Bug 1867360 - Require toplevel protocols to specify which processes they expect to be bound in, r=decoder,ipc-reviewers,necko-reviewers,media-playback-reviewers,profiler-reviewers,win-reviewers,aosmond,rkraesig,mccr8,kershaw

Differential Revision: https://phabricator.services.mozilla.com/D195485

Author: mystor

dom/file/ipc/PRemoteLazyInputStream.ipdl

@@ -6,6 +6,7 @@ include IPCStream;
 
 namespace mozilla {
 
+[ChildProc=any]
 protocol PRemoteLazyInputStream
 {
 parent:

dom/fs/shared/PFileSystemAccessHandleControl.ipdl

@@ -7,6 +7,7 @@ using struct mozilla::void_t from "mozilla/ipc/IPCCore.h";
 namespace mozilla {
 namespace dom {
 
+[ChildProc=anydom]
 async protocol PFileSystemAccessHandleControl
 {
  parent:

dom/fs/shared/PFileSystemManager.ipdl

@@ -247,6 +247,7 @@ union FileSystemMoveEntryResponse
 
 }  // namespace fs
 
+[ChildProc=anydom]
 async protocol PFileSystemManager
 {
   manages PFileSystemAccessHandle;

dom/ipc/PContent.ipdl

@@ -480,7 +480,7 @@ union PClipboardReadRequestOrError {
  * and a content process. There is exactly one PContentParent/PContentChild pair
  * for each content process.
  */
-[NestedUpTo=inside_cpow, NeedsOtherPid]
+[NestedUpTo=inside_cpow, NeedsOtherPid, ChildProc=Content]
 sync protocol PContent
 {
     manages PBrowser;

dom/ipc/PInProcess.ipdl

@@ -21,6 +21,7 @@ namespace dom {
  * `mozilla::dom::InProcess{Parent, Child}::Singleton()` should be used to get
  * an instance of this actor.
  */
+[ChildProc=Parent]
 async protocol PInProcess
 {
   manages PExtensions;

dom/ipc/PJSOracle.ipdl

@@ -9,6 +9,7 @@ namespace mozilla {
 namespace dom {
 
 // PJSOracle is a top-level actor which manages PJSValidator
+[ChildProc=Utility]
 async protocol PJSOracle {
   manages PJSValidator;
 

dom/ipc/PProcessHangMonitor.ipdl

@@ -23,7 +23,7 @@ struct SlowScriptData
   double duration;
 };
 
-[ChildImpl=virtual, ParentImpl=virtual]
+[ChildImpl=virtual, ParentImpl=virtual, ChildProc=Content]
 protocol PProcessHangMonitor
 {
 parent:

dom/media/gmp/PGMP.ipdl

@@ -24,7 +24,7 @@ using mozilla::dom::NativeThreadId from "mozilla/dom/NativeThreadId.h";
 namespace mozilla {
 namespace gmp {
 
-[NeedsOtherPid, NestedUpTo=inside_sync, ChildImpl="GMPChild", ParentImpl="GMPParent"]
+[NeedsOtherPid, NestedUpTo=inside_sync, ChildImpl="GMPChild", ParentImpl="GMPParent", ChildProc=GMPlugin]
 sync protocol PGMP
 {
   manages PGMPTimer;

dom/media/gmp/PGMPContent.ipdl

@@ -16,7 +16,7 @@ include "GMPContentChild.h";
 namespace mozilla {
 namespace gmp {
 
-[NeedsOtherPid, ChildImpl="GMPContentChild", ParentImpl=virtual]
+[NeedsOtherPid, ChildImpl="GMPContentChild", ParentImpl=virtual, ParentProc=anydom, ChildProc=GMPlugin]
 sync protocol PGMPContent
 {
   manages PGMPVideoDecoder;

dom/media/gmp/PGMPService.ipdl

@@ -23,7 +23,7 @@ struct GMPLaunchResult {
   nsCString errorDescription;
 };
 
-[NeedsOtherPid, ChildImpl=virtual, ParentImpl=virtual]
+[NeedsOtherPid, ChildImpl=virtual, ParentImpl=virtual, ChildProc=Content]
 async protocol PGMPService
 {
 parent:

dom/media/ipc/PRDD.ipdl

@@ -41,7 +41,7 @@ namespace mozilla {
 // (RemoteDataDecoder) process. There is one instance of this protocol,
 // with the RDDParent living on the main thread of the RDD process and
 // the RDDChild living on the main thread of the UI process.
-[NeedsOtherPid]
+[NeedsOtherPid, ParentProc=RDD, ChildProc=Parent]
 protocol PRDD
 {
 parent:

dom/media/ipc/PRemoteDecoderManager.ipdl

@@ -38,7 +38,7 @@ union RemoteDecoderInfoIPDL
   VideoDecoderInfoIPDL;
 };
 
