1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
673
674
675
676
677
678
679
680
681
682
683
684
685
686
687
688
689
690
691
692
693
694
695
696
697
698
699
700
701
702
703
704
705
706
707
708
709
710
711
712
713
714
715
716
717
718
719
720
721
722
723
724
725
726
727
728
729
730
731
732
733
734
735
736
737
738
739
740
741
742
743
744
745
746
747
748
749
750
751
752
753
754
755
756
757
758
759
760
761
762
763
764
765
766
767
768
769
770
771
772
773
774
775
776
777
778
779
780
781
782
783
784
785
786
787
788
789
790
791
792
793
794
795
796
797
798
799
800
801
802
803
804
805
806
807
808
809
810
811
812
813
814
815
816
817
818
819
820
821
822
823
824
825
826
827
content / public / browser / render_process_host.h [blame]
// Copyright 2012 The Chromium Authors
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
#ifndef CONTENT_PUBLIC_BROWSER_RENDER_PROCESS_HOST_H_
#define CONTENT_PUBLIC_BROWSER_RENDER_PROCESS_HOST_H_
#include <stddef.h>
#include <stdint.h>
#include <memory>
#include <string>
#include "base/callback_list.h"
#include "base/clang_profiling_buildflags.h"
#include "base/containers/heap_array.h"
#include "base/containers/id_map.h"
#include "base/functional/function_ref.h"
#include "base/memory/safety_checks.h"
#include "base/process/kill.h"
#include "base/process/process.h"
#include "base/supports_user_data.h"
#include "base/tracing/protos/chrome_track_event.pbzero.h"
#include "build/build_config.h"
#include "content/common/buildflags.h"
#include "content/common/content_export.h"
#include "content/public/browser/web_exposed_isolation_level.h"
#include "ipc/ipc_listener.h"
#include "ipc/ipc_sender.h"
#include "media/media_buildflags.h"
#include "media/mojo/mojom/video_decode_perf_history.mojom-forward.h"
#include "mojo/public/cpp/bindings/generic_pending_receiver.h"
#include "mojo/public/cpp/bindings/pending_receiver.h"
#include "mojo/public/cpp/bindings/pending_remote.h"
#include "net/base/network_isolation_key.h"
#include "services/network/public/mojom/cross_origin_embedder_policy.mojom-forward.h"
#include "services/network/public/mojom/network_context.mojom-forward.h"
#include "services/network/public/mojom/restricted_cookie_manager.mojom-forward.h"
#include "services/network/public/mojom/url_loader_factory.mojom-forward.h"
#include "third_party/blink/public/mojom/background_sync/background_sync.mojom.h"
#include "third_party/blink/public/mojom/buckets/bucket_manager_host.mojom-forward.h"
#include "third_party/blink/public/mojom/cache_storage/cache_storage.mojom-forward.h"
#include "third_party/blink/public/mojom/file_system_access/file_system_access_manager.mojom.h"
#include "third_party/blink/public/mojom/filesystem/file_system.mojom-forward.h"
#include "third_party/blink/public/mojom/indexeddb/indexeddb.mojom-forward.h"
#include "third_party/blink/public/mojom/locks/lock_manager.mojom-forward.h"
#include "third_party/blink/public/mojom/notifications/notification_service.mojom-forward.h"
#include "third_party/blink/public/mojom/payments/payment_app.mojom-forward.h"
#include "third_party/blink/public/mojom/permissions/permission.mojom-forward.h"
#include "third_party/blink/public/mojom/quota/quota_manager_host.mojom-forward.h"
#include "third_party/blink/public/mojom/websockets/websocket_connector.mojom-forward.h"
#include "third_party/perfetto/include/perfetto/tracing/traced_proto.h"
#include "third_party/perfetto/include/perfetto/tracing/traced_value_forward.h"
#include "ui/gfx/native_widget_types.h"
#if BUILDFLAG(IS_ANDROID)
#include "content/public/browser/android/child_process_importance.h"
#endif
#if BUILDFLAG(ALLOW_OOP_VIDEO_DECODER)
#include "media/mojo/mojom/stable/stable_video_decoder.mojom-forward.h"
#endif // BUILDFLAG(ALLOW_OOP_VIDEO_DECODER)
#if BUILDFLAG(IS_FUCHSIA)
#include "media/mojo/mojom/fuchsia_media.mojom-forward.h"
#endif
class GURL;
namespace base {
class PersistentMemoryAllocator;
class TimeDelta;
class Token;
#if BUILDFLAG(IS_ANDROID)
namespace android {
enum class ChildBindingState;
}
#endif
} // namespace base
namespace blink {
class StorageKey;
} // namespace blink
namespace IPC {
class ChannelProxy;
} // namespace IPC
namespace network {
struct CrossOriginEmbedderPolicy;
struct DocumentIsolationPolicy;
} // namespace network
namespace storage {
struct BucketLocator;
}
namespace url {
class Origin;
} // namespace url
namespace content {
class BrowserContext;
class BucketContext;
class IsolationContext;
class ProcessLock;
class RenderFrameHost;
class RenderProcessHostObserver;
class RenderProcessHostPriorityClient;
class SiteInfo;
class StoragePartition;
struct GlobalRenderFrameHostId;
#if BUILDFLAG(IS_ANDROID)
enum class ChildProcessImportance;
#endif
#if BUILDFLAG(CONTENT_ENABLE_LEGACY_IPC)
class BrowserMessageFilter;
#endif
namespace mojom {
class Renderer;
} // namespace mojom
// Interface that represents the browser side of the browser <-> renderer
// communication channel. There will generally be one RenderProcessHost per
// renderer process.
