Reject CompositorFrames with no render passes when deserializing

Reject CompositorFrames with no render passes when deserializing

LayerTreeHostImpl::DrawLayers never submits a CompositorFrame with no
render passes. Currently we verify that the CompositorFrame sent from
the renderer does not have an empty render pass list in
RenderWidgetHostImpl::SubmitCompositorFrame. This check is necessary
because letting such CompositorFrames through will violate assumptions
and causes the browser to crash. This CL moves the validation code
to StructTraits / ParamTraits to centralize IPC message validation.
Some changes in Android's synchronous compositor was necessary because
currently when it wants to send the CompositorFrameMetadata to the
browser, instead of just sending the metadata directly it creates an
empty CompositorFrame, puts the metadata there and then sends the 
frame. Such frames do not pass the new validation rule, so now we just
send the metadata directly.

CQ_INCLUDE_TRYBOTS=master.tryserver.blink:linux_trusty_blink_rel

Review-Url: https://codereview.chromium.org/2835203002
Cr-Commit-Position: refs/heads/master@{#466708}
Committed: https://chromium.googlesource.com/chromium/src/+/ac53e53db3b6db49588a3ad69ba4231308091009

[Saman Sami, 2017-04-24 15:15:59]

Description was changed from

==========
Reject CompositorFrames with no render passes when deserializing
==========

to

==========
Reject CompositorFrames with no render passes when deserializing
CQ_INCLUDE_TRYBOTS=master.tryserver.blink:linux_trusty_blink_rel
==========

[Saman Sami, 2017-04-24 15:17:12]

The CQ bit was checked by samans@chromium.org to run a CQ dry run

[commit-bot: I haz the power, 2017-04-24 15:17:47]

Dry run: CQ is trying da patch.

Follow status at:
https://chromium-cq-status.appspot.com/v2/patch-status/codereview.chromium.or...

[Saman Sami, 2017-04-24 15:22:40]

Description was changed from

==========
Reject CompositorFrames with no render passes when deserializing
CQ_INCLUDE_TRYBOTS=master.tryserver.blink:linux_trusty_blink_rel
==========

to

==========
Reject CompositorFrames with no render passes when deserializing

LayerTreeHostImpl::DrawLayers never submits a CompositorFrame with no
render passes. Currently we verify that the CompositorFrame sent from
the renderer does not have an empty render pass list in
RenderWidgetHostImpl::SubmitCompositorFrame. This check is necessary
because letting such CompositorFrames through will violate assumptions
and causes the browser to crash. This CL moves the validation code
to StructTraits / ParamTraits because that's where all the IPC
validations are supposed to happen.

CQ_INCLUDE_TRYBOTS=master.tryserver.blink:linux_trusty_blink_rel
==========

[Saman Sami, 2017-04-24 15:24:46]

The CQ bit was checked by samans@chromium.org to run a CQ dry run

[commit-bot: I haz the power, 2017-04-24 15:25:00]

Dry run: CQ is trying da patch.

Follow status at:
https://chromium-cq-status.appspot.com/v2/patch-status/codereview.chromium.or...

[Saman Sami, 2017-04-24 16:35:17]

The CQ bit was checked by samans@chromium.org to run a CQ dry run

[commit-bot: I haz the power, 2017-04-24 16:35:43]

Dry run: CQ is trying da patch.

Follow status at:
https://chromium-cq-status.appspot.com/v2/patch-status/codereview.chromium.or...

[Saman Sami, 2017-04-24 16:55:01]

The CQ bit was checked by samans@chromium.org to run a CQ dry run

[commit-bot: I haz the power, 2017-04-24 16:55:26]

Dry run: CQ is trying da patch.

Follow status at:
https://chromium-cq-status.appspot.com/v2/patch-status/codereview.chromium.or...

[Saman Sami, 2017-04-24 16:57:15]

The CQ bit was checked by samans@chromium.org to run a CQ dry run

[commit-bot: I haz the power, 2017-04-24 16:57:40]

Dry run: CQ is trying da patch.

Follow status at:
https://chromium-cq-status.appspot.com/v2/patch-status/codereview.chromium.or...

[Saman Sami, 2017-04-24 16:59:46]

Patchset #4 (id:60001) has been deleted

[Saman Sami, 2017-04-24 16:59:56]

Patchset #3 (id:40001) has been deleted

[Saman Sami, 2017-04-24 17:00:06]

Patchset #2 (id:20001) has been deleted

[Saman Sami, 2017-04-24 17:04:47]

The CQ bit was checked by samans@chromium.org to run a CQ dry run

[Saman Sami, 2017-04-24 17:04:53]

Patchset #2 (id:80001) has been deleted

[commit-bot: I haz the power, 2017-04-24 17:05:07]

Dry run: CQ is trying da patch.