-[NeedsOtherPid]
+[NeedsOtherPid, ParentProc=any, ChildProc=anydom]
 sync protocol PRemoteDecoderManager
 {
   manages PRemoteDecoder;

dom/media/webrtc/PMediaTransport.ipdl

@@ -28,6 +28,7 @@ using mozilla::net::NrIceStunAddrArray from "mozilla/net/PStunAddrsParams.h";
 namespace mozilla {
 namespace dom {
 
+[ParentProc=Socket, ChildProc=Content]
 async protocol PMediaTransport {
 #ifdef MOZ_WEBRTC
 parent:

dom/midi/PMIDIManager.ipdl

@@ -7,6 +7,7 @@ include MIDITypes;
 namespace mozilla {
 namespace dom {
 
+[ChildProc=anydom]
 async protocol PMIDIManager
 {
 parent:

dom/midi/PMIDIPort.ipdl

@@ -9,6 +9,7 @@ include MIDITypes;
 namespace mozilla {
 namespace dom {
 
+[ChildProc=anydom]
 async protocol PMIDIPort
 {
 parent:

dom/quota/PRemoteQuotaObject.ipdl

@@ -6,6 +6,7 @@ namespace mozilla {
 namespace dom {
 namespace quota {
 
+[ChildProc=anydom]
 sync protocol PRemoteQuotaObject
 {
  parent:

dom/quota/test/gtest/PQuotaTest.ipdl

@@ -6,6 +6,7 @@ namespace mozilla {
 namespace dom {
 namespace quota {
 
+[ParentProc=any, ChildProc=any]
 sync protocol PQuotaTest {
  parent:
   sync Try_Success_CustomErr_QmIpcFail()

dom/system/windows/PWindowsUtils.ipdl

@@ -10,6 +10,7 @@ namespace mozilla {
 namespace dom {
 
 // Manager of utility actors that run in the windows utility process.
+[ChildProc=Utility]
 protocol PWindowsUtils {
   manages PWindowsLocation;
 

dom/webtransport/shared/PWebTransport.ipdl

@@ -45,6 +45,7 @@ union StreamResetOrStopSendingError {
   StopSendingError;
 };
 
+[ChildProc=anydom]
 async protocol PWebTransport
 {
  parent:

gfx/ipc/PCanvasManager.ipdl

@@ -22,7 +22,7 @@ namespace gfx {
  * compositor process. This protocol should be used to create accelerated
  * canvas instances.
  */
-[NeedsOtherPid]
+[NeedsOtherPid, ParentProc=compositor, ChildProc=anydom]
 sync protocol PCanvasManager
 {
   manages PCanvas;

gfx/ipc/PGPU.ipdl

@@ -53,7 +53,7 @@ struct LayerTreeIdMapping {
 // This protocol allows the UI process to talk to the GPU process. There is one
 // instance of this protocol, with the GPUParent living on the main thread of
 // the GPU process and the GPUChild living on the main thread of the UI process.
-[NeedsOtherPid]
+[NeedsOtherPid, ParentProc=GPU, ChildProc=Parent]
 sync protocol PGPU
 {
 parent:

gfx/ipc/PVsyncBridge.ipdl

@@ -16,7 +16,7 @@ namespace gfx {
 // dedicated thread in the UI process to the compositor thread in the
 // compositor process. The child side exists in the UI process, and the
 // parent side in the GPU process.
-[NeedsOtherPid]
+[NeedsOtherPid, ParentProc=GPU, ChildProc=Parent]
 sync protocol PVsyncBridge
 {
 parent:

gfx/layers/ipc/PAPZInputBridge.ipdl

@@ -33,6 +33,7 @@ namespace layers {
  * The parent side lives on the main thread in the GPU process. If there is no
  * GPU process, then this protocol is not instantiated.
  */
+[ParentProc=GPU, ChildProc=Parent]
 sync protocol PAPZInputBridge
 {
 parent:

