| blob | 2a0c64de20dda4a43ffbf9a1d895bfc95b0092fe |
1 /* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
2 /* vim: set ts=8 sts=2 et sw=2 tw=80: */
3 /* This Source Code Form is subject to the terms of the Mozilla Public
4 * License, v. 2.0. If a copy of the MPL was not distributed with this
5 * file, You can obtain one at https://mozilla.org/MPL/2.0/. */
7 #ifndef mozilla_ipc_ProtocolUtils_h
8 #define mozilla_ipc_ProtocolUtils_h
10 #include <cstddef>
11 #include <cstdint>
12 #include <utility>
37 // XXX Things that could be moved to ProtocolUtils.cpp
41 #if defined(ANDROID) && defined(DEBUG)
42 # include <android/log.h>
43 #endif
48 // WARNING: this takes into account the private, special-message-type
49 // enum in ipc_channel.h. They need to be kept in sync.
51 // XXX the max message ID is actually kuint32max now ... when this
52 // changed, the assumptions of the special message IDs changed in that
53 // they're not carving out messages from likely-unallocated space, but
54 // rather carving out messages from the end of space allocated to
55 // protocol 0. Oops! We can get away with this until protocol 0
56 // starts approaching its 65,536th message.
58 // Message types used by DataPipe
62 // Message types used by NodeChannel
69 // Message types used by MessageChannel
81 // kuint16max - 1 is used by ipc_channel.h.
82 };
106 // Used to pass references to protocol actors across the wire.
107 // Actors created on the parent-side have a positive ID, and actors
108 // allocated on the child side have a negative ID.
111 };
113 // What happens if Interrupt calls race?
117 // The actor has not established a link yet, or the actor is no longer in use
118 // by IPC, and its 'Dealloc' method has been called or is being called.
119 //
120 // NOTE: This state is used instead of an explicit `Freed` state when IPC no
121 // longer holds references to the current actor as we currently re-open
122 // existing actors. Once we fix these poorly behaved actors, this loopback
123 // state can be split to have the final state not be the same as the initial
124 // state.
125 Inactive,
127 // A live link is connected to the other side of this actor.
128 Connected,
130 // The link has begun being destroyed. Messages may still be received, but
131 // cannot be sent. (exception: sync/intr replies may be sent while Doomed).
132 Doomed,
134 // The link has been destroyed, and messages will no longer be sent or
135 // received.
136 Destroyed,
137 };
141 // Generated by IPDL compiler
154 FailedConstructor,
155 Deletion,
156 AncestorDeletion,
157 NormalShutdown,
158 AbnormalShutdown,
159 ManagedEndpointDropped
160 };
177 // The following methods either directly forward to the toplevel protocol, or
178 // almost directly do.
193 // Get the nsISerialEventTarget which all messages sent to this actor will be
194 // processed on. Unless stated otherwise, all operations on IProtocol which
195 // don't occur on this `nsISerialEventTarget` are unsafe.
198 // Actor lifecycle and other properties.
213 }
215 // Remove or deallocate a managee given its type.
245 // We have separate functions because the accessibility code manually
246 // calls SetManager.
249 // Sets the manager for the protocol and registers the protocol with
250 // its manager, setting up channels for the protocol as well. Not
251 // for use outside of IPDL.
255 // Helpers for calling `Send` on our underlying IPC channel.
270 }
271 }
273 // Collect all actors managed by this object in an array. To make this safer
274 // to iterate, `ActorLifecycleProxy` references are returned rather than raw
275 // actor pointers.
281 // Internal method called when the actor becomes connected.
284 // Called immediately before setting the actor state to doomed, and triggering
285 // async actor destruction. Messages may be sent from this callback, but no
286 // later.
287 // FIXME(nika): This is currently unused!
291 // Called when the actor has been destroyed due to an error, a __delete__
292 // message, or a __doom__ reply.
296 // Called when IPC has acquired its first reference to the actor. This method
297 // may take references which will later be freed by `ActorDealloc`.
300 // Called when IPC has released its final reference to the actor. It will call
301 // the dealloc method, causing the actor to be actually freed.
302 //
303 // The actor has been freed after this method returns.
310 #ifdef DEBUG
312 #else
314 #endif
317 ProtocolId mProtocolId;
318 Side mSide;
319 LinkStatus mLinkStatus;
323 };
325 #define IPC_OK() mozilla::ipc::IPCResult::Ok()
326 #define IPC_FAIL(actor, why) \
327 mozilla::ipc::IPCResult::Fail(WrapNotNull(actor), __func__, (why))
328 #define IPC_FAIL_NO_REASON(actor) \
329 mozilla::ipc::IPCResult::Fail(WrapNotNull(actor), __func__)
331 /*
332 * IPC_FAIL_UNSAFE_PRINTF(actor, format, ...)
333 *
334 * Create a failure IPCResult with a dynamic reason-string.
335 *
336 * @note This macro causes data collection because IPC failure reasons may be
337 * sent to crash-stats, where they are publicly visible. Firefox data stewards
338 * must do data review on usages of this macro.
339 */
340 #define IPC_FAIL_UNSAFE_PRINTF(actor, format, ...) \
341 mozilla::ipc::IPCResult::FailUnsafePrintfImpl( \
342 WrapNotNull(actor), __func__, nsPrintfCString(format, ##__VA_ARGS__))
344 /**
345 * All message deserializers and message handlers should return this type via
346 * the above macros. We use a less generic name here to avoid conflict with
347 * `mozilla::Result` because we have quite a few `using namespace mozilla::ipc;`
348 * in the code base.
349 *
350 * Note that merely constructing a failure-result, whether directly or via the
351 * IPC_FAIL macros, causes the associated error message to be processed
352 * immediately.
