Electrolysis/Errors and Shutdown
The chrome process should remain stable even when the content process crashes, hangs, or becomes otherwise unusable.
If a malformed or otherwise illegal message is sent across the IPC wire, no recovery should be attempted: the child process should be immediately terminated as if it crashed.
When a content process is intentionally no longer needed, it should shut down. In release builds, there is no reason to shut down "cleanly", and the content process can just _abort(). In debug/leaktesting builds, the content process should perform a full shutdown so that leak testing can verify that there are no leaked objects.
Q.jjb How will extensions and debuggers know that the content process is exiting in a release build?
A.bsmedberg It won't. Why would it need to know?
IPDL Notifications
On both the Parent and Child side, IPDL will notify protocol actors when a connection shuts down:
    enum IPCShutdownReason {
      IPCShutdownNormal,
      IPCShutdownProtocolError,
      IPCShutdownCrash,
      IPCShutdownHang
    };

    virtual void ActorProtocolParent::Shutdown(IPCShutdownReason reason) = 0;

    virtual void ActorProtocolChild::Shutdown() {
      // the default child implementation asserts
      NS_ASSERTION(false, "Subobject was not destroyed before shutdown.");
    }
Note that child actors will only be notified about normal shutdown, and only in debug/leak builds (in all other cases the child process will simply abort).
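The parent-side policy described above (an illegal message ends the connection with no recovery, and every parent actor is told why) can be sketched as follows. This is an added example, not Mozilla's IPDL code: `Message`, `ParentActor`, `ParentChannel`, `kMaxType` and the length check are hypothetical, and killing the child is represented by a flag.

```cpp
#include <cstddef>
#include <cstdint>
#include <utility>
#include <vector>

enum IPCShutdownReason { IPCShutdownNormal, IPCShutdownProtocolError,
                         IPCShutdownCrash, IPCShutdownHang };

// Hypothetical wire message: a type id and the payload length the sender claims.
struct Message { uint32_t type; uint32_t claimedLen; std::vector<uint8_t> payload; };

// Hypothetical parent-side actor that records the notification it receives.
struct ParentActor {
  int notifications = 0;
  IPCShutdownReason reason = IPCShutdownNormal;
  void Shutdown(IPCShutdownReason r) { ++notifications; reason = r; }
};

class ParentChannel {
 public:
  static constexpr uint32_t kMaxType = 4;  // assumed number of message types
  explicit ParentChannel(std::vector<ParentActor*> actors) : mActors(std::move(actors)) {}

  // Returns true only if the message was dispatched to the protocol.
  bool OnMessageFromChild(const Message& m) {
    if (!mOpen) return false;            // nothing more is accepted from a dead channel
    if (m.type >= kMaxType || m.claimedLen != m.payload.size()) {
      mChildKilled = true;               // stand-in for terminating the child process
      Close(IPCShutdownProtocolError);   // no resync, no error reply, no retry
      return false;
    }
    ++mDispatched;
    return true;
  }
  // Called when the OS reports that the child is gone.
  void OnChildExited(bool intentional) { Close(intentional ? IPCShutdownNormal : IPCShutdownCrash); }

  bool childKilled() const { return mChildKilled; }
  int dispatched() const { return mDispatched; }

 private:
  void Close(IPCShutdownReason r) {
    if (!mOpen) return;                  // actors are notified exactly once
    mOpen = false;
    for (ParentActor* a : mActors) a->Shutdown(r);
  }
  std::vector<ParentActor*> mActors;
  bool mOpen = true, mChildKilled = false;
  int mDispatched = 0;
};
```

Because `Close` is idempotent, the process-exit event that follows the kill does not overwrite the original `IPCShutdownProtocolError` reason with `IPCShutdownCrash`.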