JavaScript bindings for Mojo message validation

mojo/public/js/bindings/validator.js

 // Copyright 2014 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 define("mojo/public/js/bindings/validator", [
   "mojo/public/js/bindings/codec",
-  ], function(codec) {
+], function(codec) {
 
   var validationError = {
     NONE: 'VALIDATION_ERROR_NONE',
     MISALIGNED_OBJECT: 'VALIDATION_ERROR_MISALIGNED_OBJECT',
     ILLEGAL_MEMORY_RANGE: 'VALIDATION_ERROR_ILLEGAL_MEMORY_RANGE',
     UNEXPECTED_STRUCT_HEADER: 'VALIDATION_ERROR_UNEXPECTED_STRUCT_HEADER',
     UNEXPECTED_ARRAY_HEADER: 'VALIDATION_ERROR_UNEXPECTED_ARRAY_HEADER',
     ILLEGAL_HANDLE: 'VALIDATION_ERROR_ILLEGAL_HANDLE',
     ILLEGAL_POINTER: 'VALIDATION_ERROR_ILLEGAL_POINTER',
     MESSAGE_HEADER_INVALID_FLAG_COMBINATION:
         'VALIDATION_ERROR_MESSAGE_HEADER_INVALID_FLAG_COMBINATION',
     MESSAGE_HEADER_MISSING_REQUEST_ID:
         'VALIDATION_ERROR_MESSAGE_HEADER_MISSING_REQUEST_ID'
   };
 
+  var NULL_MOJO_POINTER = "NULL_MOJO_POINTER";
+
   function Validator(message) {
     this.message = message;
     this.offset = 0;
+    this.handleIndex = 0;
   }
 
   Object.defineProperty(Validator.prototype, "offsetLimit", {
     get: function() { return this.message.buffer.byteLength; }
   });
 
+  Object.defineProperty(Validator.prototype, "handleIndexLimit", {
+    get: function() { return this.message.handles.length; }
+  });
+
   // True if we can safely allocate a block of bytes from start to
   // to start + numBytes.
   Validator.prototype.isValidRange = function(start, numBytes) {
     // Only positive JavaScript integers that are less than 2^53
     // (Number.MAX_SAFE_INTEGER) can be represented exactly.
     if (start < this.offset || numBytes <= 0 ||
         !Number.isSafeInteger(start) ||
         !Number.isSafeInteger(numBytes))
       return false;
 
     var newOffset = start + numBytes;
     if (!Number.isSafeInteger(newOffset) || newOffset > this.offsetLimit)
       return false;
 
     return true;
   }
 
   Validator.prototype.claimRange = function(start, numBytes) {
     if (this.isValidRange(start, numBytes)) {
       this.offset = start + numBytes;
       return true;
     }
     return false;
   }
 
+  Validator.prototype.claimHandle = function(index) {
+    if (index === codec.kEncodedInvalidHandleValue)
+      return true;
+
+    if (index < this.handleIndex || index >= this.handleIndexLimit)
+      return false;
+
+    this.handleIndex = index + 1; // safe because handle indices are uint32
+    return true;
+  }
+
+  Validator.prototype.validateHandle = function(offset) {
+    var index = this.message.buffer.getUint32(offset);
+    if (!this.claimHandle(index))
+      return validationError.ILLEGAL_HANDLE;
+    return validationError.NONE;
+  }
+
   Validator.prototype.validateStructHeader =
       function(offset, minNumBytes, minNumFields) {
     if (!codec.isAligned(offset))
       return validationError.MISALIGNED_OBJECT;
 
     if (!this.isValidRange(offset, codec.kStructHeaderSize))
       return validationError.ILLEGAL_MEMORY_RANGE;
 
     var numBytes = this.message.buffer.getUint32(offset);
     var numFields = this.message.buffer.getUint32(offset + 4);
 
     if (numBytes < minNumBytes || numFields < minNumFields)
       return validationError.UNEXPECTED_STRUCT_HEADER;
 
     if (!this.claimRange(offset, numBytes))
       return validationError.ILLEGAL_MEMORY_RANGE;
 
     return validationError.NONE;
   }
 
   Validator.prototype.validateMessageHeader = function() {
+    var err = this.validateStructHeader(0, codec.kStructHeaderSize, 2);

[yzshen1, 2014/08/14 18:02:21]

Should be codec.kMessageHeaderSize?

