| blob | 842bc229867d2f44c2a1df2ec19e8b665e65c845 |
1 /* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
2 /* vim: set ts=8 sts=2 et sw=2 tw=80: */
3 /* This Source Code Form is subject to the terms of the Mozilla Public
4 * License, v. 2.0. If a copy of the MPL was not distributed with this
5 * file, You can obtain one at https://mozilla.org/MPL/2.0/. */
7 #ifndef mozilla_ipc_ProtocolUtils_h
8 #define mozilla_ipc_ProtocolUtils_h
10 #include <cstddef>
11 #include <cstdint>
12 #include <utility>
38 // XXX Things that could be moved to ProtocolUtils.cpp
42 #if defined(ANDROID) && defined(DEBUG)
43 # include <android/log.h>
44 #endif
49 // WARNING: this takes into account the private, special-message-type
50 // enum in ipc_channel.h. They need to be kept in sync.
52 // XXX the max message ID is actually kuint32max now ... when this
53 // changed, the assumptions of the special message IDs changed in that
54 // they're not carving out messages from likely-unallocated space, but
55 // rather carving out messages from the end of space allocated to
56 // protocol 0. Oops! We can get away with this until protocol 0
57 // starts approaching its 65,536th message.
59 // Message types used by DataPipe
63 // Message types used by NodeChannel
70 // Message types used by MessageChannel
82 // kuint16max - 1 is used by ipc_channel.h.
83 };
104 // Scoped base::ProcessHandle to ensure base::CloseProcessHandle is called.
113 }
114 }
115 };
121 // Used to pass references to protocol actors across the wire.
122 // Actors created on the parent-side have a positive ID, and actors
123 // allocated on the child side have a negative ID.
126 };
128 // What happens if Interrupt calls race?
132 // The actor has not established a link yet, or the actor is no longer in use
133 // by IPC, and its 'Dealloc' method has been called or is being called.
134 //
135 // NOTE: This state is used instead of an explicit `Freed` state when IPC no
136 // longer holds references to the current actor as we currently re-open
137 // existing actors. Once we fix these poorly behaved actors, this loopback
138 // state can be split to have the final state not be the same as the initial
139 // state.
140 Inactive,
142 // A live link is connected to the other side of this actor.
143 Connected,
145 // The link has begun being destroyed. Messages may still be received, but
146 // cannot be sent. (exception: sync/intr replies may be sent while Doomed).
147 Doomed,
149 // The link has been destroyed, and messages will no longer be sent or
150 // received.
151 Destroyed,
152 };
156 // Generated by IPDL compiler
169 FailedConstructor,
170 Deletion,
171 AncestorDeletion,
172 NormalShutdown,
173 AbnormalShutdown,
174 ManagedEndpointDropped
175 };
192 // The following methods either directly forward to the toplevel protocol, or
193 // almost directly do.
208 // Get the nsISerialEventTarget which all messages sent to this actor will be
209 // processed on. Unless stated otherwise, all operations on IProtocol which
210 // don't occur on this `nsISerialEventTarget` are unsafe.
213 // Actor lifecycle and other properties.
228 }
230 // Remove or deallocate a managee given its type.
260 // We have separate functions because the accessibility code manually
261 // calls SetManager.
264 // Sets the manager for the protocol and registers the protocol with
265 // its manager, setting up channels for the protocol as well. Not
266 // for use outside of IPDL.
270 // Helpers for calling `Send` on our underlying IPC channel.
285 }
286 }
288 // Collect all actors managed by this object in an array. To make this safer
289 // to iterate, `ActorLifecycleProxy` references are returned rather than raw
290 // actor pointers.
296 // Internal method called when the actor becomes connected.
299 // Called immediately before setting the actor state to doomed, and triggering
300 // async actor destruction. Messages may be sent from this callback, but no
301 // later.
302 // FIXME(nika): This is currently unused!