class CONTENT_EXPORT RenderProcessHost : public IPC::Sender,
public IPC::Listener,
public base::SupportsUserData {
// Do not remove this macro!
// The macro is maintained by the memory safety team.
ADVANCED_MEMORY_SAFETY_CHECKS();
public:
using iterator = base::IDMap<RenderProcessHost*>::iterator;
// Crash reporting mode for ShutdownForBadMessage.
enum class CrashReportMode {
NO_CRASH_DUMP,
GENERATE_CRASH_DUMP,
};
enum class NotificationServiceCreatorType {
kDocument,
kDedicatedWorker,
kSharedWorker,
kServiceWorker
};
// General functions ---------------------------------------------------------
~RenderProcessHost() override {}
// Initialize the new renderer process, returning true on success. This must
// be called once before the object can be used, but can be called after
// that with no effect. Therefore, if the caller isn't sure about whether
// the process has been created, it should just call Init().
virtual bool Init() = 0;
// Ensures that a Channel exists and is at least queueing outgoing messages
// if there isn't a render process connected to it yet. This may be used to
// ensure that in the event of a renderer crash and restart, subsequent
// messages sent via Send() will eventually reach the new process.
virtual void EnableSendQueue() = 0;
// Gets the next available routing id.
virtual int GetNextRoutingID() = 0;
// These methods add or remove listener for a specific message routing ID.
// Used for refcounting, each holder of this object must AddRoute and
// RemoveRoute. This object should be allocated on the heap; when no
// listeners own it any more, it will delete itself.
virtual void AddRoute(int32_t routing_id, IPC::Listener* listener) = 0;
virtual void RemoveRoute(int32_t routing_id) = 0;
// Add and remove observers for lifecycle events. The order in which
// notifications are sent to observers is undefined. Observers must be sure to
// remove the observer before they go away.
virtual void AddObserver(RenderProcessHostObserver* observer) = 0;
virtual void RemoveObserver(RenderProcessHostObserver* observer) = 0;
// Called when a received message cannot be decoded. Terminates the renderer.
// Most callers should not call this directly, but instead should call
// bad_message::BadMessageReceived() or an equivalent method outside of the
// content module.
//
// If |crash_report_mode| is GENERATE_CRASH_DUMP, then a browser crash dump
// will be reported as well.
virtual void ShutdownForBadMessage(CrashReportMode crash_report_mode) = 0;
// Recompute Priority state. RenderProcessHostPriorityClient should call this
// when their individual priority changes.
virtual void UpdateClientPriority(
RenderProcessHostPriorityClient* client) = 0;
// Number of visible (ie |!is_hidden|) RenderProcessHostPriorityClients.
virtual int VisibleClientCount() = 0;
// Get computed frame depth from RenderProcessHostPriorityClients.
virtual unsigned int GetFrameDepth() = 0;
// Get computed viewport intersection state from
// RenderProcessHostPriorityClients.
virtual bool GetIntersectsViewport() = 0;
// Called when a video capture stream or an audio stream is added or removed
// and used to determine if the process should be backgrounded or not.
virtual void OnMediaStreamAdded() = 0;
virtual void OnMediaStreamRemoved() = 0;
// Called when a service worker is executing in the process and may need
// to respond to events from other processes in a timely manner. This is
// used to determine if the process should be backgrounded or not.
