Mojo: Specify/check alignment of pointers more carefully.

mojo/system/core.cc

 // Copyright 2013 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "mojo/system/core.h"
 
 #include <vector>
 
 #include "base/logging.h"
 #include "base/time/time.h"
+#include "mojo/public/c/system/macros.h"
 #include "mojo/system/constants.h"
 #include "mojo/system/data_pipe.h"
 #include "mojo/system/data_pipe_consumer_dispatcher.h"
 #include "mojo/system/data_pipe_producer_dispatcher.h"
 #include "mojo/system/dispatcher.h"
 #include "mojo/system/local_data_pipe.h"
 #include "mojo/system/memory.h"
 #include "mojo/system/message_pipe.h"
 #include "mojo/system/message_pipe_dispatcher.h"
 #include "mojo/system/raw_shared_buffer.h"
@@ skipping 98 matching lines @@
 MojoResult Core::Wait(MojoHandle handle,
                       MojoWaitFlags flags,
                       MojoDeadline deadline) {
   return WaitManyInternal(&handle, &flags, 1, deadline);
 }
 
 MojoResult Core::WaitMany(const MojoHandle* handles,
                           const MojoWaitFlags* flags,
                           uint32_t num_handles,
                           MojoDeadline deadline) {
-  if (!VerifyUserPointer<MojoHandle>(handles, num_handles))
+  if (!VerifyUserPointerWithCount<MojoHandle>(handles, num_handles))
     return MOJO_RESULT_INVALID_ARGUMENT;
-  if (!VerifyUserPointer<MojoWaitFlags>(flags, num_handles))
+  if (!VerifyUserPointerWithCount<MojoWaitFlags>(flags, num_handles))
     return MOJO_RESULT_INVALID_ARGUMENT;
   if (num_handles < 1)
     return MOJO_RESULT_INVALID_ARGUMENT;
   if (num_handles > kMaxWaitManyNumHandles)
     return MOJO_RESULT_RESOURCE_EXHAUSTED;
   return WaitManyInternal(handles, flags, num_handles, deadline);
 }
 
 MojoResult Core::CreateMessagePipe(MojoHandle* message_pipe_handle0,
                                    MojoHandle* message_pipe_handle1) {
-  if (!VerifyUserPointer<MojoHandle>(message_pipe_handle0, 1))
+  if (!VerifyUserPointer<MojoHandle>(message_pipe_handle0))
     return MOJO_RESULT_INVALID_ARGUMENT;
-  if (!VerifyUserPointer<MojoHandle>(message_pipe_handle1, 1))
+  if (!VerifyUserPointer<MojoHandle>(message_pipe_handle1))
     return MOJO_RESULT_INVALID_ARGUMENT;
 
   scoped_refptr<MessagePipeDispatcher> dispatcher0(new MessagePipeDispatcher());
   scoped_refptr<MessagePipeDispatcher> dispatcher1(new MessagePipeDispatcher());
 
   std::pair<MojoHandle, MojoHandle> handle_pair;
   {
     base::AutoLock locker(handle_table_lock_);
     handle_pair = handle_table_.AddDispatcherPair(dispatcher0, dispatcher1);
   }
@@ skipping 36 matching lines @@
     return dispatcher->WriteMessage(bytes, num_bytes, NULL, flags);
 
   // We have to handle |handles| here, since we have to mark them busy in the
   // global handle table. We can't delegate this to the dispatcher, since the
   // handle table lock must be acquired before the dispatcher lock.
   //
   // (This leads to an oddity: |handles|/|num_handles| are always verified for
   // validity, even for dispatchers that don't support |WriteMessage()| and will
   // simply return failure unconditionally. It also breaks the usual
   // left-to-right verification order of arguments.)
-  if (!VerifyUserPointer<MojoHandle>(handles, num_handles))
+  if (!VerifyUserPointerWithCount<MojoHandle>(handles, num_handles))
     return MOJO_RESULT_INVALID_ARGUMENT;
   if (num_handles > kMaxMessageNumHandles)
     return MOJO_RESULT_RESOURCE_EXHAUSTED;
 
