- 03 Jan, 2018 1 commit
-
-
Kenton Varda authored
-
- 21 Apr, 2017 1 commit
-
-
Kenton Varda authored
-
- 07 Apr, 2017 1 commit
-
-
Kenton Varda authored
-
- 18 Nov, 2016 1 commit
-
-
Kenton Varda authored
-
- 07 Oct, 2016 1 commit
-
-
Kenton Varda authored
Previously, in the presence of promise capabilities, a save() request could cross over the same gateway twice (or more!). Some gateways (e.g. Sandstorm's) implement one-way transformations, so this could cause the request to fail when it shouldn't.
-
- 17 Jun, 2016 1 commit
-
-
Kenton Varda authored
This is blunt: A peer can choose to stop reading new messages from a connection whenever the calls in-flight cross a certain threshold. This is needed in Sandstorm to prevent errant (or malicious) apps from consuming excessive RAM in other parts of the system by flooding them with calls.
-
- 06 Apr, 2016 1 commit
-
-
Harris Hancock authored
-
- 07 Jan, 2016 4 commits
-
-
David Renshaw authored
-
David Renshaw authored
-
David Renshaw authored
-
David Renshaw authored
-
- 23 Jul, 2015 1 commit
-
-
Kenton Varda authored
Fix bug causing exception: "'Disembargo' of type 'senderLoopback' sent to an object that does not point back to the sender." The problem happened when pipelined calls were made on a promised capability, but then that capability turned out to be null. The promise resolving code incorrectly interpreted this as the remote promise having resolved to a local capability (because the "null" stub capability looks local), and so it would send a Disembargo message to flush the pipeline as required. However, the remote end would receive this Disembargo message and find it is addressed to a null capability, not a capability pointing back to the sender. This was treated as a protocol error, causing the receiver to close the connection. The solution is to explicitly identity "null" capabilities so that we can distinguish this case. This change also has the benefit that now when you copy a null capability between messages with foo.setCap(bar.getCap()), the pointer will be set null in the destination, rather than becoming a reference to a local broken capability. Thanks to David Renshaw for narrowing this down.
-
- 03 Jul, 2015 1 commit
-
-
Kenton Varda authored
**The problem** The methods MessageReader::initCapTable() and MessageBuilder::getCapTable() always felt rather hacky. initCapTable() in particular feels like something that should be handled by the constructor. However, in practice, the cap table is often initialized based on a table encoded within the message itself. That is, an RPC message contains a "payload" which includes both the application-level message structure and a table of capabilities. The cap table has to be processed first, then initCapTable() is called on the overall message, before the application structure can safely be read. The really weird part about this is that even though the cap table only applies to one branch of the message (the payload), it is set on the *whole* MessageReader. This implies, for example, that it would be impossible to have a message that contains multiple payloads. We haven't had any need for such a thing, but an implemnetation that has such artificial limitations feels very wrong. MessageBuilder has similar issues going in the opposite direction. All of this ugliness potentially gets worse when we introduce "membranes". We want a way to intercept capabilities as they are being read from or written to an RPC payload. Currently, the only plausible way to do that is, again, to apply a transformation to all capabilities in the message. In practice it seems like this would work out OK, but it again feels wrong -- we really want to take a single Reader or Builder and "wrap" it so that transformations are applied on capabilities read/written through it. **The solution** This change fixes the problem by adding a new pointer to each struct/list Reader/Builder that tracks the current cap table. So, now a Reader or Builder for a particular sub-object can be "imbued" with a cap table without affecting any other existing Readers/Builders pointing into the same message. The cap table is inherited by child Readers/Builders obtained through the original one. This approach matches up nicely with membranes, which should make their implementation nice and clean. This change unfortunately means that Readers and Builders are now bigger, possibly with some performance impact.
-
- 11 Jun, 2015 1 commit
-
-
Kenton Varda authored
Don't kill the connection just because someone pipelined on a capability pointer that turned out to be null.
-
- 06 May, 2015 2 commits
-
-
Kenton Varda authored
-
Kenton Varda authored
Add ability to construct a new bootstrap capability for each connecting client based on their authenticated VatId.
-
- 05 May, 2015 1 commit
-
-
Kenton Varda authored
- Reduce noise. - Trace through async callbacks.
-
- 23 Dec, 2014 1 commit
-
-
Kenton Varda authored
-
- 10 Dec, 2014 1 commit
-
-
Kenton Varda authored
-
- 29 Nov, 2014 1 commit
-
-
Kenton Varda authored
Distinguishing between "local bugs" and "preconditions" was proving difficult in practice, because a precondition failure in one function may very well indicate a bug in a calling function, but the exception may be thrown through that function, thus when caught the classification is nonsensical. The distinction also was not as useful as imagined. So, I eliminated this distinction.
