &send_right_type);
+  if (kr != KERN_SUCCESS) {
+    CHROMIUM_LOG(ERROR) << "Unable extract send right in TransferMachPorts. "
+                        << mach_error_string(kr);
+    return mozilla::Nothing();
+  }
+  MOZ_ASSERT(MACH_MSG_TYPE_PORT_SEND_ONCE == send_right_type);
+
+  kr = MachSendPortSendRight(send_once_right, port_to_send.get(),
+                             mozilla::Some(0), MACH_MSG_TYPE_MOVE_SEND_ONCE);
+  if (kr != KERN_SUCCESS) {
+    // This right will be destroyed due to being a SEND_ONCE right if we
+    // succeed.
+    mach_port_deallocate(mach_task_self(), send_once_right);
+    CHROMIUM_LOG(ERROR) << "Unable to transfer right in TransferMachPorts. "
+                        << mach_error_string(kr);
+    return mozilla::Nothing();
+  }
+
+  destroyEndpoint.release();
+  return mozilla::Some(endpoint);
+}
+
+// Process footer information attached to the message, and acquire owning
+// references to any transferred mach ports. See comment above for details.
+bool Channel::ChannelImpl::AcceptMachPorts(Message& msg) {
+  chan_cap_.NoteOnIOThread();
+
+  uint32_t num_send_rights = msg.header()->num_send_rights;
+  if (num_send_rights == 0) {
+    return true;
+  }
+
+  if (!accept_mach_ports_) {
+    CHROMIUM_LOG(ERROR) << "invalid message: " << msg.name()
+                        << ". channel is not configured to accept mach ports";
+    return false;
+  }
+
+  // Read in the payload from the footer, truncating the message.
+  nsTArray<uint32_t> payload;
+  payload.AppendElements(num_send_rights);
+  if (!msg.ReadFooter(payload.Elements(), num_send_rights * sizeof(uint32_t),
+                      /* truncate */ true)) {
+    CHROMIUM_LOG(ERROR) << "failed to read mach port payload from message";
+    return false;
+  }
+  msg.header()->num_send_rights = 0;
+
+  // Read in the handles themselves, transferring ownership as required.
+  nsTArray<mozilla::UniqueMachSendRight> rights(num_send_rights);
+  for (uint32_t name : payload) {
+    mozilla::UniqueMachSendRight right;
+    if (privileged_) {
+      if (!other_task_) {
+        CHROMIUM_LOG(ERROR) << "other_task_ is invalid in AcceptMachPorts";
+        return false;
+      }
+      right = BrokerExtractSendRight(other_task_.get(), name);
+    } else {
+      kern_return_t kr = MachReceivePortSendRight(
+          mozilla::UniqueMachReceiveRight(name), mozilla::Some(0), &right);
+      if (kr != KERN_SUCCESS) {
+        CHROMIUM_LOG(ERROR)
+            << "failed to receive mach send right. " << mach_error_string(kr);
+        return false;
+      }
+    }
+    if (!right) {
+      return false;
+    }
+    rights.AppendElement(std::move(right));
+  }
+
+  // We're done with the handle footer, truncate the message at that point.
+  msg.attached_send_rights_ = std::move(rights);
+  MOZ_ASSERT(msg.num_send_rights() == num_send_rights);
+  return true;
+}
+
+// Transfer ownership of any attached mach ports to the peer task, and add the
+// required information for AcceptMachPorts to the message footer. See comment
+// above for details.
+bool Channel::ChannelImpl::TransferMachPorts(Message& msg) {
+  uint32_t num_send_rights = msg.num_send_rights();
+  if (num_send_rights == 0) {
+    return true;
+  }
+
+  if (!accept_mach_ports_) {
+    CHROMIUM_LOG(ERROR) << "cannot send message: " << msg.name()
+                        << ". channel is not configured to accept mach ports";
+    return false;
+  }
+
+#  ifdef DEBUG
+  uint32_t rights_offset = msg.header()->payload_size;
+#  endif
+
+  nsTArray<uint32_t> payload(num_send_rights);
+  for (auto& port_to_send : msg.attached_send_rights_) {
+    if (privileged_) {
+      if (!other_task_) {
+        CHROMIUM_LOG(ERROR) << "other_task_ is invalid in TransferMachPorts";
+        return false;
+      }
+      mozilla::Maybe<mach_port_name_t> endpoint =
+          BrokerTransferSendRight(other_task_.get(), std::move(port_to_send));
+      if (!endpoint) {
+        return false;
+      }
+      payload.AppendElement(*endpoint);
+    } else {
+      payload.AppendElement(port_to_send.release());
+    }
+  }
+  msg.attached_send_rights_.Clear();
+
+  msg.WriteFooter(payload.Elements(), payload.Length() * sizeof(uint32_t));
+  msg.header()->num_send_rights = num_send_rights;
+
+  MOZ_ASSERT(msg.header()->payload_size ==
+                 rights_offset + (sizeof(uint32_t) * num_send_rights),
+             "Unexpected number of bytes written for send rights footer?");
+  return true;
+}
+#endif
+
+//------------------------------------------------------------------------------
+// Channel's methods simply call through to ChannelImpl.