gfx/layers/ipc/PCompositorManager.ipdl

@@ -59,7 +59,7 @@ union CompositorBridgeOptions {
  * compositor thread for compositor data that is only shared once, rather than
  * per PCompositorBridge instance.
  */
-[NeedsOtherPid]
+[NeedsOtherPid, ParentProc=compositor, ChildProc=anydom]
 sync protocol PCompositorManager
 {
   manages PCompositorBridge;

gfx/layers/ipc/PImageBridge.ipdl

@@ -26,7 +26,7 @@ namespace layers {
  * frames directly to the compositor thread/process without relying on the main thread
  * which might be too busy dealing with content script.
  */
-[NeedsOtherPid]
+[NeedsOtherPid, ParentProc=compositor, ChildProc=anydom]
 sync protocol PImageBridge
 {
   manages PTexture;

gfx/layers/ipc/PUiCompositorController.ipdl

@@ -20,7 +20,7 @@ namespace layers {
  * compositor from the UI thread. Primarily used on Android to coordinate registering and
  * releasing the surface with the compositor.
  */
-[NeedsOtherPid]
+[NeedsOtherPid, ParentProc=compositor, ChildProc=Parent]
 sync protocol PUiCompositorController
 {
 

gfx/layers/ipc/PVideoBridge.ipdl

@@ -21,7 +21,7 @@ namespace layers {
  * The PVideoBridge protocol is used to share textures from the video decoders
  * to the compositor.
  */
-[NeedsOtherPid]
+[NeedsOtherPid, ParentProc=compositor, ChildProc=any]
 sync protocol PVideoBridge
 {
   manages PTexture;

gfx/vr/ipc/PVR.ipdl

@@ -18,7 +18,7 @@ include protocol PVRGPU;
 namespace mozilla {
 namespace gfx {
 
-[NeedsOtherPid, ChildImpl="VRChild", ParentImpl="VRParent"]
+[NeedsOtherPid, ChildImpl="VRChild", ParentImpl="VRParent", ParentProc=VR, ChildProc=Parent]
 async protocol PVR
 {
 parent:

gfx/vr/ipc/PVRGPU.ipdl

@@ -11,7 +11,7 @@ namespace gfx {
 
 // The parent process is the VR process.
 // The child process is the GPU process.
-[NeedsOtherPid, ChildImpl="VRGPUChild", ParentImpl="VRGPUParent"]
+[NeedsOtherPid, ChildImpl="VRGPUChild", ParentImpl="VRGPUParent", ParentProc=VR, ChildProc=GPU]
 async protocol PVRGPU
 {
 parent:

gfx/vr/ipc/PVRManager.ipdl

@@ -34,7 +34,7 @@ namespace gfx {
  * enumeration and sensor state between the compositor thread and
  * content threads/processes.
  */
-[NeedsOtherPid, ChildImpl="VRManagerChild", ParentImpl="VRManagerParent"]
+[NeedsOtherPid, ChildImpl="VRManagerChild", ParentImpl="VRManagerParent", ParentProc=compositor, ChildProc=anydom]
 sync protocol PVRManager
 {
   manages PVRLayer;

ipc/docs/ipdl.rst

@@ -351,6 +351,7 @@ one in ``PMyManager.ipdl``:
 
 .. code-block:: cpp
 
+    [ChildProc=Content]
     sync protocol PMyManager {
         manages PMyManaged;
 
@@ -406,6 +407,12 @@ They will be discussed further in `Nested messages`_.
                                response.
 ============================== ================================================
 