virtual void OnForegroundServiceWorkerAdded() = 0;
virtual void OnForegroundServiceWorkerRemoved() = 0;
// This is an experimental code that keeps the renderer process foregrounded
// from CommitNavigation to DOMContentLoaded (crbug/351953350). This is used
// to determine if the process should be backgrounded or not.
virtual void OnBoostForLoadingAdded() = 0;
virtual void OnBoostForLoadingRemoved() = 0;
// Indicates whether the current RenderProcessHost is exclusively hosting
// guest RenderFrames. Not all guest RenderFrames are created equal. A guest,
// as indicated by BrowserPluginGuest::IsGuest, may coexist with other
// non-guest RenderFrames in the same process if IsForGuestsOnly() is false.
virtual bool IsForGuestsOnly() = 0;
// Indicates whether the current RenderProcessHost is running with JavaScript
// JIT disabled.
virtual bool IsJitDisabled() = 0;
// Indicates whether the current RenderProcessHost is running with v8
// optimizations disabled. This is distinct from IsJitDisabled() -
// IsJitDisabled() disables all JIT compilation in the renderer, while
// AreV8OptimizationsDisabled() only disables the higher-tier V8 optimizers,
// leaving the basic JIT compiler in V8 (and the wasm JIT compiler) enabled.
virtual bool AreV8OptimizationsDisabled() = 0;
// Indicates whether the current RenderProcessHost exclusively hosts PDF
// content.
virtual bool IsPdf() = 0;
// Returns the storage partition associated with this process.
virtual StoragePartition* GetStoragePartition() = 0;
// Terminate the associated renderer process without running unload handlers,
// waiting for the process to exit, etc. If supported by the OS, set the
// process exit code to |exit_code|. Returns false if the shutdown request
// will not be dispatched. If called before
// RenderProcessHostObserver::RenderProcessReady,
// RenderProcessHostObserver::RenderProcessExited may never be called since
// Shutdown() will race with child process startup.
virtual bool Shutdown(int exit_code) = 0;
// Returns true if shutdown was started by calling |Shutdown()|.
virtual bool ShutdownRequested() = 0;
// Try to shut down the associated renderer process as fast as possible.
// If a non-zero |page_count| value is provided, then a fast shutdown will
// only happen if the count matches the active view count. If
// |skip_unload_handlers| is false and this renderer has any RenderViews with
// unload handlers, then this function does nothing. Otherwise, the function
// will ingnore checking for those handlers. Returns true if it was able to do
// fast shutdown.
virtual bool FastShutdownIfPossible(size_t page_count = 0,
bool skip_unload_handlers = false) = 0;
// Returns true if fast shutdown was started for the renderer.
virtual bool FastShutdownStarted() = 0;
// Returns the process object associated with the child process. In certain
// tests or single-process mode, this will actually represent the current
// process.
//
// NOTE: this is not necessarily valid immediately after calling Init, as
// Init starts the process asynchronously. It's guaranteed to be valid after
// the first IPC arrives or RenderProcessReady was called on a
// RenderProcessHostObserver for this. At that point, IsReady() returns true.
virtual const base::Process& GetProcess() = 0;
// Returns whether the process is ready. The process is ready once both
// conditions (which can happen in arbitrary order) are true:
// 1- the launcher reported a successful launch
// 2- the channel is connected.
//
// After that point, GetHandle() is valid, and deferred messages have been
// sent.
virtual bool IsReady() = 0;
// Returns the user browser context associated with this renderer process.
virtual content::BrowserContext* GetBrowserContext() = 0;
// Returns whether this process is using the same StoragePartition as
// |partition|.
virtual bool InSameStoragePartition(StoragePartition* partition) = 0;
// Returns the unique ID for this child process host. This can be used later
// in a call to FromID() to get back to this object (this is used to avoid
// sending non-threadsafe pointers to other threads).
//
// This ID will be unique across all child process hosts, including workers,
// plugins, etc.
//
// This will never return ChildProcessHost::kInvalidUniqueID.
virtual int GetID() const = 0;
// Returns a SafeRef to `this`. It should only be used in non-owning cases,
// where the caller is not expected to outlive `this`.
// This method is public so that it can be called from within //content, and
// used by MockRenderProcessHost. It isn't meant to be called outside of
// //content.
virtual base::SafeRef<RenderProcessHost> GetSafeRef() const = 0;
// Returns true iff the Init() was called and the process hasn't died yet.
//
// Note that even if IsInitializedAndNotDead() returns true, then (for a short
// duration after calling Init()) the process might not be fully spawned
// *yet*. For example - IsReady() might return false and GetProcess() might
// still return an invalid process with a null handle.
virtual bool IsInitializedAndNotDead() = 0;
// Returns true iff the decision has been made to delete `this`.
