PPAPI/NaCl: Support Handle passing in ipc_channel_nacl

ipc/ipc_channel_nacl.cc

 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "ipc/ipc_channel_nacl.h"
 
 #include <errno.h>
 #include <stddef.h>
 #include <sys/nacl_imc_api.h>
 #include <sys/nacl_syscalls.h>
 #include <sys/types.h>
 
 #include <algorithm>
 
 #include "base/bind.h"
 #include "base/file_util.h"
 #include "base/logging.h"
 #include "base/message_loop_proxy.h"
 #include "base/process_util.h"
 #include "base/synchronization/lock.h"
 #include "base/task_runner_util.h"
 #include "base/threading/simple_thread.h"
 #include "ipc/file_descriptor_set_posix.h"
 #include "ipc/ipc_logging.h"
 
 namespace IPC {
+
+struct MessageContents {
+  std::vector<char> data;
+  std::vector<int> fds;
+};
+
 namespace {
 
-scoped_ptr<std::vector<char> > ReadDataOnReaderThread(int pipe) {
+bool ReadDataOnReaderThread(int pipe, MessageContents* contents) {
   DCHECK(pipe >= 0);
+  if (pipe < 0)
+    return false;
 
-  if (pipe < 0)
-    return scoped_ptr<std::vector<char> >();
+  contents->data.resize(Channel::kReadBufferSize);
+  contents->fds.resize(FileDescriptorSet::kMaxDescriptorsPerMessage);
 
-  scoped_ptr<std::vector<char> > buffer(
-      new std::vector<char>(Channel::kReadBufferSize));
-  struct NaClImcMsgHdr msg = {0};
-  struct NaClImcMsgIoVec iov = {&buffer->at(0), buffer->size()};
-  msg.iov = &iov;
-  msg.iov_length = 1;
+  NaClImcMsgIoVec iov = { &contents->data[0], contents->data.size() };
+  NaClImcMsgHdr msg = { &iov, 1, &contents->fds[0], contents->fds.size() };
 
   int bytes_read = imc_recvmsg(pipe, &msg, 0);
 
   if (bytes_read <= 0) {
     // NaClIPCAdapter::BlockingReceive returns -1 when the pipe closes (either
     // due to error or for regular shutdown).
-    return scoped_ptr<std::vector<char> >();
+    return false;

[brettw, 2012/07/10 05:04:07]

I might feel a little better if you cleared out the two vectors in this case. Or
maybe set bytes_read and msg.desc_length to 0 and fall through below?

   }
   DCHECK(bytes_read);
-  buffer->resize(bytes_read);
-  return buffer.Pass();
+  // Resize the buffers down to the number of bytes and fds we actually read.
+  contents->data.resize(bytes_read);
+  contents->fds.resize(msg.desc_length);
+  return true;
 }
 
 }  // namespace
 
 class Channel::ChannelImpl::ReaderThreadRunner
     : public base::DelegateSimpleThread::Delegate {
  public:
   // |pipe|: A file descriptor from which we will read using imc_recvmsg.
   // |data_read_callback|: A callback we invoke (on the main thread) when we
-  //                       have read data. The callback is passed a buffer of
-  //                       data that was read.
+  //                       have read data.
   // |failure_callback|: A callback we invoke when we have a failure reading
   //                     from |pipe|.
   // |main_message_loop|: A proxy for the main thread, where we will invoke the
   //                      above callbacks.
   ReaderThreadRunner(
       int pipe,
-      base::Callback<void (scoped_ptr<std::vector<char> >)> data_read_callback,
+      base::Callback<void (scoped_ptr<MessageContents>)> data_read_callback,
       base::Callback<void ()> failure_callback,
-      base::MessageLoopProxy* main_message_loop);
+      scoped_refptr<base::MessageLoopProxy> main_message_loop);
 
   // DelegateSimpleThread implementation. Reads data from the pipe in a loop
   // until either we are told to quit or a read fails.
   virtual void Run() OVERRIDE;
 
  private:
   int pipe_;
-  base::Callback<void (scoped_ptr<std::vector<char> >)> data_read_callback_;
+  base::Callback<void (scoped_ptr<MessageContents>)> data_read_callback_;
   base::Callback<void ()> failure_callback_;
   scoped_refptr<base::MessageLoopProxy> main_message_loop_;
 
   DISALLOW_COPY_AND_ASSIGN(ReaderThreadRunner);
 };
 
 Channel::ChannelImpl::ReaderThreadRunner::ReaderThreadRunner(
     int pipe,
-    base::Callback<void (scoped_ptr<std::vector<char> >)> data_read_callback,
+    base::Callback<void (scoped_ptr<MessageContents>)> data_read_callback,
     base::Callback<void ()> failure_callback,
-    base::MessageLoopProxy* main_message_loop)
+    scoped_refptr<base::MessageLoopProxy> main_message_loop)
     : pipe_(pipe),
       data_read_callback_(data_read_callback),
       failure_callback_(failure_callback),
       main_message_loop_(main_message_loop) {
 }
 
 void Channel::ChannelImpl::ReaderThreadRunner::Run() {
   while (true) {
-    scoped_ptr<std::vector<char> > buffer(ReadDataOnReaderThread(pipe_));
-    if (buffer.get()) {
+    scoped_ptr<MessageContents> msg_contents(new MessageContents);
+    bool success = ReadDataOnReaderThread(pipe_, msg_contents.get());
+    if (success) {
       main_message_loop_->PostTask(FROM_HERE,
-          base::Bind(data_read_callback_, base::Passed(buffer.Pass())));
+          base::Bind(data_read_callback_, base::Passed(msg_contents.Pass())));
     } else {
       main_message_loop_->PostTask(FROM_HERE, failure_callback_);
       // Because the read failed, we know we're going to quit. Don't bother
       // trying to read again.
       return;
     }
   }
 }
 
