diff options
| author | dalecurtis@chromium.org <dalecurtis@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98> | 2014-05-31 22:08:59 +0000 |
|---|---|---|
| committer | dalecurtis@chromium.org <dalecurtis@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98> | 2014-05-31 22:08:59 +0000 |
| commit | 7af3c912836b8d5c02be0059a76a64ad46263fb2 (patch) | |
| tree | 44e013cfee99182af1f5356e44767dbd30323c27 /mojo | |
| parent | 0d64cc7d00448f4854ab58cde2c62274bef2bf18 (diff) | |
| download | chromium_src-7af3c912836b8d5c02be0059a76a64ad46263fb2.zip chromium_src-7af3c912836b8d5c02be0059a76a64ad46263fb2.tar.gz chromium_src-7af3c912836b8d5c02be0059a76a64ad46263fb2.tar.bz2 | |
Revert of Mojo: Specify/check alignment of pointers more carefully. (https://codereview.chromium.org/304303006/)
Reason for revert:
Broke the windows bots:
http://build.chromium.org/p/chromium.win/builders/Vista%20Tests%20%283%29/builds/40269
http://build.chromium.org/p/chromium.win/builders/Win7%20Tests%20%28dbg%29%284%29/builds/26580
Original issue's description:
> Mojo: Specify/check alignment of pointers more carefully.
>
> Improve the verification routines especially in the case that no count
> is necessary.
>
> Also add a test.
>
> R=darin@chromium.org
>
> Committed: https://src.chromium.org/viewvc/chrome?view=rev&revision=273936
TBR=darin@chromium.org,viettrungluu@chromium.org
NOTREECHECKS=true
NOTRY=true
Review URL: https://codereview.chromium.org/312463002
git-svn-id: svn://svn.chromium.org/chrome/trunk/src@274062 0039d316-1c4b-4281-b951-d872f2087c98
Diffstat (limited to 'mojo')
| -rw-r--r-- | mojo/mojo.gyp | 1 | ||||
| -rw-r--r-- | mojo/system/core.cc | 35 | ||||
| -rw-r--r-- | mojo/system/core_test_base.cc | 4 | ||||
| -rw-r--r-- | mojo/system/data_pipe_consumer_dispatcher.cc | 8 | ||||
| -rw-r--r-- | mojo/system/data_pipe_producer_dispatcher.cc | 8 | ||||
| -rw-r--r-- | mojo/system/memory.cc | 54 | ||||
| -rw-r--r-- | mojo/system/memory.h | 55 | ||||
| -rw-r--r-- | mojo/system/memory_unittest.cc | 136 | ||||
| -rw-r--r-- | mojo/system/message_pipe_dispatcher.cc | 6 | ||||
| -rw-r--r-- | mojo/system/shared_buffer_dispatcher.cc | 6 |
10 files changed, 62 insertions, 251 deletions
diff --git a/mojo/mojo.gyp b/mojo/mojo.gyp index 0224100..bc71705 100644 --- a/mojo/mojo.gyp +++ b/mojo/mojo.gyp @@ -243,7 +243,6 @@ 'system/data_pipe_unittest.cc', 'system/dispatcher_unittest.cc', 'system/local_data_pipe_unittest.cc', - 'system/memory_unittest.cc', 'system/message_pipe_dispatcher_unittest.cc', 'system/message_pipe_unittest.cc', 'system/multiprocess_message_pipe_unittest.cc', diff --git a/mojo/system/core.cc b/mojo/system/core.cc index f35284b..6c8cb83 100644 --- a/mojo/system/core.cc +++ b/mojo/system/core.cc @@ -8,7 +8,6 @@ #include "base/logging.h" #include "base/time/time.h" -#include "mojo/public/c/system/macros.h" #include "mojo/system/constants.h" #include "mojo/system/data_pipe.h" #include "mojo/system/data_pipe_consumer_dispatcher.h" @@ -127,9 +126,9 @@ MojoResult Core::WaitMany(const MojoHandle* handles, const MojoWaitFlags* flags, uint32_t num_handles, MojoDeadline deadline) { - if (!VerifyUserPointerWithCount<MojoHandle>(handles, num_handles)) + if (!VerifyUserPointer<MojoHandle>(handles, num_handles)) return MOJO_RESULT_INVALID_ARGUMENT; - if (!VerifyUserPointerWithCount<MojoWaitFlags>(flags, num_handles)) + if (!VerifyUserPointer<MojoWaitFlags>(flags, num_handles)) return MOJO_RESULT_INVALID_ARGUMENT; if (num_handles < 1) return MOJO_RESULT_INVALID_ARGUMENT; @@ -140,9 +139,9 @@ MojoResult Core::WaitMany(const MojoHandle* handles, MojoResult