1 // Copyright 2013 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file.
4
5 // TODO(vtl): I currently potentially overflow in doing index calculations.
6 // E.g., |start_index_| and |current_num_bytes_| fit into a |uint32_t|, but
7 // their sum may not. This is bad and poses a security risk. (We're currently
8 // saved by the limit on capacity -- the maximum size of the buffer, checked in
9 // |DataPipe::ValidateOptions()|, is currently sufficiently small.
10
11 #include "mojo/system/local_data_pipe.h"
12
13 #include <string.h>
14
15 #include <algorithm>
16
17 #include "base/logging.h"
18 #include "mojo/system/constants.h"
19
20 namespace mojo {
21 namespace system {
22
LocalDataPipe(const MojoCreateDataPipeOptions & options)23 LocalDataPipe::LocalDataPipe(const MojoCreateDataPipeOptions& options)
24 : DataPipe(true, true, options),
25 start_index_(0),
26 current_num_bytes_(0) {
27 // Note: |buffer_| is lazily allocated, since a common case will be that one
28 // of the handles is immediately passed off to another process.
29 }
30
~LocalDataPipe()31 LocalDataPipe::~LocalDataPipe() {
32 }
33
ProducerCloseImplNoLock()34 void LocalDataPipe::ProducerCloseImplNoLock() {
35 // If the consumer is still open and we still have data, we have to keep the
36 // buffer around. Currently, we won't free it even if it empties later. (We
37 // could do this -- requiring a check on every read -- but that seems to be
38 // optimizing for the uncommon case.)
39 if (!consumer_open_no_lock() || !current_num_bytes_) {
40 // Note: There can only be a two-phase *read* (by the consumer) if we still
41 // have data.
42 DCHECK(!consumer_in_two_phase_read_no_lock());
43 DestroyBufferNoLock();
44 }
45 }
46
ProducerWriteDataImplNoLock(const void * elements,uint32_t * num_bytes,bool all_or_none)47 MojoResult LocalDataPipe::ProducerWriteDataImplNoLock(const void* elements,
48 uint32_t* num_bytes,
49 bool all_or_none) {
50 DCHECK_EQ(*num_bytes % element_num_bytes(), 0u);
51 DCHECK_GT(*num_bytes, 0u);
52 DCHECK(consumer_open_no_lock());
53
54 size_t num_bytes_to_write = 0;
55 if (may_discard()) {
56 if (all_or_none && *num_bytes > capacity_num_bytes())
57 return MOJO_RESULT_OUT_OF_RANGE;
58
59 num_bytes_to_write = std::min(static_cast<size_t>(*num_bytes),
60 capacity_num_bytes());
61 if (num_bytes_to_write > capacity_num_bytes() - current_num_bytes_) {
62 // Discard as much as needed (discard oldest first).
63 MarkDataAsConsumedNoLock(
64 num_bytes_to_write - (capacity_num_bytes() - current_num_bytes_));
65 // No need to wake up write waiters, since we're definitely going to leave
66 // the buffer full.
67 }
68 } else {
69 if (all_or_none && *num_bytes > capacity_num_bytes() - current_num_bytes_) {
70 // Don't return "should wait" since you can't wait for a specified amount
71 // of data.
72 return MOJO_RESULT_OUT_OF_RANGE;
73 }
74
75 num_bytes_to_write = std::min(static_cast<size_t>(*num_bytes),
76 capacity_num_bytes() - current_num_bytes_);
77 }
78 if (num_bytes_to_write == 0)
79 return MOJO_RESULT_SHOULD_WAIT;
80
81 // The amount we can write in our first |memcpy()|.
82 size_t num_bytes_to_write_first =
83 std::min(num_bytes_to_write, GetMaxNumBytesToWriteNoLock());
84 // Do the first (and possibly only) |memcpy()|.
85 size_t first_write_index =
86 (start_index_ + current_num_bytes_) % capacity_num_bytes();
87 EnsureBufferNoLock();
88 memcpy(buffer_.get() + first_write_index, elements, num_bytes_to_write_first);
89
90 if (num_bytes_to_write_first < num_bytes_to_write) {
91 // The "second write index" is zero.