 Channel::ChannelImpl::ChannelImpl(const IPC::ChannelHandle& channel_handle,
@@ skipping 67 matching lines @@
   Logging::GetInstance()->OnSendMessage(message_ptr.get(), "");
 #endif  // IPC_MESSAGE_LOG_ENABLED
 
   output_queue_.push_back(linked_ptr<Message>(message_ptr.release()));
   if (!waiting_connect_)
     return ProcessOutgoingMessages();
 
   return true;
 }
 
-void Channel::ChannelImpl::DidRecvMsg(scoped_ptr<std::vector<char> > buffer) {
+void Channel::ChannelImpl::DidRecvMsg(scoped_ptr<MessageContents> contents) {
   // Close sets the pipe to -1. It's possible we'll get a buffer sent to us from
   // the reader thread after Close is called. If so, we ignore it.
   if (pipe_ == -1)
     return;
 
-  read_queue_.push_back(linked_ptr<std::vector<char> >(buffer.release()));
+  linked_ptr<std::vector<char> > data(new std::vector<char>);
+  data->swap(contents->data);
+  read_queue_.push_back(data);
+
+  input_fds_.insert(input_fds_.end(),
+                    contents->fds.begin(), contents->fds.end());
+  contents->fds.clear();
 
   // In POSIX, we would be told when there are bytes to read by implementing
   // OnFileCanReadWithoutBlocking in MessageLoopForIO::Watcher. In NaCl, we
   // instead know at this point because the reader thread posted some data to
   // us.
   ProcessIncomingMessages();
 }
 
 void Channel::ChannelImpl::ReadDidFail() {
   Close();
@@ skipping 26 matching lines @@
 
   if (pipe_ == -1)
     return false;
 
   // Write out all the messages. The trusted implementation is guaranteed to not
   // block. See NaClIPCAdapter::Send for the implementation of imc_sendmsg.
   while (!output_queue_.empty()) {
     linked_ptr<Message> msg = output_queue_.front();
     output_queue_.pop_front();
 
-    struct NaClImcMsgHdr msgh = {0};
-    struct NaClImcMsgIoVec iov = {const_cast<void*>(msg->data()), msg->size()};
-    msgh.iov = &iov;
-    msgh.iov_length = 1;
+    int fds[FileDescriptorSet::kMaxDescriptorsPerMessage];
+    const int num_fds = msg->file_descriptor_set()->size();
+    DCHECK(num_fds < FileDescriptorSet::kMaxDescriptorsPerMessage);

[Mark Seaborn, 2012/07/10 15:26:44]

Nit: shouldn't this be '<='?

+    msg->file_descriptor_set()->GetDescriptors(fds);
+
+    NaClImcMsgIoVec iov = { const_cast<void*>(msg->data()), msg->size() };
+    NaClImcMsgHdr msgh = { &iov, 1, fds, num_fds };
     ssize_t bytes_written = imc_sendmsg(pipe_, &msgh, 0);
 
+    DCHECK(bytes_written);  // The trusted side shouldn't return 0.
     if (bytes_written < 0) {
       // The trusted side should only ever give us an error of EPIPE. We
       // should never be interrupted, nor should we get EAGAIN.
       DCHECK(errno == EPIPE);
       Close();
       PLOG(ERROR) << "pipe_ error on "
                   << pipe_
                   << " Currently writing message of size: "
                   << msg->size();
       return false;
+    } else {
+      msg->file_descriptor_set()->CommitAll();
     }
 
     // Message sent OK!
     DVLOG(2) << "sent message @" << msg.get() << " with type " << msg->type()
              << " on fd " << pipe_;
   }
   return true;
 }
 
 Channel::ChannelImpl::ReadState Channel::ChannelImpl::ReadData(
@@ skipping 21 matching lines @@
       std::copy(vec->begin(), vec->begin() + bytes_to_read,
                 buffer + *bytes_read);
       vec->erase(vec->begin(), vec->begin() + bytes_to_read);
       *bytes_read += bytes_to_read;
     }
   }
   return READ_SUCCEEDED;
 }
 
 bool Channel::ChannelImpl::WillDispatchInputMessage(Message* msg) {
+  uint16 header_fds = msg->header()->num_fds;
+  CHECK(header_fds == input_fds_.size());
+  if (header_fds == 0)
+    return true;  // Nothing to do.
+
+  // The shenaniganery below with &foo.front() requires input_fds_ to have
+  // contiguous underlying storage (such as a simple array or a std::vector).
+  // This is why the header warns not to make input_fds_ a deque<>.
+  msg->file_descriptor_set()->SetDescriptors(&input_fds_.front(),
+                                             header_fds);
+  input_fds_.clear();
   return true;
 }
 
 bool Channel::ChannelImpl::DidEmptyInputBuffers() {
-  return true;
+  // When the input data buffer is empty, the fds should be too.
+  return input_fds_.empty();
 }
 
 void Channel::ChannelImpl::HandleHelloMessage(const Message& msg) {
   // The trusted side IPC::Channel should handle the "hello" handshake; we
   // should not receive the "Hello" message.
   NOTREACHED();
 }
 
 //------------------------------------------------------------------------------
 // Channel's methods simply call through to ChannelImpl.
@@ skipping 35 matching lines @@
   // A random name is sufficient validation on posix systems, so we don't need
   // an additional shared secret.
   std::string id = prefix;
   if (!id.empty())
     id.append(".");
 
   return id.append(GenerateUniqueRandomChannelID());
 }
 
 }  // namespace IPC