-
- 13 Nov, 2014 1 commit
-
-
Kenton Varda authored
-
- 09 Nov, 2014 2 commits
-
-
Kenton Varda authored
-
Kenton Varda authored
-
- 04 Nov, 2014 1 commit
-
-
Kenton Varda authored
The 'objectId' field is now deprecated. Long-term, each vat will export no more than one "bootstrap interface" which can be obtained via 'Bootstrap'. Restoring SturdyRefs will be accomplished through higher-level interfaces specific to the VatNetwork in use. See comments for 'Bootstrap' in rpc.capnp for more discussion.
-
- 11 Sep, 2014 1 commit
-
-
Kenton Varda authored
This only happened if the Finish message indicating cancellation and the Return message happened to cross paths. If the Finish arrived before the Return was sent, then the server would send an empty response. If the Return was received before the Finish was sent, the client would properly record caps in the response. But if they crossed paths, the server would send back a full response with caps, but the client would never bother to inspect that response, thus leaking the caps. Fix is to set the flag to release all returned caps in the Finish message when cancelling.
-
- 19 Aug, 2014 1 commit
-
-
Kenton Varda authored
Bug 1 ----- If a Resolve message indicated that the promise had been rejected, the code would see the error cap as a local cap and erroneously believe that the promise had resolved back to a local capability, thereby requiring a Disembargo to be sent. The peer, on receiving the nonsensical Disembargo, would throw an exception and close the connection. The error message seen was: "expected target->getBrand() == this; 'Disembargo' of type 'senderLoopback' sent to an object that does not point back to the sender." Bug 2 ----- Disembargos are sent not only in response to Resolves, but also Returns, since capabilities in a returned message were previously accessible as PromisedAnswers. This means that we must apply the same rule that states that once a promise has been resolved, the promise must from then on forward all messages it receives strictly to the object to which it resolved, even if that object is itself a promise which later resolves to somewhere else. The code which sends Resolve messages was doing this correctly, but the code sending Return messages was not. They now both operate correctly. I've also added more explanation to the documentation in rpc.capnp. The error message seen was: "expected redirect == nullptr; 'Disembargo' of type 'senderLoopback' sent to an object that does not appear to have been the object of a previous 'Resolve' message."
-
- 20 Jun, 2014 1 commit
-
-
Kenton Varda authored
For portions currently copyright by Kenton (most of it), transfer copyright to Sandstorm Development Group, Inc. (Kenton's company). The license change is practically meaningless, as MIT and BSD 2-clause are legally equivalent. However, the BSD 2-clause license is sometimes confused for its ugly siblings, BSD 3-clause and BSD 4-clause. The MIT license is more immediately recognizeable for what it is. Rémy Blank and Jason Choy (the two non-trivial contributors) are on record as approving this change: https://groups.google.com/d/msg/capnproto/xXDd2HUOCcc/gbe_COIuXKYJ
-
- 29 May, 2014 1 commit
-
-
David Renshaw authored
-
- 11 Feb, 2014 1 commit
-
-
Kenton Varda authored
Cleaner disconnect handling. Better fix for issue #71, and also simplifies the interface and improves robustness.
-
- 28 Jan, 2014 1 commit
-
-
Kenton Varda authored
Fix bug where receiving EOF on the RPC connection could cause RpcConnectionState to go into an infinite promise loop. Strange that this did not cause trouble earlier. Also some minor tweaks.
-
- 11 Dec, 2013 1 commit
-
-
Kenton Varda authored
Eliminate the concept of imbuing messages in favor of the simpler concept of setting a cap table directly on MessageReader / getting one from MessageBuilder. This eliminates capability-context entirely. This was made possible by the earlier change which moved capabilities to a separate table rather than storing CapDescriptors inline, but I didn't realize it at the time.
-
- 10 Dec, 2013 3 commits
-
-
Kenton Varda authored
Define additional type aliases AnswerId and ImportId. In the RPC protocol, always use the type corresponding to the sender's point of view. In the implementation, always use the type corresponding to the local point of view.
-
Kenton Varda authored
Lift requirement that releaseParams() be called before tailCall() or allowCancellation() -- this is no longer necessary given the protocol simplification that allowed cap descriptors to be interpreted immediately upon receipt.
-
Kenton Varda authored
-
- 06 Dec, 2013 3 commits
-
-
Kenton Varda authored
Extend totalSizeInWords() to also return a count of capabilities, which helps when a separate capability table needs to be allocated as well. Use this in the RPC system.
-
Kenton Varda authored
-
Kenton Varda authored
Change capability pointers to be indexes into a separate cap list so that CapDescriptors can be interpreted on receipt rather than delaying until the application actually traverses the message. This massively simplifies a lot of things.
-
- 05 Dec, 2013 3 commits
-
-
Kenton Varda authored
-
Kenton Varda authored
-
Kenton Varda authored
Make all Promise methods consistently consume the promise (returning a new promise when it makes sense), rename daemonize -> detach, and make eagerlyEvaluate() require an error handler (this caught several places where I forgot to use one).
-