//
// If this returns true, then no new child processes will be associated
// with `this`.
virtual bool IsDeletingSoon() = 0;
// Returns the renderer channel.
virtual IPC::ChannelProxy* GetChannel() = 0;
#if BUILDFLAG(CONTENT_ENABLE_LEGACY_IPC)
// Adds a message filter to the IPC channel.
virtual void AddFilter(BrowserMessageFilter* filter) = 0;
#endif
// Sets whether this render process is blocked. This means that input events
// should not be sent to it, nor other timely signs of life expected from it.
virtual void SetBlocked(bool blocked) = 0;
virtual bool IsBlocked() = 0;
using BlockStateChangedCallbackList = base::RepeatingCallbackList<void(bool)>;
using BlockStateChangedCallback = BlockStateChangedCallbackList::CallbackType;
virtual base::CallbackListSubscription RegisterBlockStateChangedCallback(
const BlockStateChangedCallback& cb) = 0;
// Schedules the host for deletion and removes it from the all_hosts list.
virtual void Cleanup() = 0;
// Track the count of pending views that are being swapped back in. Called
// by listeners to register and unregister pending views to prevent the
// process from exiting.
virtual void AddPendingView() = 0;
virtual void RemovePendingView() = 0;
// Adds and removes priority clients.
virtual void AddPriorityClient(
RenderProcessHostPriorityClient* priority_client) = 0;
virtual void RemovePriorityClient(
RenderProcessHostPriorityClient* priority_client) = 0;
#if !BUILDFLAG(IS_ANDROID)
// Sets a process priority override. This overrides the entire built-in
// priority setting mechanism for the process.
// TODO(pmonette): Make this work well on Android.
virtual void SetPriorityOverride(base::Process::Priority priority) = 0;
virtual bool HasPriorityOverride() = 0;
virtual void ClearPriorityOverride() = 0;
#endif
#if BUILDFLAG(IS_ANDROID)
// Return the highest importance of all widgets in this process.
virtual ChildProcessImportance GetEffectiveImportance() = 0;
// Return the highest binding this process has.
virtual base::android::ChildBindingState GetEffectiveChildBindingState() = 0;
// Dumps the stack of this render process without crashing it.
virtual void DumpProcessStack() = 0;
#endif
virtual void PauseSocketManagerForRenderFrameHost(
const GlobalRenderFrameHostId& render_frame_host_id) = 0;
virtual void ResumeSocketManagerForRenderFrameHost(
const GlobalRenderFrameHostId& render_frame_host_id) = 0;
// Sets a flag indicating that the process can be abnormally terminated.
virtual void SetSuddenTerminationAllowed(bool allowed) = 0;
// Returns true if the process can be abnormally terminated.
virtual bool SuddenTerminationAllowed() = 0;
// Returns how long the child has been idle. The definition of idle
// depends on when a derived class calls mark_child_process_activity_time().
// This is a rough indicator and its resolution should not be better than
// 10 milliseconds.
virtual base::TimeDelta GetChildProcessIdleTime() = 0;
// Checks that the given renderer is allowed to request `url`; if not, `url`
// will be set to "about:blank#blocked".
//
// `empty_allowed` must be `false` when filtering URLs for navigations. The
// browser typically treats a navigation to an empty URL as a navigation to
// the home page, but this is often a privileged page, e.g. chrome://newtab/,
// which is a security problem that this method is specifically trying to
// block.
//
// This method return whether or not the URL was blocked so that callers can
// distinguish between the blocked case and a literal request to navigate to
// "about:blank#blocked".
enum class FilterURLResult {
kAllowed,
kBlocked,
};
virtual FilterURLResult FilterURL(bool empty_allowed, GURL* url) = 0;
virtual void EnableAudioDebugRecordings(const base::FilePath& file) = 0;
virtual void DisableAudioDebugRecordings() = 0;
using WebRtcRtpPacketCallback =
base::RepeatingCallback<void(base::HeapArray<uint8_t> packet_header,
size_t packet_length,
bool incoming)>;
using WebRtcStopRtpDumpCallback =
base::OnceCallback<void(bool incoming, bool outgoing)>;
// Starts passing RTP packets to |packet_callback| and returns the callback
// used to stop dumping.
virtual WebRtcStopRtpDumpCallback StartRtpDump(
bool incoming,
bool outgoing,
WebRtcRtpPacketCallback packet_callback) = 0;
// Asks the renderer process to bind |receiver|. |receiver| arrives in the
// renderer process and is carried through the following flow, stopping if any
// step decides to bind it:
//
// 1. IO thread, |ChildProcessImpl::BindReceiver()| (child_thread_impl.cc)
// 2. IO thread ,|ContentClient::BindChildProcessInterface()|
// 3. Main thread, |ChildThreadImpl::OnBindReceiver()| (virtual)
// 4. Possibly more steps, depending on the ChildThreadImpl subclass.
virtual void BindReceiver(mojo::GenericPendingReceiver receiver) = 0;
// Extracts any persistent-memory-allocator used for renderer metrics.
