Rename 'trusted' messages to 'unchecked', since they don't have to be quite so trusted anymore.

a1e067fb · Kenton Varda · de15e658 · a1e067fb · a1e067fb · a1e067fb
Commit a1e067fb authored May 18, 2013 by Kenton Varda
8 changed files
--- a/c++/src/capnproto/dynamic.c++
+++ b/c++/src/capnproto/dynamic.c++
@@ -712,20 +712,20 @@ DynamicValue::Reader DynamicStruct::Reader::getImpl(
              ListSchema::of(elementType, member.getContainingStruct()),
              reader.getListField(field.getOffset() * POINTERS,
                                  elementSizeFor(elementType.getBody().which()),
-                                  dval.getListValue<internal::TrustedMessage>())));
+                                  dval.getListValue<internal::UncheckedMessage>())));
        }

        case schema::Type::Body::STRUCT_TYPE: {
          return DynamicValue::Reader(DynamicStruct::Reader(
              member.getContainingStruct().getDependency(type.getStructType()).asStruct(),
              reader.getStructField(field.getOffset() * POINTERS,
-                                    dval.getStructValue<internal::TrustedMessage>())));
+                                    dval.getStructValue<internal::UncheckedMessage>())));
        }

        case schema::Type::Body::OBJECT_TYPE: {
          return DynamicValue::Reader(DynamicObject(
              reader.getObjectField(field.getOffset() * POINTERS,
-                                    dval.getObjectValue<internal::TrustedMessage>())));
+                                    dval.getObjectValue<internal::UncheckedMessage>())));
        }

        case schema::Type::Body::INTERFACE_TYPE:
@@ -805,12 +805,12 @@ DynamicValue::Builder DynamicStruct::Builder::getImpl(
            return DynamicValue::Builder(DynamicList::Builder(listType,
                builder.getStructListField(field.getOffset() * POINTERS,
                                           structSizeFromSchema(listType.getStructElementType()),
-                                           dval.getListValue<internal::TrustedMessage>())));
+                                           dval.getListValue<internal::UncheckedMessage>())));
          } else {
            return DynamicValue::Builder(DynamicList::Builder(listType,
                builder.getListField(field.getOffset() * POINTERS,
                                     elementSizeFor(listType.whichElementType()),
-                                     dval.getListValue<internal::TrustedMessage>())));
+                                     dval.getListValue<internal::UncheckedMessage>())));
          }
        }

@@ -822,14 +822,14 @@ DynamicValue::Builder DynamicStruct::Builder::getImpl(
              builder.getStructField(
                  field.getOffset() * POINTERS,
                  structSizeFromSchema(structSchema),
-                  dval.getStructValue<internal::TrustedMessage>())));
+                  dval.getStructValue<internal::UncheckedMessage>())));
        }

        case schema::Type::Body::OBJECT_TYPE: {
          return DynamicValue::Builder(DynamicObject(
              builder.asReader().getObjectField(
                  field.getOffset() * POINTERS,
-                  dval.getObjectValue<internal::TrustedMessage>())));
+                  dval.getObjectValue<internal::UncheckedMessage>())));
        }

        case schema::Type::Body::INTERFACE_TYPE:

--- a/c++/src/capnproto/encoding-test.c++
+++ b/c++/src/capnproto/encoding-test.c++
@@ -69,7 +69,7 @@ TEST(Encoding, AllTypes) {

  ASSERT_EQ(1u, builder.getSegmentsForOutput().size());

-  checkTestMessage(readMessageTrusted<TestAllTypes>(builder.getSegmentsForOutput()[0].begin()));
+  checkTestMessage(readMessageUnchecked<TestAllTypes>(builder.getSegmentsForOutput()[0].begin()));

  EXPECT_EQ(builder.getSegmentsForOutput()[0].size() - 1,  // -1 for root pointer
            reader.getRoot<TestAllTypes>().totalSizeInWords());
@@ -93,7 +93,7 @@ TEST(Encoding, Defaults) {
  SegmentArrayMessageReader reader(arrayPtr(segments, 1));

  checkTestMessage(reader.getRoot<TestDefaults>());
-  checkTestMessage(readMessageTrusted<TestDefaults>(nullRoot.words));
+  checkTestMessage(readMessageUnchecked<TestDefaults>(nullRoot.words));
 }