   // We'll need to hold on to the dispatchers so that we can pass them on to
   // |WriteMessage()| and also so that we can unlock their locks afterwards
   // without accessing the handle table. These can be dumb pointers, since their
   // entries in the handle table won't get removed (since they'll be marked as
   // busy).
   std::vector<DispatcherTransport> transports(num_handles);
@@ skipping 32 matching lines @@
                              void* bytes,
                              uint32_t* num_bytes,
                              MojoHandle* handles,
                              uint32_t* num_handles,
                              MojoReadMessageFlags flags) {
   scoped_refptr<Dispatcher> dispatcher(GetDispatcher(message_pipe_handle));
   if (!dispatcher)
     return MOJO_RESULT_INVALID_ARGUMENT;
 
   if (num_handles) {
-    if (!VerifyUserPointer<uint32_t>(num_handles, 1))
+    if (!VerifyUserPointer<uint32_t>(num_handles))
       return MOJO_RESULT_INVALID_ARGUMENT;
-    if (!VerifyUserPointer<MojoHandle>(handles, *num_handles))
+    if (!VerifyUserPointerWithCount<MojoHandle>(handles, *num_handles))
       return MOJO_RESULT_INVALID_ARGUMENT;
   }
 
   // Easy case: won't receive any handles.
   if (!num_handles || *num_handles == 0)
     return dispatcher->ReadMessage(bytes, num_bytes, NULL, num_handles, flags);
 
   DispatcherVector dispatchers;
   MojoResult rv = dispatcher->ReadMessage(bytes, num_bytes,
                                           &dispatchers, num_handles,
@@ skipping 20 matching lines @@
   }
 
   return rv;
 }
 
 MojoResult Core::CreateDataPipe(const MojoCreateDataPipeOptions* options,
                                 MojoHandle* data_pipe_producer_handle,
                                 MojoHandle* data_pipe_consumer_handle) {
   if (options) {
     // The |struct_size| field must be valid to read.
-    if (!VerifyUserPointer<uint32_t>(&options->struct_size, 1))
+    if (!VerifyUserPointer<uint32_t>(&options->struct_size))
       return MOJO_RESULT_INVALID_ARGUMENT;
     // And then |options| must point to at least |options->struct_size| bytes.
-    if (!VerifyUserPointer<void>(options, options->struct_size))
+    if (!VerifyUserPointerWithSize<MOJO_ALIGNOF(int64_t)>(options,
+                                                          options->struct_size))
       return MOJO_RESULT_INVALID_ARGUMENT;
   }
-  if (!VerifyUserPointer<MojoHandle>(data_pipe_producer_handle, 1))
+  if (!VerifyUserPointer<MojoHandle>(data_pipe_producer_handle))
     return MOJO_RESULT_INVALID_ARGUMENT;
-  if (!VerifyUserPointer<MojoHandle>(data_pipe_consumer_handle, 1))
+  if (!VerifyUserPointer<MojoHandle>(data_pipe_consumer_handle))
     return MOJO_RESULT_INVALID_ARGUMENT;
 
   MojoCreateDataPipeOptions validated_options = { 0 };
   MojoResult result = DataPipe::ValidateOptions(options, &validated_options);
   if (result != MOJO_RESULT_OK)
     return result;
 
   scoped_refptr<DataPipeProducerDispatcher> producer_dispatcher(
       new DataPipeProducerDispatcher());
   scoped_refptr<DataPipeConsumerDispatcher> consumer_dispatcher(
@@ skipping 90 matching lines @@
 