[hansmuller, 2014/08/14 23:51:45]

Yes it should.

+    if (err != validationError.NONE)
+      return err;
+
     var numBytes = this.message.getHeaderNumBytes();
     var numFields = this.message.getHeaderNumFields();
 
     var validNumFieldsAndNumBytes =
         (numFields == 2 && numBytes == codec.kMessageHeaderSize) ||
         (numFields == 3 &&
          numBytes == codec.kMessageWithRequestIDHeaderSize) ||
         (numFields > 3 &&
          numBytes >= codec.kMessageWithRequestIDHeaderSize);
     if (!validNumFieldsAndNumBytes)
       return validationError.UNEXPECTED_STRUCT_HEADER;
 
     var expectsResponse = this.message.expectsResponse();
     var isResponse = this.message.isResponse();
 
     if (numFields == 2 && (expectsResponse || isResponse))
       return validationError.MESSAGE_HEADER_MISSING_REQUEST_ID;
 
     if (isResponse && expectsResponse)
       return validationError.MESSAGE_HEADER_INVALID_FLAG_COMBINATION;
 
     return validationError.NONE;
   }
 
-  Validator.prototype.validateMessage = function() {
-    var err = this.validateStructHeader(0, codec.kStructHeaderSize, 2);
-    if (err != validationError.NONE)
-      return err;
+  // Returns the message.buffer relative offset this pointer "points to",
+  // NULL_MOJO_POINTER if the pointer represents a null, or JS null if the
+  // pointer's value is not valid.
+  Validator.prototype.decodePointer = function(offset) {
+    var pointerValue = this.message.buffer.getUint64(offset);
+    if (pointerValue === 0)
+      return NULL_MOJO_POINTER;
+    var bufferOffset = offset + pointerValue;
+    return Number.isSafeInteger(bufferOffset) ? bufferOffset : null;
+  }
 
-    return this.validateMessageHeader();
+  Validator.prototype.validateArrayPointer =
+      function(offset, elementSize, elementCount, elementType) {
+    var arrayOffset = this.decodePointer(offset);
+    if (arrayOffset === null)
+      return validationError.ILLEGAL_POINTER;
+    if (arrayOffset === NULL_MOJO_POINTER)
+      return validationError.NONE;
+    return this.validateArray(
+        arrayOffset, elementSize, elementCount, elementType);
+  }
+
+  Validator.prototype.validateStructPointer = function(offset, structClass) {
+    var structOffset = this.decodePointer(offset);
+    if (structOffset === null)
+      return validationError.ILLEGAL_POINTER;
+    if (structOffset === NULL_MOJO_POINTER)
+      return validationError.NONE;
+    return structClass.validate(this, structOffset);
+  }
+
+  Validator.prototype.validateStringPointer = function(offset) {
+    return this.validateArrayPointer(offset, codec.Uint8.encodedSize, 0);

[yzshen1, 2014/08/14 18:02:21]

Is it intentional to omit the last parameter?

[hansmuller, 2014/08/14 23:51:45]

No, that's my mistake. It didn't matter in this case, but it should have been
there.  

+  }
+
+  // Similar to Array_Data<T>::Validate()
+  // mojo/public/cpp/bindings/lib/array_internal.h
+
+  Validator.prototype.validateArray =
+      function (offset, elementSize, elementCount, elementType) {

[yzshen1, 2014/08/14 18:02:21]

nit: it seems better to name it expectedElementCount.