// Ownership is passed to the caller. To support sharing of histogram data
// between the Renderer and the Browser, the allocator is created when the
// process is created and later retrieved by the SubprocessMetricsProvider
// for management.
virtual std::unique_ptr<base::PersistentMemoryAllocator>
TakeMetricsAllocator() = 0;
// Returns the time of the last call to Init that was completed successfully
// (after a new renderer process was created); further calls to Init would
// change this value only when they caused the new process to be created after
// a crash.
virtual const base::TimeTicks& GetLastInitTime() = 0;
// Returns the priority of this process.
virtual base::Process::Priority GetPriority() = 0;
// Returns a list of durations for active KeepAlive requests.
// For debugging only. TODO(wjmaclean): Remove once the causes behind
// https://crbug.com/1148542 are known.
virtual std::string GetKeepAliveDurations() const = 0;
// Returns the number of active Shutdown-Delay requests.
// For debugging only. TODO(wjmaclean): Remove once the causes behind
// https://crbug.com/1148542 are known.
virtual size_t GetShutdownDelayRefCount() const = 0;
// Diagnostic code for https://crbug/1148542. This will be removed prior to
// resolving that issue. It counts all RenderFrameHosts that have not been
// destroyed, including speculative ones and pending deletion ones. This
// is included to allow MockRenderProcessHost to override them, and should not
// be called from outside of content/.
virtual int GetRenderFrameHostCount() const = 0;
// Calls |on_frame| for every RenderFrameHost whose frames live in this
// process. Note that speculative RenderFrameHosts will be skipped.
virtual void ForEachRenderFrameHost(
base::FunctionRef<void(RenderFrameHost*)> on_frame) = 0;
// Register/unregister a RenderFrameHost instance whose frame lives in this
// process. RegisterRenderFrameHost and UnregisterRenderFrameHost are the
// implementation details and should be called only from within //content.
virtual void RegisterRenderFrameHost(
const GlobalRenderFrameHostId& render_frame_host_id,
bool is_outermost_main_frame) = 0;
virtual void UnregisterRenderFrameHost(
const GlobalRenderFrameHostId& render_frame_host_id,
bool is_outermost_main_frame) = 0;
// "Worker ref count" is similar to "Keep alive ref count", but is specific to
// workers since they do not have pre-defined timeouts. Also affected by
// DisableRefCounts() in the same manner as for
// Increment/DecrementKeepAliveRefCount() functions.
//
// List of users:
// - Service Worker:
// While there are service workers who live in this process, they wish
// the renderer process to be alive. The ref count is incremented when this
// process is allocated to the worker, and decremented when worker's
// shutdown sequence is completed.
// - Shared Worker:
// While there are shared workers who live in this process, they wish
// the renderer process to be alive. The ref count is incremented when
// a shared worker is created in the process, and decremented when
// it is terminated (it self-destructs when it no longer has clients).
// - Shared Storage Worklet:
// (https://github.com/pythagoraskitty/shared-storage)
// While there are shared storage worklets who live in this process, they
// wish the renderer process to be alive. The ref count is incremented when
// a shared storage worklet is created in the process, and decremented when
// it is terminated (after the document is destroyed, the worklet
// will be destroyed when all pending operations have finished or a timeout
// is reached). Note that this is only relevant for the implementation of
// shared storage worklets that run in the renderer process. The actual
// process that the shared storage worklets are going to use is determined
// by the concrete implementation of
// `SharedStorageRenderThreadWorkletDriver`.
// - Auction Worklets (on Android only):
// (https://github.com/WICG/turtledove/blob/main/FLEDGE.md)
// Keeps the renderer alive if there are any worklets using it.
virtual void IncrementWorkerRefCount() = 0;
virtual void DecrementWorkerRefCount() = 0;
// "Pending reuse" ref count may be used to keep a process alive because we
// know that it will be reused soon. Unlike the keep alive ref count, it is
// not time-based, and unlike the worker ref count above, it is not used for
// workers. It is intentionally kept separate from the other ref counts to
// ease debugging, so that it's easier to tell what kept a particular process
// alive.
virtual void IncrementPendingReuseRefCount() = 0;
virtual void DecrementPendingReuseRefCount() = 0;
// Sets all the various process lifetime ref counts to zero (e.g., keep alive,
// worker, etc). Called when the browser context will be destroyed so this
// RenderProcessHost can immediately die.