   return dispatcher->EndReadData(num_bytes_read);
 }
 
 MojoResult Core::CreateSharedBuffer(
     const MojoCreateSharedBufferOptions* options,
     uint64_t num_bytes,
     MojoHandle* shared_buffer_handle) {
   if (options) {
     // The |struct_size| field must be valid to read.
-    if (!VerifyUserPointer<uint32_t>(&options->struct_size, 1))
+    if (!VerifyUserPointer<uint32_t>(&options->struct_size))
       return MOJO_RESULT_INVALID_ARGUMENT;
     // And then |options| must point to at least |options->struct_size| bytes.
-    if (!VerifyUserPointer<void>(options, options->struct_size))
+    if (!VerifyUserPointerWithSize<MOJO_ALIGNOF(int64_t)>(options,
+                                                          options->struct_size))
       return MOJO_RESULT_INVALID_ARGUMENT;
   }
-  if (!VerifyUserPointer<MojoHandle>(shared_buffer_handle, 1))
+  if (!VerifyUserPointer<MojoHandle>(shared_buffer_handle))
     return MOJO_RESULT_INVALID_ARGUMENT;
 
   MojoCreateSharedBufferOptions validated_options = { 0 };
   MojoResult result =
       SharedBufferDispatcher::ValidateOptions(options, &validated_options);
   if (result != MOJO_RESULT_OK)
     return result;
 
   scoped_refptr<SharedBufferDispatcher> dispatcher;
   result = SharedBufferDispatcher::Create(validated_options, num_bytes,
@@ skipping 16 matching lines @@
 
 MojoResult Core::DuplicateBufferHandle(
     MojoHandle buffer_handle,
     const MojoDuplicateBufferHandleOptions* options,
     MojoHandle* new_buffer_handle) {
   scoped_refptr<Dispatcher> dispatcher(GetDispatcher(buffer_handle));
   if (!dispatcher)
     return MOJO_RESULT_INVALID_ARGUMENT;
 
   // Don't verify |options| here; that's the dispatcher's job.
-  if (!VerifyUserPointer<MojoHandle>(new_buffer_handle, 1))
+  if (!VerifyUserPointer<MojoHandle>(new_buffer_handle))
     return MOJO_RESULT_INVALID_ARGUMENT;
 
   scoped_refptr<Dispatcher> new_dispatcher;
   MojoResult result = dispatcher->DuplicateBufferHandle(options,
                                                         &new_dispatcher);
   if (result != MOJO_RESULT_OK)
     return result;
 
   MojoHandle new_handle = AddDispatcher(new_dispatcher);
   if (new_handle == MOJO_HANDLE_INVALID) {
     LOG(ERROR) << "Handle table full";
     dispatcher->Close();
     return MOJO_RESULT_RESOURCE_EXHAUSTED;
   }
 
   *new_buffer_handle = new_handle;
   return MOJO_RESULT_OK;
 }
 
 MojoResult Core::MapBuffer(MojoHandle buffer_handle,
                            uint64_t offset,
                            uint64_t num_bytes,
                            void** buffer,
                            MojoMapBufferFlags flags) {
   scoped_refptr<Dispatcher> dispatcher(GetDispatcher(buffer_handle));
   if (!dispatcher)
     return MOJO_RESULT_INVALID_ARGUMENT;
 
-  if (!VerifyUserPointer<void*>(buffer, 1))
+  if (!VerifyUserPointerWithCount<void*>(buffer, 1))
     return MOJO_RESULT_INVALID_ARGUMENT;
 
   scoped_ptr<RawSharedBufferMapping> mapping;
   MojoResult result = dispatcher->MapBuffer(offset, num_bytes, flags, &mapping);
   if (result != MOJO_RESULT_OK)
     return result;
 
   DCHECK(mapping);
   void* address = mapping->base();
   {
@@ skipping 55 matching lines @@
   // |Wait()|/|WaitMany()| call. (Only after doing this can |waiter| be
   // destroyed, but this would still be required if the waiter were in TLS.)
   for (i = 0; i < num_added; i++)
     dispatchers[i]->RemoveWaiter(&waiter);
 
   return rv;
 }
 
 }  // namespace system
 }  // namespace mojo