ChannelLinux: shared mem circular buffer + eventfd trigger

This CL introduces a Linux specific mojo channel which can
use a shared memory circular buffer and an eventfd to trigger the other
side to read. For more context on this change, please see the doc: go/cros-mojo.

In multiprocess micro-benchmarks this change improves message latency by 30-40%.

Bug: b:173022729
Change-Id: I6771a18220cbea36a208f28eb1b046712770d7a7
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2500951
Reviewed-by: Yaron Friedman <yfriedman@chromium.org>
Reviewed-by: Robert Sesek <rsesek@chromium.org>
Reviewed-by: Matthew Denton <mpdenton@chromium.org>
Reviewed-by: Ken Rockot <rockot@google.com>
Commit-Queue: Brian Geffon <bgeffon@chromium.org>
Cr-Commit-Position: refs/heads/master@{#847646}

base/memory/shared_memory_security_policy.h

@@ -7,8 +7,15 @@
 
 #include <stddef.h>
 
+#include "base/base_export.h"
 #include "base/compiler_specific.h"
 
+namespace mojo {
+namespace core {
+class ChannelLinux;
+}  // namespace core
+}  // namespace mojo
+
 namespace base {
 
 namespace subtle {
@@ -19,10 +26,11 @@ class PlatformSharedMemoryRegion;
 // mapped. This can help prevent an attacker from spraying the address space of
 // a process with shared memory mappings to bypass ASLR. For more details, see
 // https://googleprojectzero.blogspot.com/2019/04/virtually-unlimited-memory-escaping.html
-class SharedMemorySecurityPolicy {
+class BASE_EXPORT SharedMemorySecurityPolicy {
  private:
   friend class subtle::PlatformSharedMemoryRegion;
   friend class SharedMemoryMapping;
+  friend class mojo::core::ChannelLinux;
 
   // Checks that a mapping with |size| can be created. Returns false if there is
   // an overflow in internal calculations, or the max limit has been reached.

chrome/browser/BUILD.gn

@@ -2307,6 +2307,7 @@ static_library("browser") {
     "//media/mojo/services",
     "//media/webrtc",
     "//mojo/core/embedder",
+    "//mojo/core/embedder:features",
     "//mojo/public/cpp/bindings",
     "//net",
     "//net:extras",

chrome/browser/DEPS

@@ -528,4 +528,7 @@ specific_include_rules = {
   "chrome_content_browser_client\.cc" : [
     "+content/public/browser/tts_controller.h",
   ],
+  "about_flags\.cc" : [
+    "+mojo/core/embedder/features.h",
+  ]
 }

chrome/browser/about_flags.cc

@@ -157,6 +157,7 @@
 #include "media/media_buildflags.h"
 #include "media/midi/midi_switches.h"
 #include "media/webrtc/webrtc_switches.h"
+#include "mojo/core/embedder/features.h"
 #include "net/base/features.h"
 #include "net/net_buildflags.h"
 #include "net/nqe/effective_connection_type.h"
@@ -3232,6 +3233,13 @@ const FeatureEntry kFeatureEntries[] = {
      FEATURE_VALUE_TYPE(performance_manager::features::kDynamicTcmallocTuning)},
 #endif  // BUILDFLAG(USE_TCMALLOC)
 #endif  // BUILDFLAG(IS_CHROMEOS_ASH)
+#if (defined(OS_CHROMEOS) || defined(OS_LINUX) || defined(OS_ANDROID)) && \
+    !defined(OS_NACL)
+    {"mojo-linux-sharedmem", flag_descriptions::kMojoLinuxChannelSharedMemName,
+     flag_descriptions::kMojoLinuxChannelSharedMemDescription,
+     kOsCrOS | kOsLinux | kOsAndroid,
+     FEATURE_VALUE_TYPE(mojo::core::kMojoLinuxChannelSharedMem)},
+#endif
 #if defined(OS_ANDROID)
     {"enable-site-isolation-for-password-sites",
      flag_descriptions::kSiteIsolationForPasswordSitesName,

chrome/browser/flag-metadata.json

@@ -3415,6 +3415,11 @@
     "owners": [ "nazerke", "bling-flags@google.com" ],
     "expiry_milestone": 92
   },
+  {
+    "name": "mojo-linux-sharedmem",
+    "owners": ["bgeffon", "rockot"],
+    "expiry_milestone": 99
+  },
   {
     "name": "mouse-subframe-no-implicit-capture",
     "owners": [ "eirage", "nzolghadr", "input-dev" ],

chrome/browser/flag_descriptions.cc

@@ -1433,6 +1433,12 @@ const char kMobilePwaInstallUseBottomSheetName[] =
 const char kMobilePwaInstallUseBottomSheetDescription[] =
     "Enables use of a rich bottom sheet when offering mobile PWA installation.";
 
