- 16 Jun, 2019 1 commit
Kenton Varda authored
Way back in 538a767e I added `RpcSystem::setFlowLimit()`, a blunt mechanism by which an RPC node can arrange to stop reading new messages from the connection when too many incoming calls are in-flight. This was needed to deal with buggy Sandstorm apps that would stream multi-gigabyte files by doing a zillion writes without waiting, which would then all be queued in the HTTP gateway, causing it to run out of memory. In implementing that, I inadvertently caused the RPC system to do a tree walk on every call message it received, in order to sum up the message size. This is silly, because it's much cheaper to sum up the segment sizes. In fact, in the case of a malicious peer, the tree walk is potentially insufficient, because it doesn't count holes in the segments. The tree walk also means that any invalid pointers in the message cause an exception to be thrown even if that pointer is never accessed by the app, which isn't the usual behavior. I seem to recall this issue coming up in discussion once in the past, but I couldn't find the thread. For the new streaming feature, we'll be paying attention to the size of outgoing messages. Again, here, it would be nice to compute this size by summing segments without doing a tree walk. So, this commit adds `sizeInWords()` methods that do this.
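An added example, not code from this commit or from Cap'n Proto, of the accounting the message describes: a receiver sizes an incoming message by summing the segment table of the stream framing format against a budget, so that an oversized or hostile message is rejected before any segment data is read or any pointer is followed. The names `measureFrame`, `buildFrame` and `limitWords` are chosen here; the framing layout (a uint32 segment count minus one, one uint32 size per segment, padded to 8 bytes) is the documented Cap'n Proto stream format.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstring>
#include <optional>
#include <vector>

// Constructed illustration, not Cap'n Proto's own code: size an incoming
// message from the framing header alone, as the commit describes, instead of
// walking the object tree. Assumes a little-endian host (the wire order).
struct FrameInfo {
  uint32_t segmentCount;
  uint64_t totalWords;   // sum of segment sizes; holes inside segments count too
  uint64_t headerBytes;  // segment table, padded to a whole number of 8-byte words
};

static uint32_t readLE32(const uint8_t* p) { uint32_t v; std::memcpy(&v, p, 4); return v; }

// Stream framing: uint32 (segmentCount - 1), then one uint32 size per segment,
// padded to 8 bytes. Returns nullopt if the header is truncated or the summed
// size exceeds `limitWords`, rejecting a hostile header before any segment
// data is read or traversed.
std::optional<FrameInfo> measureFrame(const std::vector<uint8_t>& buf, uint64_t limitWords) {
  if (buf.size() < 4) return std::nullopt;
  uint64_t count = uint64_t(readLE32(buf.data())) + 1;
  if (count > limitWords) return std::nullopt;  // that many segments can't fit the budget
  uint64_t headerBytes = (4 + 4 * count + 7) / 8 * 8;
  if (buf.size() < headerBytes) return std::nullopt;
  uint64_t total = 0;
  for (uint64_t i = 0; i < count; ++i) {
    total += readLE32(buf.data() + 4 + 4 * i);  // no overflow: count * 2^32 < 2^64
    if (total > limitWords) return std::nullopt;  // stop early, no tree walk needed
  }
  return FrameInfo{uint32_t(count), total, headerBytes};
}

// Builds a frame for the given segment sizes with zero-filled segment data.
// Constructed test input; real segments would carry struct data and pointers.
std::vector<uint8_t> buildFrame(const std::vector<uint32_t>& sizesInWords) {
  std::vector<uint8_t> out;
  auto put32 = [&](uint32_t v) { out.resize(out.size() + 4); std::memcpy(&out[out.size() - 4], &v, 4); };
  put32(uint32_t(sizesInWords.size() - 1));
  uint64_t words = 0;
  for (uint32_t s : sizesInWords) { put32(s); words += s; }
  while (out.size() % 8 != 0) out.push_back(0);
  out.resize(out.size() + words * 8, 0);
  return out;
}
```

Because the sum covers whole segments, it also counts padding and unreferenced words that a tree walk would never visit, which is the point the commit makes about a malicious peer.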
- 05 Aug, 2018 1 commit
Kenton Varda authored
So far this is only a small subset of all the STL uses.
- 16 Apr, 2017 1 commit
Kenton Varda authored
Refactor bounds checks to avoid ever creating out-of-bounds pointer values, which is technically UB even if not dereferenced.
- 30 Mar, 2017 1 commit
Kenton Varda authored
- 24 Mar, 2017 1 commit
Kenton Varda authored
See: https://capnproto.org/news/2015-03-02-security-advisory-and-integer-overflow-protection.html This commit as-is is the result of wading through two years of merge conflicts. It does not build as-is because new code added in that time hasn't been converted over.
- 03 Jul, 2015 1 commit
Kenton Varda authored
**The problem**

The methods MessageReader::initCapTable() and MessageBuilder::getCapTable() always felt rather hacky. initCapTable() in particular feels like something that should be handled by the constructor. However, in practice, the cap table is often initialized based on a table encoded within the message itself. That is, an RPC message contains a "payload" which includes both the application-level message structure and a table of capabilities. The cap table has to be processed first, then initCapTable() is called on the overall message, before the application structure can safely be read.

The really weird part about this is that even though the cap table only applies to one branch of the message (the payload), it is set on the *whole* MessageReader. This implies, for example, that it would be impossible to have a message that contains multiple payloads. We haven't had any need for such a thing, but an implementation that has such artificial limitations feels very wrong. MessageBuilder has similar issues going in the opposite direction.

All of this ugliness potentially gets worse when we introduce "membranes". We want a way to intercept capabilities as they are being read from or written to an RPC payload. Currently, the only plausible way to do that is, again, to apply a transformation to all capabilities in the message. In practice it seems like this would work out OK, but it again feels wrong -- we really want to take a single Reader or Builder and "wrap" it so that transformations are applied on capabilities read/written through it.

**The solution**

This change fixes the problem by adding a new pointer to each struct/list Reader/Builder that tracks the current cap table. So, now a Reader or Builder for a particular sub-object can be "imbued" with a cap table without affecting any other existing Readers/Builders pointing into the same message. The cap table is inherited by child Readers/Builders obtained through the original one.

This approach matches up nicely with membranes, which should make their implementation nice and clean. This change unfortunately means that Readers and Builders are now bigger, possibly with some performance impact.
- 10 Dec, 2014 1 commit
Kenton Varda authored
- 26 Oct, 2014 1 commit
Kenton Varda authored
To use, pass --disable-reflection to the configure script. This produces a smaller runtime library. However, using it for this purpose is not recommended. The main purpose of lite mode is to define a subset of Cap'n Proto which might plausibly compile under MSVC. MSVC still lacks full support for constexpr and expression SFINAE; luckily, most of our use of these things relates to reflection, and not all users need reflection.

Cap'n Proto lite mode inherits its name from Protocol Buffers' lite mode. However, there are some key differences:

- Protobuf generated code included global constructors related to registering descriptors and extensions. For many people, this was the main reason to use lite mode: to get rid of these global constructors and achieve faster startup times. Cap'n Proto, on the other hand, never had global constructors in the first place.
- Schemas are actually still available in lite mode, though only in their raw (Cap'n Proto structure) form. Only the schema API (which wraps the raw schemas in a more convenient interface) and reflection API (which offers a convenient way to use the schemas) are unavailable.
- Lite mode is enabled in an application by defining CAPNP_LITE rather than by specifying an annotation in the schema file. This better reflects real-world usage patterns, where you typically want to enable lite mode application-wide anyway.
- We do not build the lite mode library by default. You must request it by passing --disable-reflection to the configure script. Before you can do that, you must have a prebuilt Cap'n Proto compiler binary available, since the compiler can't be built without reflection.
- Relatedly, the lite mode library is built with the same name as the full library. This library is not intended to be installed. If anything it should be statically linked. But, mostly the option only exists on non-MSVC platforms to give us a way to test that we haven't broken lite mode.
- 20 Jun, 2014 1 commit
Kenton Varda authored
For portions currently copyright by Kenton (most of it), transfer copyright to Sandstorm Development Group, Inc. (Kenton's company). The license change is practically meaningless, as MIT and BSD 2-clause are legally equivalent. However, the BSD 2-clause license is sometimes confused for its ugly siblings, BSD 3-clause and BSD 4-clause. The MIT license is more immediately recognizable for what it is. Rémy Blank and Jason Choy (the two non-trivial contributors) are on record as approving this change: https://groups.google.com/d/msg/capnproto/xXDd2HUOCcc/gbe_COIuXKYJ
- 12 Mar, 2014 1 commit
Kenton Varda authored
Make it possible for a message builder to incorporate a byte array not owned by it without copying. Useful for injecting large data blobs into a message without copying their contents. Access this functionality through the Orphanage interface.
- 11 Dec, 2013 1 commit
Kenton Varda authored
Eliminate the concept of imbuing messages in favor of the simpler concept of setting a cap table directly on MessageReader / getting one from MessageBuilder. This eliminates capability-context entirely. This was made possible by the earlier change which moved capabilities to a separate table rather than storing CapDescriptors inline, but I didn't realize it at the time.
- 10 Dec, 2013 1 commit
Kenton Varda authored
Hack to make it safe to read capabilities from default values (returning broken caps) without introducing a dependency from libcapnp on libcapnp-rpc.
- 06 Dec, 2013 1 commit
Kenton Varda authored
Change capability pointers to be indexes into a separate cap list so that CapDescriptors can be interpreted on receipt rather than delaying until the application actually traverses the message. This massively simplifies a lot of things.
- 30 Nov, 2013 2 commits
Kenton Varda authored
Kenton Varda authored
Eliminate the ability to have multiple threads working on building the same message -- performance penalty is too large, and applies even to single-threaded users.
- 28 Nov, 2013 1 commit
Kenton Varda authored
Revamp concurrency model, part 1: EventLoop no longer allows cross-thread event queuing, simplifying many things. Capability clients are no longer thread-safe, so they don't have to be so const. In the future, explicit ways to communicate between threads will be re-added, but threads will be treated more like separate vats that just happen to have a particularly fat pipe. Upcoming: Remove mutexes.
- 12 Nov, 2013 2 commits
Kenton Varda authored
Kenton Varda authored
Spin off libraries kj-async and capnp-rpc, so that people who don't want them can avoid their large footprint.
- 31 Oct, 2013 1 commit
Kenton Varda authored
- 22 Oct, 2013 1 commit
Kenton Varda authored
- 15 Oct, 2013 2 commits
Kenton Varda authored
Kenton Varda authored
- 12 Oct, 2013 1 commit
Kenton Varda authored
- 11 Oct, 2013 2 commits
Kenton Varda authored
Kenton Varda authored
Refactor capability code using fork. Still too much refcounting, though. Maybe this calls for a different design for pipelining...
- 08 Oct, 2013 1 commit
Kenton Varda authored
- 04 Oct, 2013 1 commit
Kenton Varda authored
- 02 Oct, 2013 1 commit
Kenton Varda authored
Interface code generation. Also update method grammar to allow multiple returns, and allow specifying request/response structs instead of parameter lists.
- 29 Sep, 2013 1 commit
Kenton Varda authored
- 25 Sep, 2013 1 commit
Kenton Varda authored
- 28 Aug, 2013 1 commit
Kenton Varda authored
- 24 Jul, 2013 1 commit
David Renshaw authored
- 22 Jul, 2013 1 commit
Kenton Varda authored
- 07 Jun, 2013 1 commit
Kenton Varda authored
Mark every destructor "noexcept(false)" unless it is very clearly noexcept. The change in C++11 making destructors default-noexcept was a mistake.
- 06 Jun, 2013 5 commits
Kenton Varda authored
Kenton Varda authored
Kenton Varda authored
Kenton Varda authored
Kenton Varda authored
- 04 Jun, 2013 1 commit
Kenton Varda authored