[hansmuller, 2014/08/14 23:51:45]

Yes.

+    if (!codec.isAligned(offset))
+      return validationError.MISALIGNED_OBJECT;
+
+    if (!this.isValidRange(offset, codec.kArrayHeaderSize))
+      return validationError.ILLEGAL_MEMORY_RANGE;
+
+    var numBytes = this.message.buffer.getUint32(offset);
+    var numElements = this.message.buffer.getUint32(offset + 4);
+
+    // Note: this computation is "safe" because elementSize <= 8 and
+    // numElements is a uint32.
+    var elementsTotalSize = (elementType === codec.PackedBool) ?
+        Math.ceil(numElements / 8) : (elementSize * numElements);
+
+    if (numBytes < codec.kArrayHeaderSize + elementsTotalSize)
+      return validationError.UNEXPECTED_ARRAY_HEADER;
+
+    if (elementCount != 0 && numElements != elementCount)
+      return validationError.UNEXPECTED_ARRAY_HEADER;
+
+    if (!this.claimRange(offset, numBytes))
+      return validationError.ILLEGAL_MEMORY_RANGE;
+
+    var elementsOffset = offset + codec.kArrayHeaderSize;
+    if (elementType === codec.Handle)
+      return this.validateHandleElements(elementsOffset, numElements);
+    if (elementType instanceof codec.PointerTo)
+      return this.validateStructElements(
+          elementsOffset, numElements, elementType.cls);
+    if (elementType instanceof codec.ArrayOf)
+      return this.validateArrayElements(
+          elementsOffset, numElements, elementType.cls);
+

[yzshen1, 2014/08/14 18:02:21]

Is validating string elements covered by this if block?

[hansmuller, 2014/08/14 23:51:45]

No, but it should be. I will add that.

+    return validationError.NONE;
+  }
+
+  // Note: the |offset + i * elementSize| computation in the validateFooElements
+  // methods below is "safe" because elementSize <= 8, offset and
+  // numElements are uint32, and 0 <= i < numElements.
+
+  Validator.prototype.validateHandleElements = function(offset, numElements) {
+    var elementSize = codec.Handle.encodedSize;
+    for (var i = 0; i < numElements; i++) {
+      var index = this.message.buffer.getUint32(offset + i * elementSize);
+      if (!this.claimHandle(index))
+        return validationError.ILLEGAL_HANDLE;
+    }
+    return validationError.NONE;
+  }
+
+  Validator.prototype.validateArrayElements =
+      function(offset, numElements, elementClass) {
+    var elementSize = codec.PointerTo.prototype.encodedSize;
+    for (var i = 0; i < numElements; i++) {
+      var elementOffset = offset + i * elementSize;
+      var err = this.validateArrayPointer(
+          elementOffset, elementClass.encodedSize, 0, elementClass);

[yzshen1, 2014/08/14 18:02:21]

The last argument: should it be element type of the element arrays? (I.e., one
level deeper)

[hansmuller, 2014/08/14 23:51:45]

I believe this is correct because the caller is already providing the element
type of the element arrays - elementType.cls does that. I think the codec
ArrayOf type would be somewhat less confusing if its "cls" field was called
elementClass.

I've added a comment above validateArrayElements() that explains what the
elementClass parameter means. 

+      if (err != validationError.NONE)
+        return err;
+    }
+    return validationError.NONE;
+  }
+
+  Validator.prototype.validateStructElements =
+      function(offset, numElements, structClass) {
+    var elementSize = codec.PointerTo.prototype.encodedSize;
+    for (var i = 0; i < numElements; i++) {
+      var elementOffset = offset + i * elementSize;
+      var err = this.validateStructPointer(elementOffset, structClass);
+      if (err != validationError.NONE)
+        return err;
+    }
+    return validationError.NONE;
   }
 
   var exports = {};
   exports.validationError = validationError;
   exports.Validator = Validator;
   return exports;
 });