1 // Copyright 2014 The Chromium Authors. All rights reserved. 2 // Use of this source code is governed by a BSD-style license that can be 3 // found in the LICENSE file. 4 5 // Functions to help with verifying various |Mojo...Options| structs from the 6 // (public, C) API. These are "extensible" structs, which all have |struct_size| 7 // as their first member. All fields (other than |struct_size|) are optional, 8 // but any |flags| specified must be known to the system (otherwise, an error of 9 // |MOJO_RESULT_UNIMPLEMENTED| should be returned). 10 11 #ifndef MOJO_EDK_SYSTEM_OPTIONS_VALIDATION_H_ 12 #define MOJO_EDK_SYSTEM_OPTIONS_VALIDATION_H_ 13 14 #include <stddef.h> 15 #include <stdint.h> 16 17 #include <algorithm> 18 19 #include "base/logging.h" 20 #include "base/macros.h" 21 #include "mojo/edk/system/system_impl_export.h" 22 #include "mojo/public/c/system/types.h" 23 24 namespace mojo { 25 namespace edk { 26 27 template <class Options> 28 class UserOptionsReader { 29 public: 30 // Constructor from a |const* Options| (which it checks -- this constructor 31 // has side effects!). 32 // Note: We initialize |options_reader_| without checking, since we do a check 33 // in |GetSizeForReader()|. 34 explicit UserOptionsReader(const Options* options) { 35 CHECK(options && IsAligned<MOJO_ALIGNOF(Options)>(options)); 36 options_ = GetSizeForReader(options) == 0 ? nullptr : options; 37 static_assert(offsetof(Options, struct_size) == 0, 38 "struct_size not first member of Options"); 39 // TODO(vtl): Enable when MSVC supports this (C++11 extended sizeof): 40 // static_assert(sizeof(Options::struct_size) == sizeof(uint32_t), 41 // "Options::struct_size not a uint32_t"); 42 // (Or maybe assert that its type is uint32_t?) 43 } 44 45 bool is_valid() const { return !!options_; } 46 47 const Options& options() const { 48 DCHECK(is_valid()); 49 return *options_; 50 } 51 52 // Checks that the given (variable-size) |options| passed to the constructor 53 // (plausibly) has a member at the given offset with the given size. You 54 // probably want to use |OPTIONS_STRUCT_HAS_MEMBER()| instead. 55 bool HasMember(size_t offset, size_t size) const { 56 DCHECK(is_valid()); 57 // We assume that |offset| and |size| are reasonable, since they should come 58 // from |offsetof(Options, some_member)| and |sizeof(Options::some_member)|, 59 // respectively. 60 return options().struct_size >= offset + size; 61 } 62 63 private: 64 static inline size_t GetSizeForReader(const Options* options) { 65 uint32_t struct_size = *reinterpret_cast<const uint32_t*>(options); 66 if (struct_size < sizeof(uint32_t)) 67 return 0; 68 69 return std::min(static_cast<size_t>(struct_size), sizeof(Options)); 70 } 71 72 template <size_t alignment> 73 static bool IsAligned(const void* pointer) { 74 return reinterpret_cast<uintptr_t>(pointer) % alignment == 0; 75 } 76 77 const Options* options_; 78 79 DISALLOW_COPY_AND_ASSIGN(UserOptionsReader); 80 }; 81 82 // Macro to invoke |UserOptionsReader<Options>::HasMember()| parametrized by 83 // member name instead of offset and size. 84 // 85 // (We can't just give |HasMember()| a member pointer template argument instead, 86 // since there's no good/strictly-correct way to get an offset from that.) 87 // 88 // TODO(vtl): With C++11, use |sizeof(Options::member)| instead of (the 89 // contortion below). We might also be able to pull out the type |Options| from 90 // |reader| (using |decltype|) instead of requiring a parameter. 91 #define OPTIONS_STRUCT_HAS_MEMBER(Options, member, reader) \ 92 reader.HasMember(offsetof(Options, member), sizeof(reader.options().member)) 93 94 } // namespace edk 95 } // namespace mojo 96 97 #endif // MOJO_EDK_SYSTEM_OPTIONS_VALIDATION_H_ 98
