Mojo: Report bindings validation errors via MojoNotifyBadMessage

mojo/public/cpp/bindings/message.h

 // Copyright 2014 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #ifndef MOJO_PUBLIC_CPP_BINDINGS_MESSAGE_H_
 #define MOJO_PUBLIC_CPP_BINDINGS_MESSAGE_H_
 
 #include <stddef.h>
 #include <stdint.h>
 
 #include <limits>
 #include <memory>
+#include <string>
 #include <vector>
 
 #include "base/logging.h"
 #include "mojo/public/cpp/bindings/lib/message_buffer.h"
 #include "mojo/public/cpp/bindings/lib/message_internal.h"
 #include "mojo/public/cpp/system/message.h"
 
 namespace mojo {
 
 // Message is a holder for the data and handles to be sent over a MessagePipe.
@@ skipping 69 matching lines @@
   std::vector<Handle>* mutable_handles() { return &handles_; }
 
   // Access the underlying Buffer interface.
   internal::Buffer* buffer() { return buffer_.get(); }
 
   // Takes a scoped MessageHandle which may be passed to |WriteMessageNew()| for
   // transmission. Note that this invalidates this Message object, taking
   // ownership of its internal storage and any attached handles.
   ScopedMessageHandle TakeMojoMessage();
 
+  // Notifies the system that this message is "bad," in this case meaning it was
+  // rejected by bindings validation code.
+  void NotifyBadMessage(const std::string& error);
+
  private:
   void CloseHandles();
 
   std::unique_ptr<internal::MessageBuffer> buffer_;
   std::vector<Handle> handles_;
 
   DISALLOW_COPY_AND_ASSIGN(Message);
 };
 
 class MessageReceiver {
  public:
+  // The result of an Accept() or related operation.
+  class Result {
+   public:
+    enum class Type {
+      // The message was accepted successfully.
+      SUCCESS,
+
+      // A request was dropped because it didn't have a bound receiver after
+      // being read from a pipe. This may be raised on the receiving end of a
+      // request.
+      REQUEST_DROPPED,
+
+      // A request expecting a response has become impossible to fulfill (i.e.
+      // a response callback was destroyed without being Run.) This may be
+      // raised on the receiving side of a request, i.e. the responder.
+      RESPONSE_DROPPED,
+
+      // A message could not be sent for some reason, e.g., peer closure
+      // detected on a pipe.
+      SEND_FAILED,
+
+      // An unexpected or malformed message was received.
+      BAD_MESSAGE,
+
+      // An unknown error occurred. This may be raised in exceptional cases,
+      // e.g. when an code is reached which should be unreachable.

[yzshen1, 2016/06/15 16:22:33]

nit: an code ->  some code ?

+      UNKNOWN_ERROR,
+    };
+
+    explicit Result(Type type);
+    Result(Type type, const std::string& details);
+    Result(Result&& other);
+
+    ~Result();
+
+    Result& operator=(Result&& other);
+
+    // Set the Message object associated with this result, if any. Takes
+    // ownership of the contents of |*message|.
+    void set_message(Message* message) {
+      DCHECK(message);
+      message->MoveTo(&message_);
+    }
+
+    bool Succeeded() const { return type_ == Type::SUCCESS; }
+
+    Type type() const { return type_; }
+    const std::string& details() const { return details_; }
+    Message& message() { return message_; }
+
+    static Result ForSuccess() { return Result(Type::SUCCESS); }
+    static Result ForUnknownError() { return Result(Type::UNKNOWN_ERROR); }
+
+    static Result ForBadMessage(const std::string& details, Message* message);
+    static Result ForBadRequest(const std::string& interface_name,
+                                const std::string& method_name,
+                                Message* message);
+    static Result ForBadResponse(const std::string& interface_name,
+                                 const std::string& method_name,
+                                 Message* message);
+    static Result ForUnexpectedRequest(const std::string& interface_name,
+                                       Message* message);
+    static Result ForUnexpectedResponse(const std::string& interface_name,
+                                        Message* message);
+    static Result ForBadControlMessage(const std::string& interface_name,
+                                       Message* message);
+
+   private:
+    Type type_;
+    std::string details_;
+    Message message_;
+
+    DISALLOW_COPY_AND_ASSIGN(Result);
+  };
+
   virtual ~MessageReceiver() {}
 
   // The receiver may mutate the given message.  Returns true if the message

[yzshen1, 2016/06/15 16:22:33]

Please update the comment about the return value. (And also line 210 and 250)

   // was accepted and false otherwise, indicating that the message was invalid
   // or malformed.
-  virtual bool Accept(Message* message) WARN_UNUSED_RESULT = 0;
+  virtual Result Accept(Message* message) WARN_UNUSED_RESULT = 0;
 };
 
 class MessageReceiverWithResponder : public MessageReceiver {
  public:
   ~MessageReceiverWithResponder() override {}
 
   // A variant on Accept that registers a MessageReceiver (known as the
   // responder) to handle the response message generated from the given
   // message. The responder's Accept method may be called during
   // AcceptWithResponder or some time after its return.
   //
   // NOTE: Upon returning true, AcceptWithResponder assumes ownership of
   // |responder| and will delete it after calling |responder->Accept| or upon
   // its own destruction.
   //
   // TODO(yzshen): consider changing |responder| to
   // std::unique_ptr<MessageReceiver>.
-  virtual bool AcceptWithResponder(Message* message, MessageReceiver* responder)
+  virtual Result AcceptWithResponder(Message* message,
+                                     MessageReceiver* responder)
       WARN_UNUSED_RESULT = 0;
 };
 
 // A MessageReceiver that is also able to provide status about the state
 // of the underlying MessagePipe to which it will be forwarding messages
 // received via the |Accept()| call.
 class MessageReceiverWithStatus : public MessageReceiver {
  public:
   ~MessageReceiverWithStatus() override {}
 
@@ skipping 18 matching lines @@
   // the responder) to handle the response message generated from the given
   // message. Any of the responder's methods (Accept or IsValid) may be called
   // during  AcceptWithResponder or some time after its return.
   //
   // NOTE: Upon returning true, AcceptWithResponder assumes ownership of
   // |responder| and will delete it after calling |responder->Accept| or upon
   // its own destruction.
   //
   // TODO(yzshen): consider changing |responder| to
   // std::unique_ptr<MessageReceiver>.
-  virtual bool AcceptWithResponder(Message* message,
-                                   MessageReceiverWithStatus* responder)
+  virtual Result AcceptWithResponder(Message* message,
+                                     MessageReceiverWithStatus* responder)
       WARN_UNUSED_RESULT = 0;
 };
 
 // Read a single message from the pipe. The caller should have created the
 // Message, but not called Initialize(). Returns MOJO_RESULT_SHOULD_WAIT if
 // the caller should wait on the handle to become readable. Returns
 // MOJO_RESULT_OK if the message was read successfully and should be
 // dispatched, otherwise returns an error code if something went wrong.
 //
 // NOTE: The message hasn't been validated and may be malformed!
 MojoResult ReadMessage(MessagePipeHandle handle, Message* message);
 
 }  // namespace mojo
 
 #endif  // MOJO_PUBLIC_CPP_BINDINGS_MESSAGE_H_