IPC: Generalize FileDescriptorSet to MessageAttachmentSet

ipc/file_descriptor_set_posix.cc

Index: ipc/file_descriptor_set_posix.cc
diff --git a/ipc/file_descriptor_set_posix.cc b/ipc/file_descriptor_set_posix.cc
deleted file mode 100644
index 568fee3323c7d0d3f8db7cbe1db8019df21c722d..0000000000000000000000000000000000000000
--- a/ipc/file_descriptor_set_posix.cc
+++ /dev/null
@@ -1,162 +0,0 @@
-// Copyright (c) 2011 The Chromium Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style license that can be
-// found in the LICENSE file.
-
-#include "ipc/file_descriptor_set_posix.h"
-
-#include <sys/types.h>
-#include <sys/stat.h>
-#include <unistd.h>
-
-#include "base/logging.h"
-#include "base/posix/eintr_wrapper.h"
-
-FileDescriptorSet::FileDescriptorSet()
-    : consumed_descriptor_highwater_(0) {
-}
-
-FileDescriptorSet::~FileDescriptorSet() {
-  if (consumed_descriptor_highwater_ == size())
-    return;
-
-  // We close all the owning descriptors. If this message should have
-  // been transmitted, then closing those with close flags set mirrors
-  // the expected behaviour.
-  //
-  // If this message was received with more descriptors than expected
-  // (which could a DOS against the browser by a rogue renderer) then all
-  // the descriptors have their close flag set and we free all the extra
-  // kernel resources.
-  LOG(WARNING) << "FileDescriptorSet destroyed with unconsumed descriptors: "
-               << consumed_descriptor_highwater_ << "/" << size();
-}
-
-bool FileDescriptorSet::AddToBorrow(base::PlatformFile fd) {
-  DCHECK_EQ(consumed_descriptor_highwater_, 0u);
-
-  if (size() == kMaxDescriptorsPerMessage) {
-    DLOG(WARNING) << "Cannot add file descriptor. FileDescriptorSet full.";
-    return false;
-  }
-
-  descriptors_.push_back(fd);
-  return true;
-}
-
-bool FileDescriptorSet::AddToOwn(base::ScopedFD fd) {
-  DCHECK_EQ(consumed_descriptor_highwater_, 0u);
-
-  if (size() == kMaxDescriptorsPerMessage) {
-    DLOG(WARNING) << "Cannot add file descriptor. FileDescriptorSet full.";
-    return false;
-  }
-
-  descriptors_.push_back(fd.get());
-  owned_descriptors_.push_back(new base::ScopedFD(fd.Pass()));
-  DCHECK(size() <= kMaxDescriptorsPerMessage);
-  return true;
-}
-
-base::PlatformFile FileDescriptorSet::TakeDescriptorAt(unsigned index) {
-  if (index >= size()) {
-    DLOG(WARNING) << "Accessing out of bound index:"
-                  << index << "/" << size();
-    return -1;
-  }
-
-
-  // We should always walk the descriptors in order, so it's reasonable to
-  // enforce this. Consider the case where a compromised renderer sends us
-  // the following message:
-  //
-  //   ExampleMsg:
-  //     num_fds:2 msg:FD(index = 1) control:SCM_RIGHTS {n, m}
-  //
-  // Here the renderer sent us a message which should have a descriptor, but
-  // actually sent two in an attempt to fill our fd table and kill us. By
-  // setting the index of the descriptor in the message to 1 (it should be
-  // 0), we would record a highwater of 1 and then consider all the
-  // descriptors to have been used.
-  //
-  // So we can either track of the use of each descriptor in a bitset, or we
-  // can enforce that we walk the indexes strictly in order.
-  //
-  // There's one more wrinkle: When logging messages, we may reparse them. So
-  // we have an exception: When the consumed_descriptor_highwater_ is at the
-  // end of the array and index 0 is requested, we reset the highwater value.
-  // TODO(morrita): This is absurd. This "wringle" disallow to introduce clearer
-  // ownership model. Only client is NaclIPCAdapter. See crbug.com/415294
-  if (index == 0 && consumed_descriptor_highwater_ == descriptors_.size())
-    consumed_descriptor_highwater_ = 0;
-
-  if (index != consumed_descriptor_highwater_)
-    return -1;
-
-  consumed_descriptor_highwater_ = index + 1;
-
-  base::PlatformFile file = descriptors_[index];
-
-  // TODO(morrita): In production, descriptors_.size() should be same as
-  // owned_descriptors_.size() as all read descriptors are owned by Message.
-  // We have to do this because unit test breaks this assumption. It should be
-  // changed to exercise with own-able descriptors.
-  for (ScopedVector<base::ScopedFD>::const_iterator i =
-           owned_descriptors_.begin();
-       i != owned_descriptors_.end();
-       ++i) {
-    if ((*i)->get() == file) {
-      ignore_result((*i)->release());
-      break;
-    }
-  }
-
-  return file;
-}
-
-void FileDescriptorSet::PeekDescriptors(base::PlatformFile* buffer) const {
-  std::copy(descriptors_.begin(), descriptors_.end(), buffer);
-}
-
-bool FileDescriptorSet::ContainsDirectoryDescriptor() const {
-  struct stat st;
-
-  for (std::vector<base::PlatformFile>::const_iterator i = descriptors_.begin();
-       i != descriptors_.end();
-       ++i) {
-    if (fstat(*i, &st) == 0 && S_ISDIR(st.st_mode))
-      return true;
-  }
-
-  return false;
-}
-
-void FileDescriptorSet::CommitAll() {
-  descriptors_.clear();
-  owned_descriptors_.clear();
-  consumed_descriptor_highwater_ = 0;
-}
-
-void FileDescriptorSet::ReleaseFDsToClose(
-    std::vector<base::PlatformFile>* fds) {
-  for (ScopedVector<base::ScopedFD>::iterator i = owned_descriptors_.begin();
-       i != owned_descriptors_.end();
-       ++i) {
-    fds->push_back((*i)->release());
-  }
-
-  CommitAll();
-}
-
-void FileDescriptorSet::AddDescriptorsToOwn(const base::PlatformFile* buffer,
-                                            unsigned count) {
-  DCHECK(count <= kMaxDescriptorsPerMessage);
-  DCHECK_EQ(size(), 0u);
-  DCHECK_EQ(consumed_descriptor_highwater_, 0u);
-
-  descriptors_.reserve(count);
-  owned_descriptors_.reserve(count);
-  for (unsigned i = 0; i < count; ++i) {
-    descriptors_.push_back(buffer[i]);
-    owned_descriptors_.push_back(new base::ScopedFD(buffer[i]));
-  }
-}