92 memcpy(buffer_.get(),
93 static_cast<const char*>(elements) + num_bytes_to_write_first,
94 num_bytes_to_write - num_bytes_to_write_first);
95 }
96
97 current_num_bytes_ += num_bytes_to_write;
98 DCHECK_LE(current_num_bytes_, capacity_num_bytes());
99 *num_bytes = static_cast<uint32_t>(num_bytes_to_write);
100 return MOJO_RESULT_OK;
101 }
102
ProducerBeginWriteDataImplNoLock(void ** buffer,uint32_t * buffer_num_bytes,bool all_or_none)103 MojoResult LocalDataPipe::ProducerBeginWriteDataImplNoLock(
104 void** buffer,
105 uint32_t* buffer_num_bytes,
106 bool all_or_none) {
107 DCHECK(consumer_open_no_lock());
108
109 // The index we need to start writing at.
110 size_t write_index =
111 (start_index_ + current_num_bytes_) % capacity_num_bytes();
112
113 size_t max_num_bytes_to_write = GetMaxNumBytesToWriteNoLock();
114 if (all_or_none && *buffer_num_bytes > max_num_bytes_to_write) {
115 // In "may discard" mode, we can always write from the write index to the
116 // end of the buffer.
117 if (may_discard() &&
118 *buffer_num_bytes <= capacity_num_bytes() - write_index) {
119 // To do so, we need to discard an appropriate amount of data.
120 // We should only reach here if the start index is after the write index!
121 DCHECK_GE(start_index_, write_index);
122 DCHECK_GT(*buffer_num_bytes - max_num_bytes_to_write, 0u);
123 MarkDataAsConsumedNoLock(*buffer_num_bytes - max_num_bytes_to_write);
124 max_num_bytes_to_write = *buffer_num_bytes;
125 } else {
126 // Don't return "should wait" since you can't wait for a specified amount
127 // of data.
128 return MOJO_RESULT_OUT_OF_RANGE;
129 }
130 }
131
132 // Don't go into a two-phase write if there's no room.
133 if (max_num_bytes_to_write == 0)
134 return MOJO_RESULT_SHOULD_WAIT;
135
136 EnsureBufferNoLock();
137 *buffer = buffer_.get() + write_index;
138 *buffer_num_bytes = static_cast<uint32_t>(max_num_bytes_to_write);
139 set_producer_two_phase_max_num_bytes_written_no_lock(
140 static_cast<uint32_t>(max_num_bytes_to_write));
141 return MOJO_RESULT_OK;
142 }
143
ProducerEndWriteDataImplNoLock(uint32_t num_bytes_written)144 MojoResult LocalDataPipe::ProducerEndWriteDataImplNoLock(
145 uint32_t num_bytes_written) {
146 DCHECK_LE(num_bytes_written,
147 producer_two_phase_max_num_bytes_written_no_lock());
148 current_num_bytes_ += num_bytes_written;
149 DCHECK_LE(current_num_bytes_, capacity_num_bytes());
150 set_producer_two_phase_max_num_bytes_written_no_lock(0);
151 return MOJO_RESULT_OK;
152 }
153
ProducerGetHandleSignalsStateNoLock() const154 HandleSignalsState LocalDataPipe::ProducerGetHandleSignalsStateNoLock() const {
155 HandleSignalsState rv;
156 if (consumer_open_no_lock()) {
157 if ((may_discard() || current_num_bytes_ < capacity_num_bytes()) &&
158 !producer_in_two_phase_write_no_lock())
159 rv.satisfied_signals |= MOJO_HANDLE_SIGNAL_WRITABLE;
160 rv.satisfiable_signals |= MOJO_HANDLE_SIGNAL_WRITABLE;
161 }
162 return rv;
163 }
164
ConsumerCloseImplNoLock()165 void LocalDataPipe::ConsumerCloseImplNoLock() {
166 // If the producer is around and in a two-phase write, we have to keep the
167 // buffer around. (We then don't free it until the producer is closed. This
168 // could be rectified, but again seems like optimizing for the uncommon case.)
