1. 23 Jul, 2015 2 commits
    • Kenton Varda's avatar
      Fix link errors. · 96e9663a
      Kenton Varda authored
      96e9663a
    • Kenton Varda's avatar
      Fix bug causing exception: "'Disembargo' of type 'senderLoopback' sent to an… · d4cd01e9
      Kenton Varda authored
      Fix bug causing exception: "'Disembargo' of type 'senderLoopback' sent to an object that does not point back to the sender."
      
      The problem happened when pipelined calls were made on a promised capability, but then that capability turned out to be null. The promise resolving code incorrectly interpreted this as the remote promise having resolved to a local capability (because the "null" stub capability looks local), and so it would send a Disembargo message to flush the pipeline as required. However, the remote end would receive this Disembargo message and find it is addressed to a null capability, not a capability pointing back to the sender. This was treated as a protocol error, causing the receiver to close the connection.
      
      The solution is to explicitly identity "null" capabilities so that we can distinguish this case. This change also has the benefit that now when you copy a null capability between messages with foo.setCap(bar.getCap()), the pointer will be set null in the destination, rather than becoming a reference to a local broken capability.
      
      Thanks to David Renshaw for narrowing this down.
      d4cd01e9
  2. 03 Jul, 2015 1 commit
    • Kenton Varda's avatar
      Refactor how messages are imbued with a capability table. · 5413038b
      Kenton Varda authored
      **The problem**
      
      The methods MessageReader::initCapTable() and MessageBuilder::getCapTable() always felt rather hacky. initCapTable() in particular feels like something that should be handled by the constructor. However, in practice, the cap table is often initialized based on a table encoded within the message itself. That is, an RPC message contains a "payload" which includes both the application-level message structure and a table of capabilities. The cap table has to be processed first, then initCapTable() is called on the overall message, before the application structure can safely be read.
      
      The really weird part about this is that even though the cap table only applies to one branch of the message (the payload), it is set on the *whole* MessageReader. This implies, for example, that it would be impossible to have a message that contains multiple payloads. We haven't had any need for such a thing, but an implemnetation that has such artificial limitations feels very wrong.
      
      MessageBuilder has similar issues going in the opposite direction.
      
      All of this ugliness potentially gets worse when we introduce "membranes". We want a way to intercept capabilities as they are being read from or written to an RPC payload. Currently, the only plausible way to do that is, again, to apply a transformation to all capabilities in the message. In practice it seems like this would work out OK, but it again feels wrong -- we really want to take a single Reader or Builder and "wrap" it so that transformations are applied on capabilities read/written through it.
      
      **The solution**
      
      This change fixes the problem by adding a new pointer to each struct/list Reader/Builder that tracks the current cap table. So, now a Reader or Builder for a particular sub-object can be "imbued" with a cap table without affecting any other existing Readers/Builders pointing into the same message. The cap table is inherited by child Readers/Builders obtained through the original one.
      
      This approach matches up nicely with membranes, which should make their implementation nice and clean.
      
      This change unfortunately means that Readers and Builders are now bigger, possibly with some performance impact.
      5413038b
  3. 07 May, 2015 1 commit
  4. 29 Apr, 2015 1 commit
  5. 04 Apr, 2015 1 commit
  6. 22 Mar, 2015 1 commit
  7. 15 Mar, 2015 1 commit
  8. 29 Nov, 2014 2 commits
  9. 24 Oct, 2014 1 commit
  10. 20 Jun, 2014 1 commit
    • Kenton Varda's avatar
      Change license to MIT. · 889204fe
      Kenton Varda authored
      For portions currently copyright by Kenton (most of it), transfer copyright to Sandstorm Development Group, Inc. (Kenton's company).
      
      The license change is practically meaningless, as MIT and BSD 2-clause are legally equivalent. However, the BSD 2-clause license is sometimes confused for its ugly siblings, BSD 3-clause and BSD 4-clause. The MIT license is more immediately recognizeable for what it is.
      
      Rémy Blank and Jason Choy (the two non-trivial contributors) are on record as approving this change:
      
      https://groups.google.com/d/msg/capnproto/xXDd2HUOCcc/gbe_COIuXKYJ
      889204fe
  11. 11 Feb, 2014 1 commit
  12. 25 Jan, 2014 1 commit
  13. 11 Dec, 2013 1 commit
    • Kenton Varda's avatar
      Eliminate the concept of imbuing messages in favor of the simpler concept of… · 3c7efbb4
      Kenton Varda authored
      Eliminate the concept of imbuing messages in favor of the simpler concept of setting a cap table directly on MessageReader / getting one from MessageBuilder.  This eliminates capability-context entirely.  This was made possible by the earlier change which moved capabilities to a separate table rather than storing CapDescriptors inline, but I didn't realize it at the time.
      3c7efbb4
  14. 10 Dec, 2013 1 commit
  15. 06 Dec, 2013 2 commits
  16. 05 Dec, 2013 2 commits
  17. 30 Nov, 2013 3 commits
  18. 29 Nov, 2013 1 commit
  19. 28 Nov, 2013 1 commit
    • Kenton Varda's avatar
      Revamp concurrency model, part 1: EventLoop no longer allows cross-thread event… · 7921c854
      Kenton Varda authored
      Revamp concurrency model, part 1:  EventLoop no longer allows cross-thread event queuing, simplifying many things.  Capability clients are no longer thread-safe, so they don't have to be so const.  In the future, explicit ways to communicate between threads will be re-added, but threads will be treated more like separate vats that just happen to have a particularly fat pipe.  Upcoming:  Remove mutexes.
      7921c854
  20. 26 Nov, 2013 4 commits
  21. 25 Nov, 2013 2 commits
  22. 23 Nov, 2013 1 commit
  23. 22 Nov, 2013 1 commit
  24. 21 Nov, 2013 1 commit
  25. 15 Nov, 2013 1 commit
  26. 12 Nov, 2013 1 commit
  27. 31 Oct, 2013 1 commit
  28. 23 Oct, 2013 1 commit
  29. 22 Oct, 2013 1 commit
  30. 15 Oct, 2013 1 commit