 TEST(Encoding, DefaultInitialization) {
@@ -133,7 +133,7 @@ TEST(Encoding, DefaultsFromEmptyMessage) {
  SegmentArrayMessageReader reader(arrayPtr(segments, 1));

  checkTestMessage(reader.getRoot<TestDefaults>());
-  checkTestMessage(readMessageTrusted<TestDefaults>(emptyMessage.words));
+  checkTestMessage(readMessageUnchecked<TestDefaults>(emptyMessage.words));
 }

 TEST(Encoding, GenericObjects) {

--- a/c++/src/capnproto/generated-header-support.h
+++ b/c++/src/capnproto/generated-header-support.h
@@ -109,18 +109,18 @@ struct PointerHelpers<T, Kind::BLOB> {

 #if defined(CAPNPROTO_PRIVATE) || defined(__CDT_PARSER__)

-struct TrustedMessage {
+struct UncheckedMessage {
  typedef const word* Reader;
 };

 template <>
-struct PointerHelpers<TrustedMessage> {
-  // Reads an Object field as a trusted message pointer.  Requires that the containing message is
-  // itself trusted.  This hack is currently private.  It is used to locate default values within
+struct PointerHelpers<UncheckedMessage> {
+  // Reads an Object field as an unchecked message pointer.  Requires that the containing message is
+  // itself unchecked.  This hack is currently private.  It is used to locate default values within
  // encoded schemas.

  static inline const word* get(StructReader reader, WirePointerCount index) {
-    return reader.getTrustedPointer(index);
+    return reader.getUncheckedPointer(index);
  }
 };

@@ -132,7 +132,7 @@ struct RawSchema {
  // This is an internal structure which could change in the future.

  const word* encodedNode;
-  // Encoded SchemaNode, readable via readMessageTrusted<schema::Node>(encodedNode).
+  // Encoded SchemaNode, readable via readMessageUnchecked<schema::Node>(encodedNode).

  const RawSchema* const* dependencies;
  // Pointers to other types on which this one depends, sorted by ID.

--- a/c++/src/capnproto/layout-test.c++
+++ b/c++/src/capnproto/layout-test.c++
@@ -46,7 +46,7 @@ TEST(WireFormat, SimpleRawDataStruct) {
    0x01, 0x23, 0x45, 0x67, 0x89, 0xab, 0xcd, 0xef
  }};

-  StructReader reader = StructReader::readRootTrusted(data.words);
+  StructReader reader = StructReader::readRootUnchecked(data.words);

  EXPECT_EQ(0xefcdab8967452301ull, reader.getDataField<uint64_t>(0 * ELEMENTS));
  EXPECT_EQ(0u, reader.getDataField<uint64_t>(1 * ELEMENTS));
@@ -301,7 +301,7 @@ TEST(WireFormat, StructRoundTrip_OneSegment) {

  checkStruct(builder);
  checkStruct(builder.asReader());
-  checkStruct(StructReader::readRootTrusted(segment->getStartPtr()));
+  checkStruct(StructReader::readRootUnchecked(segment->getStartPtr()));
  checkStruct(StructReader::readRoot(segment->getStartPtr(), segment, 4));
 }


--- a/c++/src/capnproto/layout.c++
+++ b/c++/src/capnproto/layout.c++
@@ -211,7 +211,7 @@ struct WireHelpers {

  static CAPNPROTO_ALWAYS_INLINE(bool boundsCheck(
      SegmentReader* segment, const word* start, const word* end)) {
-    // If segment is null, this is a trusted message, so all pointers have been checked already.
+    // If segment is null, this is an unchecked message, so we don't do bounds checks.
    return segment == nullptr || segment->containsInterval(start, end);
  }