//
// After this is called, the Increment/DecrementKeepAliveRefCount() functions
// and Increment/DecrementWorkerRefCount() functions must not be called.
virtual void DisableRefCounts() = 0;
// Returns true if DisableRefCounts() was called.
virtual bool AreRefCountsDisabled() = 0;
// Acquires the |mojom::Renderer| interface to the render process. This is for
// internal use only, and is only exposed here to support
// MockRenderProcessHost usage in tests.
virtual mojom::Renderer* GetRendererInterface() = 0;
// Whether this process is locked out from ever being reused for sites other
// than the ones it currently has.
virtual bool MayReuseHost() = 0;
// Indicates whether this RenderProcessHost is "unused". This starts out as
// true for new processes and becomes false after one of the following:
// (1) This process commits any page.
// (2) This process is given to a SiteInstance that already has a site
// assigned.
// Note that a process hosting ServiceWorkers will be implicitly handled by
// (2) during ServiceWorker initialization, and SharedWorkers will be handled
// by (1) since a page needs to commit before it can create a SharedWorker.
//
// While a process is unused, it is still suitable to host a URL that
// requires a dedicated process.
virtual bool IsUnused() = 0;
virtual void SetIsUsed() = 0;
// Return true if the host has not been used. This is stronger than IsUnused()
// in that it checks if this RPH has ever been used to render at all, rather
// than just no being suitable to host a URL that requires a dedicated
// process.
// TODO(alexmos): can this be unified with IsUnused()? See also
// crbug.com/738634.
virtual bool HostHasNotBeenUsed() = 0;
// Returns true if this is a spare RenderProcessHost.
virtual bool IsSpare() const = 0;
// Locks this RenderProcessHost to documents compatible with |process_lock|.
// This method is public so that it can be called from within //content, and
// used by MockRenderProcessHost. It isn't meant to be called outside of
// //content.
virtual void SetProcessLock(const IsolationContext& isolation_context,
const ProcessLock& process_lock) = 0;
// Returns the ProcessLock associated with this process.
// This method is public so that it can be called from within //content, and
// used by MockRenderProcessHost. It isn't meant to be called outside of
// //content.
virtual ProcessLock GetProcessLock() const = 0;
// Returns true if this process is locked to a particular site-specific
// ProcessLock. See the SetProcessLock() call above.
virtual bool IsProcessLockedToSiteForTesting() = 0;
// The following several methods are for internal use only, and are only
// exposed here to support MockRenderProcessHost usage in tests.
virtual void DelayProcessShutdown(
const base::TimeDelta& subframe_shutdown_timeout,
const base::TimeDelta& unload_handler_timeout,
const SiteInfo& site_info) = 0;
virtual void StopTrackingProcessForShutdownDelay() = 0;
virtual void BindCacheStorage(
const network::CrossOriginEmbedderPolicy& cross_origin_embedder_policy,
mojo::PendingRemote<network::mojom::CrossOriginEmbedderPolicyReporter>
coep_reporter_remote,
const network::DocumentIsolationPolicy& document_isolation_policy,
const storage::BucketLocator& bucket_locator,
mojo::PendingReceiver<blink::mojom::CacheStorage> receiver) = 0;
virtual void BindFileSystemManager(
const blink::StorageKey& storage_key,
mojo::PendingReceiver<blink::mojom::FileSystemManager> receiver) = 0;
virtual void BindFileSystemAccessManager(
const blink::StorageKey& storage_key,
mojo::PendingReceiver<blink::mojom::FileSystemAccessManager>
receiver) = 0;
virtual void GetSandboxedFileSystemForBucket(
const storage::BucketLocator& bucket_locator,
const std::vector<std::string>& directory_path_components,
blink::mojom::FileSystemAccessManager::GetSandboxedFileSystemCallback
callback) = 0;
virtual void BindIndexedDB(
const blink::StorageKey& storage_key,
BucketContext& bucket_context,
mojo::PendingReceiver<blink::mojom::IDBFactory> receiver) = 0;
virtual void BindBucketManagerHost(
base::WeakPtr<BucketContext> bucket_context,
mojo::PendingReceiver<blink::mojom::BucketManagerHost> receiver) = 0;
virtual void BindRestrictedCookieManagerForServiceWorker(