Follow status at:
https://chromium-cq-status.appspot.com/v2/patch-status/codereview.chromium.or...

[Saman Sami, 2017-04-24 17:10:57]

Description was changed from

==========
Reject CompositorFrames with no render passes when deserializing

LayerTreeHostImpl::DrawLayers never submits a CompositorFrame with no
render passes. Currently we verify that the CompositorFrame sent from
the renderer does not have an empty render pass list in
RenderWidgetHostImpl::SubmitCompositorFrame. This check is necessary
because letting such CompositorFrames through will violate assumptions
and causes the browser to crash. This CL moves the validation code
to StructTraits / ParamTraits because that's where all the IPC
validations are supposed to happen.

CQ_INCLUDE_TRYBOTS=master.tryserver.blink:linux_trusty_blink_rel
==========

to

==========
Reject CompositorFrames with no render passes when deserializing

LayerTreeHostImpl::DrawLayers never submits a CompositorFrame with no
render passes. Currently we verify that the CompositorFrame sent from
the renderer does not have an empty render pass list in
RenderWidgetHostImpl::SubmitCompositorFrame. This check is necessary
because letting such CompositorFrames through will violate assumptions
and causes the browser to crash. This CL moves the validation code
to StructTraits / ParamTraits because that's where all the IPC
validations are supposed to happen. Some changes in Android's 
synchronous compositor was necessary because currently it sends
CompositorFrames with no render passes when swap fails. Now it sends
a base::Optional<CompositorFrame> because otherwise its messages would
get rejected.

CQ_INCLUDE_TRYBOTS=master.tryserver.blink:linux_trusty_blink_rel
==========

[Saman Sami, 2017-04-24 17:12:15]

Description was changed from

==========
Reject CompositorFrames with no render passes when deserializing

LayerTreeHostImpl::DrawLayers never submits a CompositorFrame with no
render passes. Currently we verify that the CompositorFrame sent from
the renderer does not have an empty render pass list in
RenderWidgetHostImpl::SubmitCompositorFrame. This check is necessary
because letting such CompositorFrames through will violate assumptions
and causes the browser to crash. This CL moves the validation code
to StructTraits / ParamTraits because that's where all the IPC
validations are supposed to happen. Some changes in Android's 
synchronous compositor was necessary because currently it sends
CompositorFrames with no render passes when swap fails. Now it sends
a base::Optional<CompositorFrame> because otherwise its messages would
get rejected.

CQ_INCLUDE_TRYBOTS=master.tryserver.blink:linux_trusty_blink_rel
==========

to

==========
Reject CompositorFrames with no render passes when deserializing

LayerTreeHostImpl::DrawLayers never submits a CompositorFrame with no
render passes. Currently we verify that the CompositorFrame sent from
the renderer does not have an empty render pass list in
RenderWidgetHostImpl::SubmitCompositorFrame. This check is necessary
because letting such CompositorFrames through will violate assumptions
and causes the browser to crash. This CL moves the validation code
to StructTraits / ParamTraits because that's where all the IPC
validations are supposed to happen. Some changes in Android's 
synchronous compositor was necessary because currently it sends
CompositorFrames with no render passes when swap fails. After this CL
it will send a base::Optional<CompositorFrame> because otherwise its
messages would get rejected.

CQ_INCLUDE_TRYBOTS=master.tryserver.blink:linux_trusty_blink_rel
==========

[Saman Sami, 2017-04-24 17:35:45]

samans@chromium.org changed reviewers:
+ tsepez@chromium.org

[Saman Sami, 2017-04-24 17:39:45]

Description was changed from

==========
Reject CompositorFrames with no render passes when deserializing

LayerTreeHostImpl::DrawLayers never submits a CompositorFrame with no
render passes. Currently we verify that the CompositorFrame sent from
the renderer does not have an empty render pass list in
RenderWidgetHostImpl::SubmitCompositorFrame. This check is necessary
because letting such CompositorFrames through will violate assumptions
and causes the browser to crash. This CL moves the validation code
to StructTraits / ParamTraits because that's where all the IPC
validations are supposed to happen. Some changes in Android's 
synchronous compositor was necessary because currently it sends
CompositorFrames with no render passes when swap fails. After this CL
it will send a base::Optional<CompositorFrame> because otherwise its
messages would get rejected.