306 // Called when the actor has been destroyed due to an error, a __delete__
307 // message, or a __doom__ reply.
311 // Called when IPC has acquired its first reference to the actor. This method
312 // may take references which will later be freed by `ActorDealloc`.
315 // Called when IPC has released its final reference to the actor. It will call
316 // the dealloc method, causing the actor to be actually freed.
317 //
318 // The actor has been freed after this method returns.
325 #ifdef DEBUG
327 #else
329 #endif
332 ProtocolId mProtocolId;
333 Side mSide;
334 LinkStatus mLinkStatus;
338 };
340 #define IPC_OK() mozilla::ipc::IPCResult::Ok()
341 #define IPC_FAIL(actor, why) \
342 mozilla::ipc::IPCResult::Fail(WrapNotNull(actor), __func__, (why))
343 #define IPC_FAIL_NO_REASON(actor) \
344 mozilla::ipc::IPCResult::Fail(WrapNotNull(actor), __func__)
346 /*
347 * IPC_FAIL_UNSAFE_PRINTF(actor, format, ...)
348 *
349 * Create a failure IPCResult with a dynamic reason-string.
350 *
351 * @note This macro causes data collection because IPC failure reasons may be
352 * sent to crash-stats, where they are publicly visible. Firefox data stewards
353 * must do data review on usages of this macro.
354 */
355 #define IPC_FAIL_UNSAFE_PRINTF(actor, format, ...) \
356 mozilla::ipc::IPCResult::FailUnsafePrintfImpl( \
357 WrapNotNull(actor), __func__, nsPrintfCString(format, ##__VA_ARGS__))
359 /**
360 * All message deserializers and message handlers should return this type via
361 * the above macros. We use a less generic name here to avoid conflict with
362 * `mozilla::Result` because we have quite a few `using namespace mozilla::ipc;`
363 * in the code base.
364 *
365 * Note that merely constructing a failure-result, whether directly or via the
366 * IPC_FAIL macros, causes the associated error message to be processed
367 * immediately.
368 */
373 // IPC failure messages can sometimes end up in telemetry. As such, to avoid
374 // accidentally exfiltrating sensitive information without a data review, we
375 // require that they be constant strings.
380 }
384 }
388 // Only used by IPC_FAIL_UNSAFE_PRINTF (q.v.). Do not call this directly. (Or
389 // at least get data-review's approval if you do.)
395 }
403 };
413 /**
414 * All refcounted protocols should inherit this class.
415 */
418 NS_INLINE_DECL_PURE_VIRTUAL_REFCOUNTING
421 };
423 /**
424 * All top-level protocols should inherit this class.
425 *
426 * IToplevelProtocol tracks all top-level protocol actors created from
427 * this protocol actor.
428 */
435 Side aSide);
439 // Shadow methods on IProtocol which are implemented directly on toplevel
440 // actors.
468 // Open a toplevel actor such that both ends of the actor's channel are on
469 // the same thread. This method should be called on the thread to perform
470 // the link.
471 //
472 // WARNING: Attempting to send a sync or intr message on the same thread
473 // will crash.
477 /**
478 * This sends a special message that is processed on the IO thread, so that
479 * other actors can know that the process will soon shutdown.
480 */
493 // WARNING: This function is called with the MessageChannel monitor held.
496 // The code here is only useful for fuzzing. It should not be used for any
497 // other purpose.
498 #ifdef DEBUG
499 // Returns true if we should simulate a timeout.
500 // WARNING: This is a testing-only function that is called with the
501 // MessageChannel monitor held. Don't do anything fancy here or we could
502 // deadlock.
505 // Returns true if we want to cause the worker thread to sleep with the
506 // monitor unlocked.
509 // This function should be implemented to sleep for some amount of time on
510 // the worker thread. Will only be called if NeedArtificialSleep() returns
511 // true.