const blink::StorageKey& storage_key,
mojo::PendingReceiver<network::mojom::RestrictedCookieManager>
receiver) = 0;
virtual void BindVideoDecodePerfHistory(
mojo::PendingReceiver<media::mojom::VideoDecodePerfHistory> receiver) = 0;
#if BUILDFLAG(IS_FUCHSIA)
virtual void BindMediaCodecProvider(
mojo::PendingReceiver<media::mojom::FuchsiaMediaCodecProvider>
receiver) = 0;
#endif
virtual void CreateOneShotSyncService(
const url::Origin& origin,
mojo::PendingReceiver<blink::mojom::OneShotBackgroundSyncService>
receiver) = 0;
virtual void CreatePeriodicSyncService(
const url::Origin& origin,
mojo::PendingReceiver<blink::mojom::PeriodicBackgroundSyncService>
receiver) = 0;
virtual void BindQuotaManagerHost(
const blink::StorageKey& storage_key,
mojo::PendingReceiver<blink::mojom::QuotaManagerHost> receiver) = 0;
virtual void CreateLockManager(
const blink::StorageKey& storage_key,
mojo::PendingReceiver<blink::mojom::LockManager> receiver) = 0;
virtual void CreatePermissionService(
const url::Origin& origin,
mojo::PendingReceiver<blink::mojom::PermissionService> receiver) = 0;
virtual void CreatePaymentManagerForOrigin(
const url::Origin& origin,
mojo::PendingReceiver<payments::mojom::PaymentManager> receiver) = 0;
// `rfh_id` is the id for RenderFrameHost for the `receiver` if
// the notification service is created by a document, or the id for the
// ancestor RenderFrameHost of the worker if the notification service is
// created by a dedicated worker, or empty value otherwise.
virtual void CreateNotificationService(
GlobalRenderFrameHostId rfh_id,
NotificationServiceCreatorType creator_type,
const blink::StorageKey& storage_key,
mojo::PendingReceiver<blink::mojom::NotificationService> receiver) = 0;
virtual void CreateWebSocketConnector(
const blink::StorageKey& storage_key,
mojo::PendingReceiver<blink::mojom::WebSocketConnector> receiver) = 0;
#if BUILDFLAG(ALLOW_OOP_VIDEO_DECODER)
virtual void CreateStableVideoDecoder(
mojo::PendingReceiver<media::stable::mojom::StableVideoDecoder>
receiver) = 0;
#endif // BUILDFLAG(ALLOW_OOP_VIDEO_DECODER)
// Returns the current number of active views in this process. Excludes
// any RenderViewHosts that are swapped out.
size_t GetActiveViewCount();
// Returns the cross-origin isolation mode used by content in this process.
//
// Unlike WebExposedIsolationInfo, this is not guaranteed to be the same for
// all processes in a BrowsingInstance; frames that are not delegated the
// "cross-origin-isolated" permissions policy will have a kNotIsolated
// isolation level, even if their WebExposedIsolationInfo is isolated.
// Additionally, content that is cross-origin to a kIsolatedApplication main
// frame will return kIsolated, as the application isolation level cannot be
// inherited cross-origin.
//
// RenderFrameHost::GetWebExposedIsolationLevel() should typically be used
// instead of this function if running in the context a frame so that
// Permissions Policy can be taken into account. This function should be used
// in contexts that don't have an associated frame like shared/service
// workers. Once Permissions Policy applies to workers, a worker-specific
// API to access isolation capability may need to be introduced which should
// be used instead of this.
//
// Note that the embedder can force-enable APIs in frames even if they
// lack the necessary privilege. This function doesn't account for that;
// use content::IsIsolatedContext(RenderProcessHost*) to handle this case.
WebExposedIsolationLevel GetWebExposedIsolationLevel();
// Posts |task|, if this RenderProcessHost is ready or when it becomes ready
// (see RenderProcessHost::IsReady method). The |task| might not run at all
// (e.g. if |render_process_host| is destroyed before becoming ready). This
// function can only be called on the browser's UI thread (and the |task| will
// be posted back on the UI thread).
void PostTaskWhenProcessIsReady(base::OnceClosure task);
// Forces the renderer process to crash ASAP.
virtual void ForceCrash() {}
// Returns a string that contains information useful for debugging
// crashes related to RenderProcessHost objects staying alive longer than
// the BrowserContext they are associated with.