@@ -269,7 +269,7 @@ struct WireHelpers {

  static CAPNPROTO_ALWAYS_INLINE(
      const word* followFars(const WirePointer*& ref, SegmentReader*& segment)) {
-    // If the segment is null, this is a trusted message, so there are no FAR pointers.
+    // If the segment is null, this is an unchecked message, so there are no FAR pointers.
    if (segment != nullptr && ref->kind() == WirePointer::FAR) {
      // Look up the segment containing the landing pad.
      segment = segment->getArena()->tryGetSegment(ref->farRef.segmentId.get());
@@ -1901,7 +1901,7 @@ StructReader StructBuilder::asReader() const {
 // =======================================================================================
 // StructReader

-StructReader StructReader::readRootTrusted(const word* location) {
+StructReader StructReader::readRootUnchecked(const word* location) {
  return WireHelpers::readStructPointer(nullptr, reinterpret_cast<const WirePointer*>(location),
                                        nullptr, std::numeric_limits<int>::max());
 }
@@ -1950,8 +1950,8 @@ ObjectReader StructReader::getObjectField(
      segment, pointers + ptrIndex, defaultValue, nestingLimit);
 }

-const word* StructReader::getTrustedPointer(WirePointerCount ptrIndex) const {
-  PRECOND(segment == nullptr, "getTrustedPointer() only allowed on trusted messages.");
+const word* StructReader::getUncheckedPointer(WirePointerCount ptrIndex) const {
+  PRECOND(segment == nullptr, "getUncheckedPointer() only allowed on unchecked messages.");
  return reinterpret_cast<const word*>(pointers + ptrIndex);
 }


--- a/c++/src/capnproto/layout.h
+++ b/c++/src/capnproto/layout.h
@@ -333,7 +333,7 @@ public:
  StructBuilder getStructField(WirePointerCount ptrIndex, StructSize size,
                               const word* defaultValue) const;
  // Gets the struct field at the given index in the pointer segment.  If the field is not already
-  // initialized, it is initialized as a deep copy of the given default value (a trusted message),
+  // initialized, it is initialized as a deep copy of the given default value (a flat message),
  // or to the empty state if defaultValue is nullptr.

  ListBuilder initListField(WirePointerCount ptrIndex, FieldSize elementSize,
@@ -350,14 +350,14 @@ public:
                           const word* defaultValue) const;
  // Gets the already-allocated list field for the given pointer index, ensuring that the list is
  // suitable for storing non-struct elements of the given size.  If the list is not already
-  // allocated, it is allocated as a deep copy of the given default value (a trusted message).  If
+  // allocated, it is allocated as a deep copy of the given default value (a flat message).  If
  // the default value is null, an empty list is used.

  ListBuilder getStructListField(WirePointerCount ptrIndex, StructSize elementSize,
                                 const word* defaultValue) const;
  // Gets the already-allocated list field for the given pointer index, ensuring that the list
  // is suitable for storing struct elements of the given size.  If the list is not
-  // already allocated, it is allocated as a deep copy of the given default value (a trusted
+  // already allocated, it is allocated as a deep copy of the given default value (a flat
  // message).  If the default value is null, an empty list is used.

  template <typename T>
@@ -418,7 +418,7 @@ public:
      : segment(nullptr), data(nullptr), pointers(nullptr), dataSize(0),
        pointerCount(0), bit0Offset(0), nestingLimit(0x7fffffff) {}

-  static StructReader readRootTrusted(const word* location);
+  static StructReader readRootUnchecked(const word* location);
  static StructReader readRoot(const word* location, SegmentReader* segment, int nestingLimit);

  inline BitCount getDataSectionSize() const { return dataSize; }
@@ -439,7 +439,7 @@ public:

  StructReader getStructField(WirePointerCount ptrIndex, const word* defaultValue) const;
  // Get the struct field at the given index in the pointer segment, or the default value if not
-  // initialized.  defaultValue will be interpreted as a trusted message -- it must point at a
+  // initialized.  defaultValue will be interpreted as a flat message -- it must point at a
  // struct pointer, which in turn points at the struct value.  The default value is allowed to
  // be null, in which case an empty struct is used.

@@ -456,10 +456,10 @@ public:
  ObjectReader getObjectField(WirePointerCount ptrIndex, const word* defaultValue) const;
  // Read a pointer of arbitrary type.