513 #else
517 #endif
537 // NOTE NOTE NOTE
538 // Used to be on mState
543 MessageChannel mChannel;
544 };
551 };
553 #define FORWARD_SHMEM_ALLOCATOR_TO(aImplClass) \
554 virtual bool AllocShmem(size_t aSize, mozilla::ipc::Shmem* aShmem) \
555 override { \
556 return aImplClass::AllocShmem(aSize, aShmem); \
557 } \
558 virtual bool AllocUnsafeShmem(size_t aSize, mozilla::ipc::Shmem* aShmem) \
559 override { \
560 return aImplClass::AllocUnsafeShmem(aSize, aShmem); \
561 } \
562 virtual bool DeallocShmem(mozilla::ipc::Shmem& aShmem) override { \
563 return aImplClass::DeallocShmem(aShmem); \
564 }
567 #if defined(DEBUG) || defined(FUZZING)
569 #else
571 #endif
572 }
574 #if defined(DEBUG) || defined(FUZZING)
577 #endif
581 #if defined(DEBUG) || defined(FUZZING)
584 #else
586 #endif
587 }
593 MessageDirection aDirection);
597 // IPC::MessageReader and IPC::MessageWriter call this function for FatalError
598 // calls which come from serialization/deserialization.
601 // The code generator calls this function for errors which come from the
602 // methods of protocols. Doing this saves codesize by making the error
603 // cases significantly smaller.
606 // The code generator calls this function for errors which are not
607 // protocol-specific: errors in generated struct methods or errors in
608 // transition functions, for instance. Doing this saves codesize by
609 // by making the error cases significantly smaller.
626 /**
627 * Annotate the crash reporter with the error code from the most recent system
628 * call. Returns the system error.
629 */
632 // The ActorLifecycleProxy is a helper type used internally by IPC to maintain a
633 // maybe-owning reference to an IProtocol object. For well-behaved actors
634 // which are not freed until after their `Dealloc` method is called, a
635 // reference to an actor's `ActorLifecycleProxy` object is an owning one, as the
636 // `Dealloc` method will only be called when all references to the
637 // `ActorLifecycleProxy` are released.
638 //
639 // Unfortunately, some actors may be destroyed before their `Dealloc` method
640 // is called. For these actors, `ActorLifecycleProxy` acts as a weak pointer,
641 // and will begin to return `nullptr` from its `Get()` method once the
642 // corresponding actor object has been destroyed.
643 //
644 // When calling a `Recv` method, IPC will hold a `ActorLifecycleProxy` reference
645 // to the target actor, meaning that well-behaved actors can behave as though a
646 // strong reference is being held.
647 //
648 // Generic IPC code MUST treat ActorLifecycleProxy references as weak
649 // references!
669 // Hold a reference to the actor's manager's ActorLifecycleProxy to help
670 // prevent it from dying while we're still alive!
673 // When requested, the current self-referencing weak reference for this
674 // ActorLifecycleProxy.
676 };
678 // Unlike ActorLifecycleProxy, WeakActorLifecycleProxy only holds a weak
679 // reference to both the proxy and the actual actor, meaning that holding this
680 // type will not attempt to keep the actor object alive.
681 //
682 // This type is safe to hold on threads other than the actor's thread, but is
683 // _NOT_ safe to access on other threads, as actors and ActorLifecycleProxy
684 // objects are not threadsafe.
689 // May only be called on the actor's event target.
690 // Will return `nullptr` if the actor has already been destroyed from IPC's
691 // point of view.
694 // Safe to call on any thread.
706 // This field may only be accessed on the actor's thread, and will be
707 // automatically cleared when the ActorLifecycleProxy is destroyed.
710 // The serial event target which owns the actor, and is the only thread where
711 // it is OK to access the ActorLifecycleProxy.
713 };
725 }
736 };
755 }
759 }
762 // Equivalent to `InsertElementSorted`, avoiding inserting a duplicate
763 // element.
767 }
768 }
774 };
781 }
784 }
790 }
792 }