virtual std::string GetInfoForBrowserContextDestructionCrashReporting() = 0;
using TraceProto = perfetto::protos::pbzero::RenderProcessHost;
// Write a representation of this object into a trace.
virtual void WriteIntoTrace(
perfetto::TracedProto<TraceProto> proto) const = 0;
#if BUILDFLAG(CLANG_PROFILING_INSIDE_SANDBOX)
// Ask the renderer process to dump its profiling data to disk. Invokes
// |callback| once this has completed.
virtual void DumpProfilingData(base::OnceClosure callback) {}
#endif
#if BUILDFLAG(IS_CHROMEOS_ASH)
// Reinitializes the child process's logging with the given settings. This
// is needed on Chrome OS, which switches to a log file in the user's home
// directory once they log in.
virtual void ReinitializeLogging(uint32_t logging_dest,
base::ScopedFD log_file_descriptor) = 0;
#endif
// Asks the renderer process to prioritize energy efficiency because the
// embedder is in battery saver mode. This signal is propagated to blink and
// v8. The default state is `false`, meaning the power/speed tuning is left up
// to the different components to figure out.
virtual void SetBatterySaverMode(bool battery_saver_mode_enabled) = 0;
// Return the memory usage of this process. On Android this value is
// provided by the renderer periodically. On other platforms this value is
// read from the OS but is cached for a short duration so we don't incur
// a cost on every call.
virtual uint64_t GetPrivateMemoryFootprint() = 0;
// Static management functions -----------------------------------------------
// Flag to run the renderer in process. This is primarily
// for debugging purposes. When running "in process", the
// browser maintains a single RenderProcessHost which communicates
// to a RenderProcess which is instantiated in the same process
// with the Browser. All IPC between the Browser and the
// Renderer is the same, it's just not crossing a process boundary.
static bool run_renderer_in_process();
// This also calls out to ContentBrowserClient::GetApplicationLocale and
// modifies the current process' command line.
// NOTE: This function is fundamentally unsafe and *should not be used*. By
// the time a ContentBrowserClient exists in test fixtures, it is already
// unsafe to modify the command-line. The command-line should only be modified
// from SetUpCommandLine, which is before the ContentClient is created. See
// crbug.com/1197147
static void SetRunRendererInProcess(bool value);
// This forces a renderer that is running "in process" to shut down.
static void ShutDownInProcessRenderer();
// Allows iteration over all the RenderProcessHosts in the browser. Note
// that each host may not be active, and therefore may have nullptr channels.
static iterator AllHostsIterator();
// Returns the RenderProcessHost given its ID. Returns nullptr if the ID does
// not correspond to a live RenderProcessHost.
static RenderProcessHost* FromID(int render_process_id);
// Returns the RenderProcessHost given its renderer's service instance ID,
// generated randomly when launching the renderer. Returns nullptr if the
// instance does not correspond to a live RenderProcessHost.
static RenderProcessHost* FromRendererInstanceId(
const base::Token& instance_id);
// Returns true if the process limit is reached. In that case, site instances
// will be assigned to an existing process host instead of a new one when
// possible (see MayReuseAndIsSuitable).
static bool IsProcessLimitReached();
// Overrides the default heuristic for limiting the max renderer process
// count. This is useful for unit testing process limit behaviors. It is
// also used to allow a command line parameter to configure the max number of
// renderer processes and should only be called once during startup.
// A value of zero means to use the default heuristic.
static void SetMaxRendererProcessCount(size_t count);
// Returns the current maximum number of renderer process hosts kept by the
// content module.
static size_t GetMaxRendererProcessCount();
// TODO(siggi): Remove once https://crbug.com/806661 is resolved.
using AnalyzeHungRendererFunction = void (*)(const base::Process& renderer);
static void SetHungRendererAnalysisFunction(
AnalyzeHungRendererFunction analyze_hung_renderer);
// Counts current RenderProcessHost(s), ignoring all spare processes.
static int GetCurrentRenderProcessCountForTesting();
// Allows tests to override host interface binding behavior. Any interface
// binding request which would normally pass through the RPH's internal
// IOThreadHostImpl::BindHostReceiver() will pass through |callback| first if
// non-null. |callback| is only called from the IO thread.
using BindHostReceiverInterceptor =
base::RepeatingCallback<void(int render_process_id,
mojo::GenericPendingReceiver* receiver)>;
static void InterceptBindHostReceiverForTesting(
BindHostReceiverInterceptor callback);
};
} // namespace content
#endif // CONTENT_PUBLIC_BROWSER_RENDER_PROCESS_HOST_H_