tor-browser

The Tor Browser

commit 8043a6d9d4bfbdb04f96f75c91a1aac208e3eab6
parent a9582148b310718125a86b373c57aaf4dc444337
Author: Jason Kratzer <jkratzer@mozilla.com>
Date:   Fri, 24 Oct 2025 15:03:02 +0000

Bug 1996116 - Add a helper function to FuzzingFunctions to kill the GPU process. r=truber,webidl,smaug

Differential Revision: https://phabricator.services.mozilla.com/D269866

Diffstat:
Mdom/base/FuzzingFunctions.cpp | 10++++++----
Mdom/base/FuzzingFunctions.h | 2++
Mdom/ipc/ContentParent.cpp | 10++++++++++
Mdom/ipc/ContentParent.h | 4++++
Mdom/ipc/PContent.ipdl | 5+++++
Mdom/webidl/FuzzingFunctions.webidl | 5+++++
6 files changed, 32 insertions(+), 4 deletions(-)

diff --git a/dom/base/FuzzingFunctions.cpp b/dom/base/FuzzingFunctions.cpp
@@ -13,6 +13,7 @@
 #include "mozilla/Sprintf.h"
 #include "mozilla/TextEvents.h"
 #include "mozilla/TextInputProcessor.h"
+#include "mozilla/dom/ContentChild.h"
 #include "mozilla/dom/KeyboardEvent.h"
 #include "nsFocusManager.h"
 #include "nsIAccessibilityService.h"
@@ -21,10 +22,6 @@
 #include "nsPIDOMWindow.h"
 #include "xpcAccessibilityService.h"
-#ifdef FUZZING_SNAPSHOT
-# include "mozilla/dom/ContentChild.h"
-#endif
-
 namespace mozilla::dom {
 /* static */
@@ -53,6 +50,11 @@ void FuzzingFunctions::Crash(const GlobalObject& aGlobalObject,
 }
 /* static */
+void FuzzingFunctions::KillGPUProcess(const GlobalObject&) {
+ ContentChild::GetSingleton()->SendKillGPUProcess();
+}
+
+/* static */
 void FuzzingFunctions::CycleCollect(const GlobalObject&) {
 nsJSContext::CycleCollectNow(CCReason::API);
 }
diff --git a/dom/base/FuzzingFunctions.h b/dom/base/FuzzingFunctions.h
@@ -30,6 +30,8 @@ class FuzzingFunctions final {
 static void Crash(const GlobalObject& aGlobalObject,
 const nsAString& aKeyValue);
+ static void KillGPUProcess(const GlobalObject&);
+
 static void CycleCollect(const GlobalObject&);
 static void MemoryPressure(const GlobalObject&);
diff --git a/dom/ipc/ContentParent.cpp b/dom/ipc/ContentParent.cpp
@@ -8060,6 +8060,16 @@ IPCResult ContentParent::RecvSignalFuzzingReady() {
 }
 #endif
+#ifdef FUZZING
+IPCResult ContentParent::RecvKillGPUProcess() {
+ gfx::GPUProcessManager* gpm = gfx::GPUProcessManager::Get();
+ if (gpm) {
+ gpm->KillProcess();
+ }
+ return IPC_OK();
+}
+#endif
+
 nsCString ThreadsafeContentParentHandle::GetRemoteType() {
 RecursiveMutexAutoLock lock(mMutex);
 return mRemoteType;
diff --git a/dom/ipc/ContentParent.h b/dom/ipc/ContentParent.h
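Review bot: In the FuzzingFunctions.cpp hunk, `KillGPUProcess` dereferences `ContentChild::GetSingleton()` without a null check, while the parent-side `RecvKillGPUProcess` added in the same commit does guard its `gpm` pointer. If this binding can be invoked from a global that does not live in a content process (not visible on this page), the singleton would presumably be null and the call would crash the calling process instead of the GPU process. I would write the body as `if (auto* cc = ContentChild::GetSingleton()) { cc->SendKillGPUProcess(); }`. The ContentChild.h include also moves out of `#ifdef FUZZING_SNAPSHOT` while the IPDL message is declared only under `#ifdef FUZZING`, so it is worth confirming that this file is compiled only when FUZZING is defined.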
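Review bot: `RecvKillGPUProcess` in the ContentParent.cpp hunk acts on a message from any content process with no check beyond the compile-time `#ifdef FUZZING`, and nothing in the hunk records that this is intentional. A parent-side handler that lets a content process take down the GPU process must never reach a non-fuzzing build, so I would add a comment above it such as `// Fuzzing-only: lets a content process ask the parent to kill the GPU process. Must stay behind FUZZING.` If the WebIDL entry point is gated on a runtime pref in fuzzing builds (not visible here), consider checking the same condition in the parent, because the IPC message itself is not covered by a child-side gate.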
@@ -1420,6 +1420,10 @@ class ContentParent final : public PContentParent,
 mozilla::ipc::IPCResult RecvSignalFuzzingReady();
 #endif
+#ifdef FUZZING
+ mozilla::ipc::IPCResult RecvKillGPUProcess();
+#endif
+
 public:
 void SendGetFilesResponseAndForget(const nsID& aID,
 const GetFilesResponseResult& aResult);
diff --git a/dom/ipc/PContent.ipdl b/dom/ipc/PContent.ipdl
@@ -1985,6 +1985,11 @@ parent:
 async SignalFuzzingReady();
 #endif
+#ifdef FUZZING
+ // Used by the child process to signal restarting the GPU process.
+ async KillGPUProcess();
+#endif
+
 async AttributionEvent(nsCString aSourceHost, PrivateAttributionImpressionType aType, uint32_t aIndex, nsString aAd, nsCString aTargetHost);
diff --git a/dom/webidl/FuzzingFunctions.webidl b/dom/webidl/FuzzingFunctions.webidl
@@ -29,6 +29,11 @@ namespace FuzzingFunctions {
 undefined crash(optional DOMString reason = "");
 /**
+ * Gracefully kill the GPU process
+ */
+ undefined killGPUProcess();
+
+ /**
 * Synchronously perform a cycle collection.
 */
 undefined cycleCollect();
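Review bot: The three descriptions of this operation disagree: the PContent.ipdl comment on `KillGPUProcess` says the child signals "restarting" the GPU process, the WebIDL doc says "Gracefully kill", and the parent handler calls `gpm->KillProcess()`. Whether the process is restarted afterwards, or shut down cleanly, is not visible in this commit, so I would word the IPDL comment after what the handler does, e.g. `// Fuzzing only: asks the parent to kill the GPU process via GPUProcessManager::KillProcess().` I would also drop "Gracefully" from the WebIDL doc unless KillProcess() is in fact a clean shutdown.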