+Channel::Channel(const ChannelId& channel_id, Mode mode, Listener* listener)
+    : channel_impl_(new ChannelImpl(channel_id, mode, listener)) {
+  MOZ_COUNT_CTOR(IPC::Channel);
+}
+
+Channel::Channel(ChannelHandle pipe, Mode mode, Listener* listener)
+    : channel_impl_(new ChannelImpl(std::move(pipe), mode, listener)) {
+  MOZ_COUNT_CTOR(IPC::Channel);
+}
+
+Channel::~Channel() { MOZ_COUNT_DTOR(IPC::Channel); }
+
+bool Channel::Connect() { return channel_impl_->Connect(); }
+
+void Channel::Close() { channel_impl_->Close(); }
+
+Channel::Listener* Channel::set_listener(Listener* listener) {
+  return channel_impl_->set_listener(listener);
+}
+
+bool Channel::Send(mozilla::UniquePtr<Message> message) {
+  return channel_impl_->Send(std::move(message));
+}
+
+void Channel::GetClientFileDescriptorMapping(int* src_fd, int* dest_fd) const {
+  return channel_impl_->GetClientFileDescriptorMapping(src_fd, dest_fd);
+}
+
+void Channel::CloseClientFileDescriptor() {
+  channel_impl_->CloseClientFileDescriptor();
+}
+
+int32_t Channel::OtherPid() const { return channel_impl_->OtherPid(); }
+
+bool Channel::IsClosed() const { return channel_impl_->IsClosed(); }
+
+#if defined(OS_MACOSX)
+void Channel::SetOtherMachTask(task_t task) {
+  channel_impl_->SetOtherMachTask(task);
+}
+
+void Channel::StartAcceptingMachPorts(Mode mode) {
+  channel_impl_->StartAcceptingMachPorts(mode);
+}
+#endif
+
+// static
+Channel::ChannelId Channel::GenerateVerifiedChannelID() { return {}; }
+
+// static
+Channel::ChannelId Channel::ChannelIDForCurrentProcess() { return {}; }
+
+// static
+bool Channel::CreateRawPipe(ChannelHandle* server, ChannelHandle* client) {
+  int fds[2];
+  if (socketpair(AF_UNIX, SOCK_STREAM, 0, fds) < 0) {
+    mozilla::ipc::AnnotateCrashReportWithErrno(
+        CrashReporter::Annotation::IpcCreatePipeSocketPairErrno, errno);
+    return false;
+  }
+
+  auto configureFd = [](int fd) -> bool {
+    // Mark the endpoints as non-blocking
+    if (fcntl(fd, F_SETFL, O_NONBLOCK) == -1) {
+      mozilla::ipc::AnnotateCrashReportWithErrno(
+          CrashReporter::Annotation::IpcCreatePipeFcntlErrno, errno);
+      return false;
+    }
+
+    // Mark the pipes as FD_CLOEXEC
+    int flags = fcntl(fd, F_GETFD);
+    if (flags == -1) {
+      mozilla::ipc::AnnotateCrashReportWithErrno(
+          CrashReporter::Annotation::IpcCreatePipeCloExecErrno, errno);
+      return false;
+    }
+    flags |= FD_CLOEXEC;
+    if (fcntl(fd, F_SETFD, flags) == -1) {
+      mozilla::ipc::AnnotateCrashReportWithErrno(
+          CrashReporter::Annotation::IpcCreatePipeCloExecErrno, errno);
+      return false;
+    }
+    return true;
+  };
+
+  if (!configureFd(fds[0]) || !configureFd(fds[1])) {
+    IGNORE_EINTR(close(fds[0]));
+    IGNORE_EINTR(close(fds[1]));
+    return false;
+  }
+
+  server->reset(fds[0]);
+  client->reset(fds[1]);
+  return true;
+}
+
+}  // namespace IPC