169 if (!producer_open_no_lock() || !producer_in_two_phase_write_no_lock())
170 DestroyBufferNoLock();
171 current_num_bytes_ = 0;
172 }
173
ConsumerReadDataImplNoLock(void * elements,uint32_t * num_bytes,bool all_or_none)174 MojoResult LocalDataPipe::ConsumerReadDataImplNoLock(void* elements,
175 uint32_t* num_bytes,
176 bool all_or_none) {
177 DCHECK_EQ(*num_bytes % element_num_bytes(), 0u);
178 DCHECK_GT(*num_bytes, 0u);
179
180 if (all_or_none && *num_bytes > current_num_bytes_) {
181 // Don't return "should wait" since you can't wait for a specified amount of
182 // data.
183 return producer_open_no_lock() ? MOJO_RESULT_OUT_OF_RANGE :
184 MOJO_RESULT_FAILED_PRECONDITION;
185 }
186
187 size_t num_bytes_to_read =
188 std::min(static_cast<size_t>(*num_bytes), current_num_bytes_);
189 if (num_bytes_to_read == 0) {
190 return producer_open_no_lock() ? MOJO_RESULT_SHOULD_WAIT :
191 MOJO_RESULT_FAILED_PRECONDITION;
192 }
193
194 // The amount we can read in our first |memcpy()|.
195 size_t num_bytes_to_read_first =
196 std::min(num_bytes_to_read, GetMaxNumBytesToReadNoLock());
197 memcpy(elements, buffer_.get() + start_index_, num_bytes_to_read_first);
198
199 if (num_bytes_to_read_first < num_bytes_to_read) {
200 // The "second read index" is zero.
201 memcpy(static_cast<char*>(elements) + num_bytes_to_read_first,
202 buffer_.get(),
203 num_bytes_to_read - num_bytes_to_read_first);
204 }
205
206 MarkDataAsConsumedNoLock(num_bytes_to_read);
207 *num_bytes = static_cast<uint32_t>(num_bytes_to_read);
208 return MOJO_RESULT_OK;
209 }
210
ConsumerDiscardDataImplNoLock(uint32_t * num_bytes,bool all_or_none)211 MojoResult LocalDataPipe::ConsumerDiscardDataImplNoLock(uint32_t* num_bytes,
212 bool all_or_none) {
213 DCHECK_EQ(*num_bytes % element_num_bytes(), 0u);
214 DCHECK_GT(*num_bytes, 0u);
215
216 if (all_or_none && *num_bytes > current_num_bytes_) {
217 // Don't return "should wait" since you can't wait for a specified amount of
218 // data.
219 return producer_open_no_lock() ? MOJO_RESULT_OUT_OF_RANGE :
220 MOJO_RESULT_FAILED_PRECONDITION;
221 }
222
223 // Be consistent with other operations; error if no data available.
224 if (current_num_bytes_ == 0) {
225 return producer_open_no_lock() ? MOJO_RESULT_SHOULD_WAIT :
226 MOJO_RESULT_FAILED_PRECONDITION;
227 }
228
229 size_t num_bytes_to_discard =
230 std::min(static_cast<size_t>(*num_bytes), current_num_bytes_);
231 MarkDataAsConsumedNoLock(num_bytes_to_discard);
232 *num_bytes = static_cast<uint32_t>(num_bytes_to_discard);
233 return MOJO_RESULT_OK;
234 }
235
ConsumerQueryDataImplNoLock(uint32_t * num_bytes)236 MojoResult LocalDataPipe::ConsumerQueryDataImplNoLock(uint32_t* num_bytes) {
237 // Note: This cast is safe, since the capacity fits into a |uint32_t|.
238 *num_bytes = static_cast<uint32_t>(current_num_bytes_);
239 return MOJO_RESULT_OK;
240 }
241
ConsumerBeginReadDataImplNoLock(const void ** buffer,uint32_t * buffer_num_bytes,bool all_or_none)242 MojoResult LocalDataPipe::ConsumerBeginReadDataImplNoLock(
243 const void** buffer,
244 uint32_t* buffer_num_bytes,
245 bool all_or_none) {
246 size_t max_num_bytes_to_read = GetMaxNumBytesToReadNoLock();
247 if (all_or_none && *buffer_num_bytes > max_num_bytes_to_read) {
248 // Don't return "should wait" since you can't wait for a specified amount of
249 // data.