Core::CreateMessagePipe(MojoHandle* message_pipe_handle0, MojoHandle* message_pipe_handle1) { - if (!VerifyUserPointer<MojoHandle>(message_pipe_handle0)) + if (!VerifyUserPointer<MojoHandle>(message_pipe_handle0, 1)) return MOJO_RESULT_INVALID_ARGUMENT; - if (!VerifyUserPointer<MojoHandle>(message_pipe_handle1)) + if (!VerifyUserPointer<MojoHandle>(message_pipe_handle1, 1)) return MOJO_RESULT_INVALID_ARGUMENT; scoped_refptr<MessagePipeDispatcher> dispatcher0(new MessagePipeDispatcher()); @@ -199,7 +198,7 @@ MojoResult Core::WriteMessage(MojoHandle message_pipe_handle, // validity, even for dispatchers that don't support |WriteMessage()| and will // simply return failure unconditionally. It also breaks the usual // left-to-right verification order of arguments.) - if (!VerifyUserPointerWithCount<MojoHandle>(handles, num_handles)) + if (!VerifyUserPointer<MojoHandle>(handles, num_handles)) return MOJO_RESULT_INVALID_ARGUMENT; if (num_handles > kMaxMessageNumHandles) return MOJO_RESULT_RESOURCE_EXHAUSTED; @@ -252,9 +251,9 @@ MojoResult Core::ReadMessage(MojoHandle message_pipe_handle, return MOJO_RESULT_INVALID_ARGUMENT; if (num_handles) { - if (!VerifyUserPointer<uint32_t>(num_handles)) + if (!VerifyUserPointer<uint32_t>(num_handles, 1)) return MOJO_RESULT_INVALID_ARGUMENT; - if (!VerifyUserPointerWithCount<MojoHandle>(handles, *num_handles)) + if (!VerifyUserPointer<MojoHandle>(handles, *num_handles)) return MOJO_RESULT_INVALID_ARGUMENT; } @@ -295,16 +294,15 @@ MojoResult Core::CreateDataPipe(const MojoCreateDataPipeOptions* options, MojoHandle* data_pipe_consumer_handle) { if (options) { // The |struct_size| field must be valid to read. - if (!VerifyUserPointer<uint32_t>(&options->struct_size)) + if (!VerifyUserPointer<uint32_t>(&options->struct_size, 1)) return MOJO_RESULT_INVALID_ARGUMENT; // And then |options| must point to at least |options->struct_size| bytes. - if (!VerifyUserPointerWithSize<MOJO_ALIGNOF(int64_t)>(options, - options->struct_size)) + if (!VerifyUserPointer<void>(options, options->struct_size)) return MOJO_RESULT_INVALID_ARGUMENT; } - if (!VerifyUserPointer<MojoHandle>(data_pipe_producer_handle)) + if (!VerifyUserPointer<MojoHandle>(data_pipe_producer_handle, 1)) return MOJO_RESULT_INVALID_ARGUMENT; - if (!VerifyUserPointer<MojoHandle>(data_pipe_consumer_handle)) + if (!VerifyUserPointer<MojoHandle>(data_pipe_consumer_handle, 1)) return MOJO_RESULT_INVALID_ARGUMENT; MojoCreateDataPipeOptions validated_options = { 0 }; @@ -415,14 +413,13 @@ MojoResult Core::CreateSharedBuffer( MojoHandle* shared_buffer_handle) { if (options) { // The |struct_size| field must be valid to read. - if (!VerifyUserPointer<uint32_t>(&options->struct_size)) + if (!VerifyUserPointer<uint32_t>(&options->struct_size, 1)) return MOJO_RESULT_INVALID_ARGUMENT; // And then |options| must point to at least |options->struct_size| bytes. - if (!VerifyUserPointerWithSize<MOJO_ALIGNOF(int64_t)>(options, - options->struct_size)) + if (!VerifyUserPointer<void>(options, options->struct_size)) return MOJO_RESULT_INVALID_ARGUMENT; } - if (!VerifyUserPointer<MojoHandle>(shared_buffer_handle)) + if (!VerifyUserPointer<MojoHandle>(shared_buffer_handle, 1)) return MOJO_RESULT_INVALID_ARGUMENT; MojoCreateSharedBufferOptions validated_options = { 0 }; @@ -459,7 +456,7 @@ MojoResult Core::DuplicateBufferHandle( return MOJO_RESULT_INVALID_ARGUMENT; // Don't verify |options| here; that's the dispatcher's job. - if (!VerifyUserPointer<MojoHandle>(new_buffer_handle)) + if (!VerifyUserPointer<MojoHandle>(new_buffer_handle, 1)) return