Home | History | Annotate | Download | only in system 
      1 // Copyright 2014 The Chromium Authors. All rights reserved.
      2 // Use of this source code is governed by a BSD-style license that can be
      3 // found in the LICENSE file.
      4 
      5 // Functions to help with verifying various |Mojo...Options| structs from the
      6 // (public, C) API. These are "extensible" structs, which all have |struct_size|
      7 // as their first member. All fields (other than |struct_size|) are optional,
      8 // but any |flags| specified must be known to the system (otherwise, an error of
      9 // |MOJO_RESULT_UNIMPLEMENTED| should be returned).
     10 
     11 #ifndef MOJO_SYSTEM_OPTIONS_VALIDATION_H_
     12 #define MOJO_SYSTEM_OPTIONS_VALIDATION_H_
     13 
     14 #include <stddef.h>
     15 #include <stdint.h>
     16 
     17 #include <algorithm>
     18 
     19 #include "base/logging.h"
     20 #include "base/macros.h"
     21 #include "mojo/public/c/system/types.h"
     22 #include "mojo/system/constants.h"
     23 #include "mojo/system/memory.h"
     24 #include "mojo/system/system_impl_export.h"
     25 
     26 namespace mojo {
     27 namespace system {
     28 
     29 template <class Options>
     30 class UserOptionsReader {
     31  public:
     32   // Constructor from a |UserPointer<const Options>| (which it checks -- this
     33   // constructor has side effects!).
     34   // Note: We initialize |options_reader_| without checking, since we do a check
     35   // in |GetSizeForReader()|.
     36   explicit UserOptionsReader(UserPointer<const Options> options)
     37       : options_reader_(UserPointer<const char>::Reader::NoCheck(),
     38                         options.template ReinterpretCast<const char>(),
     39                         GetSizeForReader(options)) {
     40     static_assert(offsetof(Options, struct_size) == 0,
     41                   "struct_size not first member of Options");
     42     // TODO(vtl): Enable when MSVC supports this (C++11 extended sizeof):
     43     //   static_assert(sizeof(Options::struct_size) == sizeof(uint32_t),
     44     //                 "Options::struct_size not a uint32_t");
     45     // (Or maybe assert that its type is uint32_t?)
     46   }
     47 
     48   bool is_valid() const { return !!options_reader_.GetPointer(); }
     49 
     50   const Options& options() const {
     51     DCHECK(is_valid());
     52     return *reinterpret_cast<const Options*>(options_reader_.GetPointer());
     53   }
     54 
     55   // Checks that the given (variable-size) |options| passed to the constructor
     56   // (plausibly) has a member at the given offset with the given size. You
     57   // probably want to use |OPTIONS_STRUCT_HAS_MEMBER()| instead.
     58   bool HasMember(size_t offset, size_t size) const {
     59     DCHECK(is_valid());
     60     // We assume that |offset| and |size| are reasonable, since they should come
     61     // from |offsetof(Options, some_member)| and |sizeof(Options::some_member)|,
     62     // respectively.
     63     return options().struct_size >= offset + size;
     64   }
     65 
     66  private:
     67   static inline size_t GetSizeForReader(UserPointer<const Options> options) {
     68     uint32_t struct_size =
     69         options.template ReinterpretCast<const uint32_t>().Get();
     70     if (struct_size < sizeof(uint32_t))
     71       return 0;
     72 
     73     // Check the full requested size.
     74     // Note: Use |MOJO_ALIGNOF()| here to match the exact macro used in the
     75     // declaration of Options structs.
     76     internal::CheckUserPointerWithSize<MOJO_ALIGNOF(Options)>(options.pointer_,
     77                                                               struct_size);
     78     options.template ReinterpretCast<const char>().CheckArray(struct_size);
     79     // But we'll never look at more than |sizeof(Options)| bytes.
     80     return std::min(static_cast<size_t>(struct_size), sizeof(Options));
     81   }
     82 
     83   UserPointer<const char>::Reader options_reader_;
     84 
     85   DISALLOW_COPY_AND_ASSIGN(UserOptionsReader);
     86 };
     87 
     88 // Macro to invoke |UserOptionsReader<Options>::HasMember()| parametrized by
     89 // member name instead of offset and size.
     90 //
     91 // (We can't just give |HasMember()| a member pointer template argument instead,
     92 // since there's no good/strictly-correct way to get an offset from that.)
     93 //
     94 // TODO(vtl): With C++11, use |sizeof(Options::member)| instead of (the
     95 // contortion below). We might also be able to pull out the type |Options| from
     96 // |reader| (using |decltype|) instead of requiring a parameter.
     97 #define OPTIONS_STRUCT_HAS_MEMBER(Options, member, reader) \
     98   reader.HasMember(offsetof(Options, member), sizeof(reader.options().member))
     99 
    100 }  // namespace system
    101 }  // namespace mojo
    102 
    103 #endif  // MOJO_SYSTEM_OPTIONS_VALIDATION_H_
    104