353 */
358 // IPC failure messages can sometimes end up in telemetry. As such, to avoid
359 // accidentally exfiltrating sensitive information without a data review, we
360 // require that they be constant strings.
365 }
369 }
373 // Only used by IPC_FAIL_UNSAFE_PRINTF (q.v.). Do not call this directly. (Or
374 // at least get data-review's approval if you do.)
380 }
388 };
398 /**
399 * All refcounted protocols should inherit this class.
400 */
403 NS_INLINE_DECL_PURE_VIRTUAL_REFCOUNTING
406 };
408 /**
409 * All top-level protocols should inherit this class.
410 *
411 * IToplevelProtocol tracks all top-level protocol actors created from
412 * this protocol actor.
413 */
420 Side aSide);
424 // Shadow methods on IProtocol which are implemented directly on toplevel
425 // actors.
453 // Open a toplevel actor such that both ends of the actor's channel are on
454 // the same thread. This method should be called on the thread to perform
455 // the link.
456 //
457 // WARNING: Attempting to send a sync or intr message on the same thread
458 // will crash.
462 /**
463 * This sends a special message that is processed on the IO thread, so that
464 * other actors can know that the process will soon shutdown.
465 */
478 // WARNING: This function is called with the MessageChannel monitor held.
481 // The code here is only useful for fuzzing. It should not be used for any
482 // other purpose.
483 #ifdef DEBUG
484 // Returns true if we should simulate a timeout.
485 // WARNING: This is a testing-only function that is called with the
486 // MessageChannel monitor held. Don't do anything fancy here or we could
487 // deadlock.
490 // Returns true if we want to cause the worker thread to sleep with the
491 // monitor unlocked.
494 // This function should be implemented to sleep for some amount of time on
495 // the worker thread. Will only be called if NeedArtificialSleep() returns
496 // true.
498 #else
502 #endif
522 // NOTE NOTE NOTE
523 // Used to be on mState
528 MessageChannel mChannel;
529 };
536 };
538 #define FORWARD_SHMEM_ALLOCATOR_TO(aImplClass) \
539 virtual bool AllocShmem(size_t aSize, mozilla::ipc::Shmem* aShmem) \
540 override { \
541 return aImplClass::AllocShmem(aSize, aShmem); \
542 } \
543 virtual bool AllocUnsafeShmem(size_t aSize, mozilla::ipc::Shmem* aShmem) \
544 override { \
545 return aImplClass::AllocUnsafeShmem(aSize, aShmem); \
546 } \
547 virtual bool DeallocShmem(mozilla::ipc::Shmem& aShmem) override { \
548 return aImplClass::DeallocShmem(aShmem); \
549 }
552 #if defined(DEBUG) || defined(FUZZING)
554 #else
556 #endif
557 }
559 #if defined(DEBUG) || defined(FUZZING)
562 #endif
566 #if defined(DEBUG) || defined(FUZZING)
569 #else
571 #endif
572 }
578 MessageDirection aDirection);
582 // IPC::MessageReader and IPC::MessageWriter call this function for FatalError
583 // calls which come from serialization/deserialization.
586 // The code generator calls this function for errors which come from the
587 // methods of protocols. Doing this saves codesize by making the error
588 // cases significantly smaller.
591 // The code generator calls this function for errors which are not
592 // protocol-specific: errors in generated struct methods or errors in
593 // transition functions, for instance. Doing this saves codesize by
594 // by making the error cases significantly smaller.
611 /**
612 * Annotate the crash reporter with the error code from the most recent system
613 * call. Returns the system error.
614 */
617 // The ActorLifecycleProxy is a helper type used internally by IPC to maintain a
618 // maybe-owning reference to an IProtocol object. For well-behaved actors
619 // which are not freed until after their `Dealloc` method is called, a
620 // reference to an actor's `ActorLifecycleProxy` object is an owning one, as the
621 // `Dealloc` method will only be called when all references to the
622 // `ActorLifecycleProxy` are released.
623 //
624 // Unfortunately, some actors may be destroyed before their `Dealloc` method
625 // is called. For these actors, `ActorLifecycleProxy` acts as a weak pointer,
626 // and will begin to return `nullptr` from its `Get()` method once the
627 // corresponding actor object has been destroyed.
628 //
629 // When calling a `Recv` method, IPC will hold a `ActorLifecycleProxy` reference
630 // to the target actor, meaning that well-behaved actors can behave as though a
631 // strong reference is being held.
632 //
633 // Generic IPC code MUST treat ActorLifecycleProxy references as weak
634 // references!
654 // Hold a reference to the actor's manager's ActorLifecycleProxy to help
655 // prevent it from dying while we're still alive!
658 // When requested, the current self-referencing weak reference for this
659 // ActorLifecycleProxy.
661 };
663 // Unlike ActorLifecycleProxy, WeakActorLifecycleProxy only holds a weak
664 // reference to both the proxy and the actual actor, meaning that holding this
665 // type will not attempt to keep the actor object alive.
666 //
667 // This type is safe to hold on threads other than the actor's thread, but is
668 // _NOT_ safe to access on other threads, as actors and ActorLifecycleProxy
669 // objects are not threadsafe.
674 // May only be called on the actor's event target.
675 // Will return `nullptr` if the actor has already been destroyed from IPC's
676 // point of view.
679 // Safe to call on any thread.
691 // This field may only be accessed on the actor's thread, and will be
692 // automatically cleared when the ActorLifecycleProxy is destroyed.
695 // The serial event target which owns the actor, and is the only thread where
696 // it is OK to access the ActorLifecycleProxy.
698 };
710 }
721 };
740 }
744 }
747 // Equivalent to `InsertElementSorted`, avoiding inserting a duplicate
748 // element.
752 }
753 }
759 };
766 }
769 }
775 }
777 }