Hack to make it safe to read capabilities from default values (returning broken…

Hack to make it safe to read capabilities from default values (returning broken caps) without introducing a dependency from libcapnp on libcapnp-rpc.

Hack to make it safe to read capabilities from default values (returning broken…
Hack to make it safe to read capabilities from default values (returning broken caps) without introducing a dependency from libcapnp on libcapnp-rpc.
110ca1c0 · Kenton Varda · fd769d56 · 110ca1c0 · 110ca1c0 · 110ca1c0
Commit 110ca1c0 authored Dec 10, 2013 by Kenton Varda
Showing with 31 additions and 34 deletions

arena.c++ c++/src/capnp/arena.c++ +0 -16

arena.h c++/src/capnp/arena.h +0 -8

capability-context.c++ c++/src/capnp/capability-context.c++ +13 -2

layout.c++ c++/src/capnp/layout.c++ +18 -8

No files found.
--- a/c++/src/capnp/arena.c++
+++ b/c++/src/capnp/arena.c++
@@ -106,10 +106,6 @@ kj::Maybe<kj::Own<ClientHook>> BasicReaderArena::extractCap(uint index) {
  return nullptr;
 }
-kj::Maybe<kj::Own<ClientHook>> BasicReaderArena::newBrokenCap(kj::StringPtr description) {
-  return nullptr;
-}
 // =======================================================================================
 ImbuedReaderArena::ImbuedReaderArena(Arena* base, BrokenCapFactory& brokenCapFactory,
@@ -173,10 +169,6 @@ kj::Maybe<kj::Own<ClientHook>> ImbuedReaderArena::extractCap(uint index) {
  }
 }
-kj::Maybe<kj::Own<ClientHook>> ImbuedReaderArena::newBrokenCap(kj::StringPtr description) {
-  return brokenCapFactory.newBrokenCap(description);
-}
 // =======================================================================================
 BasicBuilderArena::BasicBuilderArena(MessageBuilder* message)
@@ -315,10 +307,6 @@ kj::Maybe<kj::Own<ClientHook>> BasicBuilderArena::extractCap(uint index) {
  return nullptr;
 }
-kj::Maybe<kj::Own<ClientHook>> BasicBuilderArena::newBrokenCap(kj::StringPtr description) {
-  return nullptr;
-}
 uint BasicBuilderArena::injectCap(kj::Own<ClientHook>&& cap) {
  KJ_FAIL_REQUIRE("Cannot inject capability into a builder that has not been imbued with a "
                  "capability context.") {
@@ -394,10 +382,6 @@ kj::Maybe<kj::Own<ClientHook>> ImbuedBuilderArena::extractCap(uint index) {
  }
 }
-kj::Maybe<kj::Own<ClientHook>> ImbuedBuilderArena::newBrokenCap(kj::StringPtr description) {
-  return brokenCapFactory.newBrokenCap(description);
-}
 SegmentBuilder* ImbuedBuilderArena::getSegment(SegmentId id) {
  return imbue(base->getSegment(id));
 }

--- a/c++/src/capnp/arena.h
+++ b/c++/src/capnp/arena.h
@@ -203,10 +203,6 @@ public:
  // Extract the capability at the given index.  If the index is invalid, returns a dummy
  // capability whose methods all throw.  Returns null only if the message is not imbued with a
  // capability context.
-  virtual kj::Maybe<kj::Own<ClientHook>> newBrokenCap(kj::StringPtr description) = 0;
-  // Returns a capability which, when called, always throws an exception with the given description.
-  // Returns null if the message is not imbued with a capability context.
 };
 class BasicReaderArena final: public Arena {
@@ -219,7 +215,6 @@ public:
  SegmentReader* tryGetSegment(SegmentId id) override;
  void reportReadLimitReached() override;
  kj::Maybe<kj::Own<ClientHook>> extractCap(uint index);
-  kj::Maybe<kj::Own<ClientHook>> newBrokenCap(kj::StringPtr description);
 private:
  MessageReader* message;
@@ -252,7 +247,6 @@ public:
  SegmentReader* tryGetSegment(SegmentId id) override;
  void reportReadLimitReached() override;
  kj::Maybe<kj::Own<ClientHook>> extractCap(uint index);
-  kj::Maybe<kj::Own<ClientHook>> newBrokenCap(kj::StringPtr description);
 private:
  Arena* base;
@@ -312,7 +306,6 @@ public:
  SegmentReader* tryGetSegment(SegmentId id) override;
  void reportReadLimitReached() override;
  kj::Maybe<kj::Own<ClientHook>> extractCap(uint index);
-  kj::Maybe<kj::Own<ClientHook>> newBrokenCap(kj::StringPtr description);
  // implements BuilderArena -----------------------------------------
  SegmentBuilder* getSegment(SegmentId id) override;
@@ -352,7 +345,6 @@ public:
  SegmentReader* tryGetSegment(SegmentId id) override;
  void reportReadLimitReached() override;
  kj::Maybe<kj::Own<ClientHook>> extractCap(uint index);
-  kj::Maybe<kj::Own<ClientHook>> newBrokenCap(kj::StringPtr description);
  // implements BuilderArena -----------------------------------------
  SegmentBuilder* getSegment(SegmentId id) override;