CQ_INCLUDE_TRYBOTS=master.tryserver.blink:linux_trusty_blink_rel
==========

to

==========
Reject CompositorFrames with no render passes when deserializing

LayerTreeHostImpl::DrawLayers never submits a CompositorFrame with no
render passes. Currently we verify that the CompositorFrame sent from
the renderer does not have an empty render pass list in
RenderWidgetHostImpl::SubmitCompositorFrame. This check is necessary
because letting such CompositorFrames through will violate assumptions
and causes the browser to crash. This CL moves the validation code
to StructTraits / ParamTraits to centralize IPC message validation.
Some changes in Android's  synchronous compositor was necessary because 
currently it sends CompositorFrames with no render passes when swap 
fails. After this CL it will send a base::Optional<CompositorFrame> 
because otherwise its messages would get rejected.

CQ_INCLUDE_TRYBOTS=master.tryserver.blink:linux_trusty_blink_rel
==========

[Saman Sami, 2017-04-24 17:41:35]

samans@chromium.org changed reviewers:
- tsepez@chromium.org

[Saman Sami, 2017-04-24 18:06:29]

The CQ bit was checked by samans@chromium.org to run a CQ dry run

[commit-bot: I haz the power, 2017-04-24 18:06:38]

Dry run: CQ is trying da patch.

Follow status at:
https://chromium-cq-status.appspot.com/v2/patch-status/codereview.chromium.or...

[Saman Sami, 2017-04-24 18:15:19]

Description was changed from

==========
Reject CompositorFrames with no render passes when deserializing

LayerTreeHostImpl::DrawLayers never submits a CompositorFrame with no
render passes. Currently we verify that the CompositorFrame sent from
the renderer does not have an empty render pass list in
RenderWidgetHostImpl::SubmitCompositorFrame. This check is necessary
because letting such CompositorFrames through will violate assumptions
and causes the browser to crash. This CL moves the validation code
to StructTraits / ParamTraits to centralize IPC message validation.
Some changes in Android's  synchronous compositor was necessary because 
currently it sends CompositorFrames with no render passes when swap 
fails. After this CL it will send a base::Optional<CompositorFrame> 
because otherwise its messages would get rejected.

CQ_INCLUDE_TRYBOTS=master.tryserver.blink:linux_trusty_blink_rel
==========

to

==========
Reject CompositorFrames with no render passes when deserializing

LayerTreeHostImpl::DrawLayers never submits a CompositorFrame with no
render passes. Currently we verify that the CompositorFrame sent from
the renderer does not have an empty render pass list in
RenderWidgetHostImpl::SubmitCompositorFrame. This check is necessary
because letting such CompositorFrames through will violate assumptions
and causes the browser to crash. This CL moves the validation code
to StructTraits / ParamTraits to centralize IPC message validation.
Some changes in Android's synchronous compositor was necessary because currently
when it wants to send the CompositorFrameMetadata to the
browser, instead of just sending the metadata directly it creates an
empty CompositorFrame, puts the metadata there and then sends the frame. Such
frames do not pass the new validation rule, so now we just
send the metadata directly.

CQ_INCLUDE_TRYBOTS=master.tryserver.blink:linux_trusty_blink_rel
==========

[Saman Sami, 2017-04-24 18:15:37]

Description was changed from

==========
Reject CompositorFrames with no render passes when deserializing

LayerTreeHostImpl::DrawLayers never submits a CompositorFrame with no
render passes. Currently we verify that the CompositorFrame sent from
the renderer does not have an empty render pass list in
RenderWidgetHostImpl::SubmitCompositorFrame. This check is necessary
because letting such CompositorFrames through will violate assumptions
and causes the browser to crash. This CL moves the validation code
to StructTraits / ParamTraits to centralize IPC message validation.
Some changes in Android's synchronous compositor was necessary because currently
when it wants to send the CompositorFrameMetadata to the
browser, instead of just sending the metadata directly it creates an
empty CompositorFrame, puts the metadata there and then sends the frame. Such
frames do not pass the new validation rule, so now we just
send the metadata directly.

CQ_INCLUDE_TRYBOTS=master.tryserver.blink:linux_trusty_blink_rel
==========

to

==========
Reject CompositorFrames with no render passes when deserializing

LayerTreeHostImpl::DrawLayers never submits a CompositorFrame with no
render passes. Currently we verify that the CompositorFrame sent from
the renderer does not have an empty render pass list in
RenderWidgetHostImpl::SubmitCompositorFrame. This check is necessary
because letting such CompositorFrames through will violate assumptions
and causes the browser to crash. This CL moves the validation code
to StructTraits / ParamTraits to centralize IPC message validation.
Some changes in Android's synchronous compositor was necessary because
currently when it wants to send the CompositorFrameMetadata to the
browser, instead of just sending the metadata directly it creates an
empty CompositorFrame, puts the metadata there and then sends the 
frame. Such frames do not pass the new validation rule, so now we just
send the metadata directly.