+const char kMojoLinuxChannelSharedMemName[] =
+    "Enable Mojo Shared Memory Channel";
+const char kMojoLinuxChannelSharedMemDescription[] =
+    "If enabled Mojo on Linux based platforms can use shared memory as an "
+    "alternate channel for most messages.";
+
 const char kMouseSubframeNoImplicitCaptureName[] =
     "Disable mouse implicit capture for iframe";
 const char kMouseSubframeNoImplicitCaptureDescription[] =

chrome/browser/flag_descriptions.h

@@ -847,6 +847,9 @@ extern const char kMobileIdentityConsistencyVarDescription[];
 extern const char kMobilePwaInstallUseBottomSheetName[];
 extern const char kMobilePwaInstallUseBottomSheetDescription[];
 
+extern const char kMojoLinuxChannelSharedMemName[];
+extern const char kMojoLinuxChannelSharedMemDescription[];
+
 extern const char kMouseSubframeNoImplicitCaptureName[];
 extern const char kMouseSubframeNoImplicitCaptureDescription[];
 

mojo/core/BUILD.gn

@@ -105,6 +105,7 @@ template("core_impl_source_set") {
 
     public_deps = [
       "//base",
+      "//mojo/core/embedder:features",
       "//mojo/core/ports",
       "//mojo/public/c/system:headers",
       "//mojo/public/cpp/platform",
@@ -124,6 +125,15 @@ template("core_impl_source_set") {
           "channel_posix.h",
         ]
       }
+
+      if ((is_linux || is_chromeos || is_android) && !is_nacl) {
+        sources += [
+          "channel_linux.cc",
+          "channel_linux.h",
+        ]
+
+        public += [ "channel_linux.h" ]
+      }
     }
 
     if (is_mac) {

mojo/core/channel.cc

@@ -480,9 +480,7 @@ class Channel::ReadBuffer {
     data_ = MakeAlignedBuffer(size_);
   }
 
-  ~ReadBuffer() {
-    DCHECK(data_);
-  }
+  ~ReadBuffer() { DCHECK(data_); }
 
   const char* occupied_bytes() const {
     return data_.get() + num_discarded_bytes_;
@@ -729,5 +727,19 @@ bool Channel::OnControlMessage(Message::MessageType message_type,
   return false;
 }
 
+// Currently only Non-nacl CrOs, Linux, and Android support upgrades.
+#if defined(OS_NACL) || \
+    (!(defined(OS_CHROMEOS) || defined(OS_LINUX) || defined(OS_ANDROID)))
+// static
+MOJO_SYSTEM_IMPL_EXPORT bool Channel::SupportsChannelUpgrade() {
+  return false;
+}
+
+MOJO_SYSTEM_IMPL_EXPORT void Channel::OfferChannelUpgrade() {
+  NOTREACHED();
+  return;
+}
+#endif
+
 }  // namespace core
 }  // namespace mojo

mojo/core/channel.h

@@ -76,6 +76,16 @@ class MOJO_SYSTEM_IMPL_EXPORT Channel
 #endif
       // A normal message that uses Header and can contain extra header values.
       NORMAL,
+
+      // The UPGRADE_OFFER control message offers to upgrade the channel to
+      // another side who has advertised support for an upgraded channel.
+      UPGRADE_OFFER,
+      // The UPGRADE_ACCEPT control message is returned when an upgrade offer is
+      // accepted.
+      UPGRADE_ACCEPT,
+      // The UPGRADE_REJECT control message is returned when the receiver cannot
+      // or chooses not to upgrade the channel.
+      UPGRADE_REJECT,
     };
 
 #pragma pack(push, 1)
@@ -281,7 +291,15 @@ class MOJO_SYSTEM_IMPL_EXPORT Channel
 #if defined(OS_POSIX) && !defined(OS_NACL) && !defined(OS_MAC)
   // At this point only ChannelPosix needs InitFeatures.
   static void set_posix_use_writev(bool use_writev);
-#endif
+#endif  // defined(OS_POSIX) && !defined(OS_NACL) && !defined(OS_MAC)
+
+  // SupportsChannelUpgrade will return true if this channel is capable of being
+  // upgraded.
+  static bool SupportsChannelUpgrade();
+
+  // OfferChannelUpgrade will inform this channel that it should offer an
+  // upgrade to the remote.
+  void OfferChannelUpgrade();
 
   // Allows the caller to change the Channel's HandlePolicy after construction.
   void set_handle_policy(HandlePolicy policy) { handle_policy_ = policy; }
@@ -328,6 +346,9 @@ class MOJO_SYSTEM_IMPL_EXPORT Channel
 
   Delegate* delegate() const { return delegate_; }
 
+  // Allows the caller to determine the current HandlePolicy.
+  HandlePolicy handle_policy() const { return handle_policy_; }
+
   // Called by the implementation when it wants somewhere to stick data.
   // |*buffer_capacity| may be set by the caller to indicate the desired buffer
   // size. If 0, a sane default size will be used instead.