Electrolysis/Errors and Shutdown

From MozillaWiki

The chrome process should remain stable even when the content process crashes, hangs, or becomes otherwise unusable.

If a malformed or otherwise illegal message is sent across the IPC wire, no recovery should be attempted: the child process should be immediately terminated as if it crashed.

When a content process is deliberately no longer needed, it should shut down. In release builds there is no reason to shut down "cleanly": the content process can simply _abort() without running any teardown. In debug/leak-testing builds the content process should instead perform a full, orderly shutdown so that leak testing can verify that no objects were leaked.

Q (jjb): How will extensions and debuggers know that the content process is exiting in a release build?
A (bsmedberg): It won't. Why would it need to know?

IPDL Notifications

On both the Parent and Child side, IPDL will notify protocol actors when a connection shuts down:

enum IPCShutdownReason {
  IPCShutdownNormal,
  IPCShutdownProtocolError,
  IPCShutdownCrash,
  IPCShutdownHang
};

class ActorProtocolParent {
public:
  // Parent actors must handle every reason: normal, protocol error,
  // crash and hang are all delivered on this side.
  virtual void Shutdown(IPCShutdownReason reason) = 0;
};

class ActorProtocolChild {
public:
  // Child actors only ever see a normal shutdown, and only in
  // debug/leak builds. The default implementation asserts, because a
  // sub-object that is still alive at this point is a leak.
  virtual void Shutdown() {
    NS_ASSERTION(false, "Subobject was not destroyed before shutdown.");
  }
};

Note that child actors will only be notified about normal shutdown, and only in debug/leak builds (in all other cases the child process will simply abort).
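The rules above, both the "no recovery on an illegal message" policy and the parent-side Shutdown(reason) notification, as an added example written for this page rather than code from the Electrolysis tree. The two-byte wire format ([type][len][payload]), the message types kPing/kData, the ChildProcess stand-in and the ContentParent class are all assumptions for illustration; the real IPDL-generated actors and the real kill path are not shown.

```cpp
// Added example, not Mozilla code. Models a parent-side actor that refuses to
// recover from a malformed message: it terminates the child as if it had
// crashed and reports IPCShutdownProtocolError. All names are hypothetical.
#include <cstdint>
#include <cstdio>
#include <vector>

enum IPCShutdownReason {
  IPCShutdownNormal,
  IPCShutdownProtocolError,
  IPCShutdownCrash,
  IPCShutdownHang
};

// Assumed wire format for this example: [type:1][len:1][payload:len bytes]
struct Message { std::vector<uint8_t> bytes; };
enum MsgType : uint8_t { kPing = 1, kData = 2 };  // assumed message types

// Stand-in for the content process; we only track whether it is alive.
struct ChildProcess {
  bool alive = true;
  void KillHard() { alive = false; }  // terminate as if it had crashed
};

class ActorProtocolParent {
public:
  virtual ~ActorProtocolParent() {}
  virtual void Shutdown(IPCShutdownReason reason) = 0;
};

class ContentParent : public ActorProtocolParent {
public:
  explicit ContentParent(ChildProcess* child) : mChild(child) {}

  // Returns true only if the message was well-formed and handled.
  bool Receive(const Message& msg) {
    if (mShutdownReason >= 0) return false;   // connection already torn down
    if (!IsWellFormed(msg)) {
      // Illegal message: no recovery attempted, child dies immediately.
      mChild->KillHard();
      Shutdown(IPCShutdownProtocolError);
      return false;
    }
    mHandled++;
    return true;
  }

  void OnChildCrashed() { Shutdown(IPCShutdownCrash); }
  void OnChildUnresponsive(unsigned waitedMs, unsigned limitMs) {
    if (waitedMs >= limitMs) { mChild->KillHard(); Shutdown(IPCShutdownHang); }
  }
  void OnNormalShutdown() { Shutdown(IPCShutdownNormal); }

  // The first reason recorded wins; later events must not mask it.
  void Shutdown(IPCShutdownReason reason) override {
    if (mShutdownReason < 0) mShutdownReason = reason;
  }

  int shutdownReason() const { return mShutdownReason; }
  int handled() const { return mHandled; }

private:
  static bool IsWellFormed(const Message& m) {
    if (m.bytes.size() < 2) return false;           // header missing
    uint8_t type = m.bytes[0], len = m.bytes[1];
    if (type != kPing && type != kData) return false; // unknown type
    if (m.bytes.size() != 2u + len) return false;     // declared len must match
    if (type == kPing && len != 0) return false;      // ping carries no payload
    return true;
  }
  ChildProcess* mChild;
  int mShutdownReason = -1;  // -1 means the connection is still up
  int mHandled = 0;
};

struct ScenarioResult { int reason; bool childAlive; int handled; };

// Constructed input: two valid messages, then one whose declared length
// exceeds its payload, then a valid message that must be ignored.
ScenarioResult RunProtocolErrorScenario() {
  ChildProcess child;
  ContentParent parent(&child);
  parent.Receive(Message{{kPing, 0}});
  parent.Receive(Message{{kData, 3, 'a', 'b', 'c'}});
  parent.Receive(Message{{kData, 5, 'x'}});  // claims 5 bytes, carries 1
  parent.Receive(Message{{kPing, 0}});       // dropped: connection is dead
  return ScenarioResult{parent.shutdownReason(), child.alive, parent.handled()};
}

// Constructed input: the child stops answering and the hang limit is hit,
// after which a crash report must not overwrite the recorded reason.
ScenarioResult RunHangScenario() {
  ChildProcess child;
  ContentParent parent(&child);
  parent.OnChildUnresponsive(30000, 30000);
  parent.OnChildCrashed();
  return ScenarioResult{parent.shutdownReason(), child.alive, parent.handled()};
}

int main() {
  ScenarioResult r = RunProtocolErrorScenario();
  std::printf("reason=%d childAlive=%d handled=%d\n", r.reason, r.childAlive, r.handled);
  return 0;
}
```

The point the example makes is that validation failure is terminal: the parent never tries to resynchronise or skip the bad message, and anything the child sends afterwards is discarded. Child actors get no Shutdown() call in either scenario, matching the note above that they are only notified on a normal shutdown in debug/leak builds.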