CQ_INCLUDE_TRYBOTS=master.tryserver.blink:linux_trusty_blink_rel
==========

[Saman Sami, 2017-04-24 18:26:18]

samans@chromium.org changed reviewers:
+ tsepez@chromium.org

[Saman Sami, 2017-04-24 18:28:17]

tsepez: Please review IPC.

[Tom Sepez, 2017-04-24 18:35:41]

lgtm

[Saman Sami, 2017-04-24 18:36:48]

Patchset #2 (id:100001) has been deleted

[Saman Sami, 2017-04-24 18:44:49]

samans@chromium.org changed reviewers:
+ boliu@chromium.org

[Saman Sami, 2017-04-24 18:44:49]

boliu: Preview review changes to Android.

[boliu, 2017-04-24 19:03:57]

lgtm

[Saman Sami, 2017-04-24 19:04:24]

The CQ bit was unchecked by samans@chromium.org

[Saman Sami, 2017-04-24 19:04:33]

The CQ bit was checked by samans@chromium.org

[commit-bot: I haz the power, 2017-04-24 19:05:09]

CQ is trying da patch.

Follow status at:
https://chromium-cq-status.appspot.com/v2/patch-status/codereview.chromium.or...

[commit-bot: I haz the power, 2017-04-24 19:12:15]

CQ is committing da patch.

Bot data: {"patchset_id": 120001, "attempt_start_ts": 1493060673363230,
"parent_rev": "443a29819b5b55a5a9bf8fff7b6275a29028cfac", "commit_rev":
"9fa92a5ede5f54c27637f4bd65ad4d78af74f91d"}

[commit-bot: I haz the power, 2017-04-24 19:12:31]

CQ is committing da patch.

Bot data: {"patchset_id": 120001, "attempt_start_ts": 1493060673363230,
"parent_rev": "4323f7f47559ef583751c803306e8370ef7d1561", "commit_rev":
"ac53e53db3b6db49588a3ad69ba4231308091009"}

[commit-bot: I haz the power, 2017-04-24 19:12:43]

Description was changed from

==========
Reject CompositorFrames with no render passes when deserializing

LayerTreeHostImpl::DrawLayers never submits a CompositorFrame with no
render passes. Currently we verify that the CompositorFrame sent from
the renderer does not have an empty render pass list in
RenderWidgetHostImpl::SubmitCompositorFrame. This check is necessary
because letting such CompositorFrames through will violate assumptions
and causes the browser to crash. This CL moves the validation code
to StructTraits / ParamTraits to centralize IPC message validation.
Some changes in Android's synchronous compositor was necessary because
currently when it wants to send the CompositorFrameMetadata to the
browser, instead of just sending the metadata directly it creates an
empty CompositorFrame, puts the metadata there and then sends the 
frame. Such frames do not pass the new validation rule, so now we just
send the metadata directly.

CQ_INCLUDE_TRYBOTS=master.tryserver.blink:linux_trusty_blink_rel
==========

to

==========
Reject CompositorFrames with no render passes when deserializing

LayerTreeHostImpl::DrawLayers never submits a CompositorFrame with no
render passes. Currently we verify that the CompositorFrame sent from
the renderer does not have an empty render pass list in
RenderWidgetHostImpl::SubmitCompositorFrame. This check is necessary
because letting such CompositorFrames through will violate assumptions
and causes the browser to crash. This CL moves the validation code
to StructTraits / ParamTraits to centralize IPC message validation.
Some changes in Android's synchronous compositor was necessary because
currently when it wants to send the CompositorFrameMetadata to the
browser, instead of just sending the metadata directly it creates an
empty CompositorFrame, puts the metadata there and then sends the 
frame. Such frames do not pass the new validation rule, so now we just
send the metadata directly.

CQ_INCLUDE_TRYBOTS=master.tryserver.blink:linux_trusty_blink_rel

Review-Url: https://codereview.chromium.org/2835203002
Cr-Commit-Position: refs/heads/master@{#466708}
Committed:
https://chromium.googlesource.com/chromium/src/+/ac53e53db3b6db49588a3ad69ba4...
==========

[commit-bot: I haz the power, 2017-04-24 19:12:47]

Committed patchset #2 (id:120001) as
https://chromium.googlesource.com/chromium/src/+/ac53e53db3b6db49588a3ad69ba4...