--- a/c++/src/capnp/capability-context.c++
+++ b/c++/src/capnp/capability-context.c++
@@ -30,6 +30,13 @@
 namespace capnp {
+namespace _ {
+void setGlobalBrokenCapFactoryForLayoutCpp(BrokenCapFactory& factory);
+// Defined in layout.c++.
+}  // namespace _
 namespace {
 class BrokenCapFactoryImpl: public _::BrokenCapFactory {
@@ -44,7 +51,9 @@ static BrokenCapFactoryImpl brokenCapFactory;
 }  // namespace
 CapReaderContext::CapReaderContext(kj::Array<kj::Own<ClientHook>>&& capTable)
-    : capTable(kj::mv(capTable)) {}
+    : capTable(kj::mv(capTable)) {
+  setGlobalBrokenCapFactoryForLayoutCpp(brokenCapFactory);
+}
 CapReaderContext::~CapReaderContext() noexcept(false) {
  if (capTable == nullptr) {
    kj::dtor(arena());
@@ -64,7 +73,9 @@ AnyPointer::Reader CapReaderContext::imbue(AnyPointer::Reader base) {
  return AnyPointer::Reader(base.reader.imbue(arena()));
 }
-CapBuilderContext::CapBuilderContext() {}
+CapBuilderContext::CapBuilderContext() {
+  setGlobalBrokenCapFactoryForLayoutCpp(brokenCapFactory);
+}
 CapBuilderContext::~CapBuilderContext() noexcept(false) {
  if (arenaAllocated) {
    kj::dtor(arena());

--- a/c++/src/capnp/layout.c++
+++ b/c++/src/capnp/layout.c++
@@ -32,6 +32,16 @@
 namespace capnp {
 namespace _ {  // private
+static BrokenCapFactory* brokenCapFactory = nullptr;
+// Horrible hack:  We need to be able to construct broken caps without any capability context,
+// but we can't have a link-time dependency on libcapnp-rpc.
+void setGlobalBrokenCapFactoryForLayoutCpp(BrokenCapFactory& factory) {
+  // Called from capability-context.c++ when a capability context is created.  May be called
+  // multiple times but always with the same value.
+  __atomic_store_n(&brokenCapFactory, &factory, __ATOMIC_RELAXED);
+}
 // =======================================================================================
 struct WirePointer {
@@ -1830,19 +1840,19 @@ struct WireHelpers {
      SegmentReader* segment, const WirePointer* ref, int nestingLimit)) {
    kj::Maybe<kj::Own<ClientHook>> maybeCap;
-    if (segment == nullptr) {
+    KJ_REQUIRE(brokenCapFactory != nullptr,
-      // No capability context for unchecked messages.
+               "Trying to read capabilities without ever having created a capability context.  "
-      // TODO(now):  This means a capability read from an omitted (and therefore default-valued)
+               "To read capabilities from a message, you must imbue it with CapReaderContext, or "
-      //   sub-message will throw a fatal exception.
+               "use the Cap'n Proto RPC system.");
-      maybeCap = nullptr;
-    } else if (ref->isNull()) {
+    if (ref->isNull()) {
-      maybeCap = segment->getArena()->newBrokenCap("Calling null capability pointer.");
+      maybeCap = brokenCapFactory->newBrokenCap("Calling null capability pointer.");
    } else if (!ref->isCapability()) {
      KJ_FAIL_REQUIRE(
          "Message contains non-capability pointer where capability pointer was expected.") {
        break;
      }
-      maybeCap = segment->getArena()->newBrokenCap(
+      maybeCap = brokenCapFactory->newBrokenCap(
          "Calling capability extracted from a non-capability pointer.");
    } else {
      maybeCap = segment->getArena()->extractCap(ref->capRef.index.get());