Mojo: Change how we handle invalid pointer arguments (at the system layer).

Mojo: Change how we handle invalid pointer arguments (at the system layer).

This changes the semantics of the public system API: instead of
(attempting) to returning "invalid argument" (e.g., when you pass a null
pointer for a required argument), we'll crash/trap/kill you.

The reason for this is that it's not really sensible to check pointers
up front in the face of threads doing different things (e.g., memory
that is valid to read to/write from at the beginning of a call may not
be valid later).

As such, we wrap "user" pointers in a (new) |UserPointer<>| class, and
provide ways of accessing the memory that they refer to. We should never
pass around user pointers as plain pointers. (This careful treatment
will probably already be needed to properly support NaCl, for example.)

Still to do (but this change is already too big):
* Update comments (in mojo/public/c/system).
* Properly convert the remaining user pointers being passed around as
  plain pointers. This includes:
  * Getting rid of |GetPointerUnsafe()| and also the existing
    |VerifyUserPointer...()| functions.
  * Changing how we handle the various options structs.
  * Changing some of the |Dispatcher| interface.
* Write tests for |UserPointer<>|, etc.

R=darin@chromium.org

Committed: https://src.chromium.org/viewvc/chrome?view=rev&revision=285350

[darin (slow to review), 2014-07-24 16:55:38]

LGTM

https://codereview.chromium.org/418033005/diff/1/mojo/system/memory.h
File mojo/system/memory.h (right):

https://codereview.chromium.org/418033005/diff/1/mojo/system/memory.h#newcode22
mojo/system/memory.h:22: // Removes |const| from |T| (available as
|remove_const<T>::type|):
Add a TODO about removing these once we can assume C++11?

https://codereview.chromium.org/418033005/diff/1/mojo/system/memory.h#newcode27
mojo/system/memory.h:27: template <typename T> struct void_to_char { typedef T
type; };
Should this be VoidToChar? The lower_case name is usually a hint that this
should be replaced once we adopt C++11 (or some other future version of the
standard).

https://codereview.chromium.org/418033005/diff/1/mojo/system/memory.h#newcode209
mojo/system/memory.h:209: namespace internal {
hmm... do these really belong in the internal namespace? you have to read these
classes in order to understand the public API. that seems to indicate that these
classes aren't just internal implementation details.

[viettrungluu, 2014-07-24 17:09:05]

Thanks.

https://codereview.chromium.org/418033005/diff/1/mojo/system/memory.h
File mojo/system/memory.h (right):

https://codereview.chromium.org/418033005/diff/1/mojo/system/memory.h#newcode22
mojo/system/memory.h:22: // Removes |const| from |T| (available as
|remove_const<T>::type|):
On 2014/07/24 16:55:38, darin wrote:
> Add a TODO about removing these once we can assume C++11?

Done.

https://codereview.chromium.org/418033005/diff/1/mojo/system/memory.h#newcode27
mojo/system/memory.h:27: template <typename T> struct void_to_char { typedef T
type; };
On 2014/07/24 16:55:38, darin wrote:
> Should this be VoidToChar? The lower_case name is usually a hint that this
> should be replaced once we adopt C++11 (or some other future version of the
> standard).

Done.

https://codereview.chromium.org/418033005/diff/1/mojo/system/memory.h#newcode209
mojo/system/memory.h:209: namespace internal {
On 2014/07/24 16:55:38, darin wrote:
> hmm... do these really belong in the internal namespace? you have to read
these
> classes in order to understand the public API. that seems to indicate that
these
> classes aren't just internal implementation details.

Yeah, I wasn't sure. Done, since you're probably right.

[viettrungluu, 2014-07-24 19:51:51]

Committed patchset #2 manually as r285350 (presubmit successful).