+In addition, top-level protocols are annotated with which processes each side
+should be bound into using the ``[ParentProc=*]`` and ``[ChildProc=*]``
+attributes.  The ``[ParentProc]`` attribute is optional, and defaults to the
+``Parent`` process.  The ``[ChildProc]`` attribute is required.  See `Process
+Type Attributes`_ for possible values.
+
 The ``manages`` clause tells IPDL that ``PMyManager`` manages the
 ``PMyManaged`` actor that was previously ``include`` d.  As with any managed
 protocol, it must also be the case that ``PMyManaged.ipdl`` includes
@@ -730,7 +737,62 @@ for use in IPDL files:
                               ``Recv`` methods should be used instead of direct
                               function calls.  *New uses of this attribute are
                               discouraged.*
+``[ChildProc=...]``           Indicates which process the child side of the actor
+                              is expected to be bound in.  This will be release
+                              asserted when creating the actor.  Required for
+                              top-level actors.  See `Process Type Attributes`_
+                              for possible values.
+``[ParentProc=...]``          Indicates which process the parent side of the
+                              actor is expected to be bound in.  This will be
+                              release asserted when creating the actor.
+                              Defaults to ``Parent`` for top-level actors.  See
+                              `Process Type Attributes`_ for possible values.
+============================= =================================================
+
+.. _Process Type Attributes:
+
+Process Type Attributes
+^^^^^^^^^^^^^^^^^^^^^^^
+
+The following are valid values for the ``[ChildProc=...]`` and
+``[ParentProc=...]`` attributes on protocols, each corresponding to a specific
+process type:
+
 ============================= =================================================
+``Parent``                    The primary "parent" or "main" process
+``Content``                   A content process, such as those used to host web
+                              pages, workers, and extensions
+``IPDLUnitTest``              Test-only process used in IPDL gtests
+``GMPlugin``                  Gecko Media Plugin (GMP) process
+``GPU``                       GPU process
+``VR``                        VR process
+``RDD``                       Remote Data Decoder (RDD) process
+``Socket``                    Socket/Networking process
+``RemoteSandboxBroker``       Remote Sandbox Broker process
+``ForkServer``                Fork Server process
+``Utility``                   Utility process
+============================= =================================================
+
+The attributes also support some wildcard values, which can be used when an
+actor can be bound in multiple processes.  If you are adding an actor which
+needs a new wildcard value, please reach out to the IPC team, and we can add one
+for your use-case.  They are as follows:
+
+============================= =================================================
+``any``                       Any process.  If a more specific value is
+                              applicable, it should be preferred where possible.
+``anychild``                  Any process other than ``Parent``.  Often used for
+                              utility actors which are bound on a per-process
+                              basis, such as profiling.
+``compositor``                Either the ``GPU`` or ``Parent`` process.  Often
+                              used for actors bound to the compositor thread.
+``anydom``                    Either the ``Parent`` or a ``Content`` process.
+                              Often used for actors used to implement DOM APIs.
+============================= =================================================
+
+Note that these assertions do not provide security guarantees, and are primarily
+intended for use when auditing and as documentation for how actors are being
+used.
 
 
 The C++ Interface

ipc/glue/PBackground.ipdl

@@ -80,7 +80,7 @@ using mozilla::camera::CamerasAccessStatus from "mozilla/media/CamerasTypes.h";
 namespace mozilla {
 namespace ipc {
 
-[NeedsOtherPid, ChildImpl=virtual, ParentImpl=virtual]
+[NeedsOtherPid, ChildImpl=virtual, ParentImpl=virtual, ChildProc=anydom]
 sync protocol PBackground
 {
   manages PBackgroundIDBFactory;

ipc/glue/PBackgroundStarter.ipdl

@@ -7,7 +7,7 @@ include protocol PBackground;
 namespace mozilla {
 namespace ipc {
 
-[NeedsOtherPid]
+[NeedsOtherPid, ChildProc=anydom]
 async protocol PBackgroundStarter
 {
 parent:

ipc/glue/PUtilityAudioDecoder.ipdl

@@ -21,6 +21,7 @@ namespace ipc {
 
 // This protocol allows to run media audio decoding infrastructure on top
 // of the Utility process
+[ParentProc=Utility, ChildProc=Parent]
 protocol PUtilityAudioDecoder
 {
 parent:

ipc/glue/PUtilityProcess.ipdl

@@ -45,7 +45,8 @@ namespace ipc {
 // one instance of this protocol, with the UtilityProcessParent living on the main thread
 // of the main process and the UtilityProcessChild living on the main thread of the Utility
 // process.
-[NeedsOtherPid] protocol PUtilityProcess
+[NeedsOtherPid, ChildProc=Utility]
+protocol PUtilityProcess
 {
 parent:
   async InitCrashReporter(NativeThreadId threadId);

ipc/glue/ProtocolUtils.h

@@ -309,17 +309,13 @@ class IProtocol : public HasResultCodes {
 
   // Called when IPC has acquired its first reference to the actor. This method
   // may take references which will later be freed by `ActorDealloc`.
-  virtual void ActorAlloc() {}
+  virtual void ActorAlloc() = 0;
 
   // Called when IPC has released its final reference to the actor. It will call
   // the dealloc method, causing the actor to be actually freed.
   //
   // The actor has been freed after this method returns.
-  virtual void ActorDealloc() {
-    if (Manager()) {
-      Manager()->DeallocManagee(mProtocolId, this);
-    }
-  }
+  virtual void ActorDealloc() = 0;
 
   static const int32_t kNullActorId = 0;
   static const int32_t kFreedActorId = 1;