250 return producer_open_no_lock() ? MOJO_RESULT_OUT_OF_RANGE :
251 MOJO_RESULT_FAILED_PRECONDITION;
252 }
253
254 // Don't go into a two-phase read if there's no data.
255 if (max_num_bytes_to_read == 0) {
256 return producer_open_no_lock() ? MOJO_RESULT_SHOULD_WAIT :
257 MOJO_RESULT_FAILED_PRECONDITION;
258 }
259
260 *buffer = buffer_.get() + start_index_;
261 *buffer_num_bytes = static_cast<uint32_t>(max_num_bytes_to_read);
262 set_consumer_two_phase_max_num_bytes_read_no_lock(
263 static_cast<uint32_t>(max_num_bytes_to_read));
264 return MOJO_RESULT_OK;
265 }
266
ConsumerEndReadDataImplNoLock(uint32_t num_bytes_read)267 MojoResult LocalDataPipe::ConsumerEndReadDataImplNoLock(
268 uint32_t num_bytes_read) {
269 DCHECK_LE(num_bytes_read, consumer_two_phase_max_num_bytes_read_no_lock());
270 DCHECK_LE(start_index_ + num_bytes_read, capacity_num_bytes());
271 MarkDataAsConsumedNoLock(num_bytes_read);
272 set_consumer_two_phase_max_num_bytes_read_no_lock(0);
273 return MOJO_RESULT_OK;
274 }
275
ConsumerGetHandleSignalsStateNoLock() const276 HandleSignalsState LocalDataPipe::ConsumerGetHandleSignalsStateNoLock() const {
277 HandleSignalsState rv;
278 if (current_num_bytes_ > 0) {
279 if (!consumer_in_two_phase_read_no_lock())
280 rv.satisfied_signals |= MOJO_HANDLE_SIGNAL_READABLE;
281 rv.satisfiable_signals |= MOJO_HANDLE_SIGNAL_READABLE;
282 } else if (producer_open_no_lock()) {
283 rv.satisfiable_signals |= MOJO_HANDLE_SIGNAL_READABLE;
284 }
285 return rv;
286 }
287
EnsureBufferNoLock()288 void LocalDataPipe::EnsureBufferNoLock() {
289 DCHECK(producer_open_no_lock());
290 if (buffer_.get())
291 return;
292 buffer_.reset(static_cast<char*>(
293 base::AlignedAlloc(capacity_num_bytes(), kDataPipeBufferAlignmentBytes)));
294 }
295
DestroyBufferNoLock()296 void LocalDataPipe::DestroyBufferNoLock() {
297 #ifndef NDEBUG
298 // Scribble on the buffer to help detect use-after-frees. (This also helps the
299 // unit test detect certain bugs without needing ASAN or similar.)
300 if (buffer_.get())
301 memset(buffer_.get(), 0xcd, capacity_num_bytes());
302 #endif
303 buffer_.reset();
304 }
305
GetMaxNumBytesToWriteNoLock()306 size_t LocalDataPipe::GetMaxNumBytesToWriteNoLock() {
307 size_t next_index = start_index_ + current_num_bytes_;
308 if (next_index >= capacity_num_bytes()) {
309 next_index %= capacity_num_bytes();
310 DCHECK_GE(start_index_, next_index);
311 DCHECK_EQ(start_index_ - next_index,
312 capacity_num_bytes() - current_num_bytes_);
313 return start_index_ - next_index;
314 }
315 return capacity_num_bytes() - next_index;
316 }
317
GetMaxNumBytesToReadNoLock()318 size_t LocalDataPipe::GetMaxNumBytesToReadNoLock() {
319 if (start_index_ + current_num_bytes_ > capacity_num_bytes())
320 return capacity_num_bytes() - start_index_;
321 return current_num_bytes_;
322 }
323
MarkDataAsConsumedNoLock(size_t num_bytes)324 void LocalDataPipe::MarkDataAsConsumedNoLock(size_t num_bytes) {
325 DCHECK_LE(num_bytes, current_num_bytes_);
326 start_index_ += num_bytes;
327 start_index_ %= capacity_num_bytes();
328 current_num_bytes_ -= num_bytes;
329 }
330
331 } // namespace system
332 } // namespace mojo
333