-  const word* getTrustedPointer(WirePointerCount ptrIndex) const;
-  // If this is a trusted message, get a word* pointing at the location of the pointer.  This
-  // word* can actually be passed to readTrusted() to read the designated sub-object later.  If
-  // this isn't a trusted message, throws an exception.
+  const word* getUncheckedPointer(WirePointerCount ptrIndex) const;
+  // If this is an unchecked message, get a word* pointing at the location of the pointer.  This
+  // word* can actually be passed to readUnchecked() to read the designated sub-object later.  If
+  // this isn't an unchecked message, throws an exception.

  bool isPointerFieldNull(WirePointerCount ptrIndex) const;


--- a/c++/src/capnproto/message.h
+++ b/c++/src/capnproto/message.h
@@ -175,27 +175,32 @@ private:
 };

 template <typename RootType>
-static typename RootType::Reader readMessageTrusted(const word* data);
+static typename RootType::Reader readMessageUnchecked(const word* data);
 // IF THE INPUT IS INVALID, THIS MAY CRASH, CORRUPT MEMORY, CREATE A SECURITY HOLE IN YOUR APP,
 // MURDER YOUR FIRST-BORN CHILD, AND/OR BRING ABOUT ETERNAL DAMNATION ON ALL OF HUMANITY.  DO NOT
 // USE UNLESS YOU UNDERSTAND THE CONSEQUENCES.
 //
 // Given a pointer to a known-valid message located in a single contiguous memory segment,
-// returns a reader for that message.  No bounds-checking will be done while tranversing this
-// message.  Use this only if you are absolutely sure that the input data is a valid message
-// created by your own system.  Never use this to read messages received from others.
+// returns a reader for that message.  No bounds-checking will be done while traversing this
+// message.  Use this only if you have already verified that all pointers are valid and in-bounds,
+// and there are no far pointers in the message.
 //
-// To create a trusted message, build a message using a MallocAllocator whose preferred segment
-// size is larger than the message size.  This guarantees that the message will be allocated as a
-// single segment, meaning getSegmentsForOutput() returns a single word array.  That word array
-// is your message; you may pass a pointer to its first word into readMessageTrusted() to read the
-// message.
+// To create a message that can be passed to this function, build a message using a MallocAllocator
+// whose preferred segment size is larger than the message size.  This guarantees that the message
+// will be allocated as a single segment, meaning getSegmentsForOutput() returns a single word
+// array.  That word array is your message; you may pass a pointer to its first word into
+// readMessageUnchecked() to read the message.
 //
 // This can be particularly handy for embedding messages in generated code:  you can
 // embed the raw bytes (using AlignedData) then make a Reader for it using this.  This is the way
 // default values are embedded in code generated by the Cap'n Proto compiler.  E.g., if you have
 // a message MyMessage, you can read its default value like so:
-//    MyMessage::Reader reader = Message<MyMessage>::readMessageTrusted(MyMessage::DEFAULT.words);
+//    MyMessage::Reader reader = Message<MyMessage>::readMessageUnchecked(MyMessage::DEFAULT.words);
+//
+// To sanitize a message from an untrusted source such that it can be safely passed to
+// readMessageUnchecked(), construct a MessageBuilder whose first segment is large enough to store
+// the message, and then use MessageBuilder::setRoot() to copy the message in.  The process of
+// copying the message implicitly validates all pointers.

 template <typename Type>
 static typename Type::Reader defaultValue();
@@ -324,8 +329,8 @@ inline typename RootType::Builder MessageBuilder::getRoot() {
 }

 template <typename RootType>
-typename RootType::Reader readMessageTrusted(const word* data) {
-  return typename RootType::Reader(internal::StructReader::readRootTrusted(data));
+typename RootType::Reader readMessageUnchecked(const word* data) {
+  return typename RootType::Reader(internal::StructReader::readRootUnchecked(data));
 }

 template <typename Type>

--- a/c++/src/capnproto/schema.c++
+++ b/c++/src/capnproto/schema.c++
@@ -29,7 +29,7 @@
 namespace capnproto {

 schema::Node::Reader Schema::getProto() const {
-  return readMessageTrusted<schema::Node>(raw->encodedNode);
+  return readMessageUnchecked<schema::Node>(raw->encodedNode);
 }

 Schema Schema::getDependency(uint64_t id) const {