MOJO_RESULT_INVALID_ARGUMENT; scoped_refptr<Dispatcher> new_dispatcher; @@ -488,7 +485,7 @@ MojoResult Core::MapBuffer(MojoHandle buffer_handle, if (!dispatcher) return MOJO_RESULT_INVALID_ARGUMENT; - if (!VerifyUserPointerWithCount<void*>(buffer, 1)) + if (!VerifyUserPointer<void*>(buffer, 1)) return MOJO_RESULT_INVALID_ARGUMENT; scoped_ptr<RawSharedBufferMapping> mapping; diff --git a/mojo/system/core_test_base.cc b/mojo/system/core_test_base.cc index 85f44ac..e4efe45 100644 --- a/mojo/system/core_test_base.cc +++ b/mojo/system/core_test_base.cc @@ -54,7 +54,7 @@ class MockDispatcher : public Dispatcher { info_->IncrementWriteMessageCallCount(); lock().AssertAcquired(); - if (!VerifyUserPointerWithSize<1>(bytes, num_bytes)) + if (!VerifyUserPointer<void>(bytes, num_bytes)) return MOJO_RESULT_INVALID_ARGUMENT; if (num_bytes > kMaxMessageNumBytes) return MOJO_RESULT_RESOURCE_EXHAUSTED; @@ -74,7 +74,7 @@ class MockDispatcher : public Dispatcher { info_->IncrementReadMessageCallCount(); lock().AssertAcquired(); - if (num_bytes && !VerifyUserPointerWithSize<1>(bytes, *num_bytes)) + if (num_bytes && !VerifyUserPointer<void>(bytes, *num_bytes)) return MOJO_RESULT_INVALID_ARGUMENT; return MOJO_RESULT_OK; diff --git a/mojo/system/data_pipe_consumer_dispatcher.cc b/mojo/system/data_pipe_consumer_dispatcher.cc index 2a2242c..409db29 100644 --- a/mojo/system/data_pipe_consumer_dispatcher.cc +++ b/mojo/system/data_pipe_consumer_dispatcher.cc @@ -56,7 +56,7 @@ MojoResult DataPipeConsumerDispatcher::ReadDataImplNoLock( MojoReadDataFlags flags) { lock().AssertAcquired(); - if (!VerifyUserPointer<uint32_t>(num_bytes)) + if (!VerifyUserPointer<uint32_t>(num_bytes, 1)) return MOJO_RESULT_INVALID_ARGUMENT; if ((flags & MOJO_READ_DATA_FLAG_DISCARD)) { @@ -75,7 +75,7 @@ MojoResult DataPipeConsumerDispatcher::ReadDataImplNoLock( } // Only verify |elements| if we're neither discarding nor querying. - if (!VerifyUserPointerWithSize<1>(elements, *num_bytes)) + if (!VerifyUserPointer<void>(elements, *num_bytes)) return MOJO_RESULT_INVALID_ARGUMENT; return data_pipe_->ConsumerReadData( @@ -88,9 +88,9 @@ MojoResult DataPipeConsumerDispatcher::BeginReadDataImplNoLock( MojoReadDataFlags flags) { lock().AssertAcquired(); - if (!VerifyUserPointerWithCount<const void*>(buffer, 1)) + if (!VerifyUserPointer<const void*>(buffer, 1)) return MOJO_RESULT_INVALID_ARGUMENT; - if (!VerifyUserPointer<uint32_t>(buffer_num_bytes)) + if (!VerifyUserPointer<uint32_t>(buffer_num_bytes, 1)) return MOJO_RESULT_INVALID_ARGUMENT; // These flags may not be used in two-phase mode. if ((flags & MOJO_READ_DATA_FLAG_DISCARD) || diff --git a/mojo/system/data_pipe_producer_dispatcher.cc b/mojo/system/data_pipe_producer_dispatcher.cc index 617f231..574a0c2 100644 --- a/mojo/system/data_pipe_producer_dispatcher.cc +++ b/mojo/system/data_pipe_producer_dispatcher.cc @@ -56,9 +56,9 @@ MojoResult DataPipeProducerDispatcher::WriteDataImplNoLock( MojoWriteDataFlags flags) { lock().AssertAcquired(); - if (!VerifyUserPointer<uint32_t>(num_bytes)) + if (!VerifyUserPointer<uint32_t>(num_bytes, 1)) return MOJO_RESULT_INVALID_ARGUMENT; - if (!VerifyUserPointerWithSize<1>(elements, *num_bytes)) + if (!VerifyUserPointer<void>(elements, *num_bytes)) return MOJO_RESULT_INVALID_ARGUMENT; return data_pipe_->ProducerWriteData( @@ -71,9 +71,9 @@ MojoResult DataPipeProducerDispatcher::BeginWriteDataImplNoLock( MojoWriteDataFlags flags) { lock().AssertAcquired(); - if (!VerifyUserPointerWithCount<void*>(buffer, 1)) + if (!VerifyUserPointer<void*>(buffer, 1)) return MOJO_RESULT_INVALID_ARGUMENT; - if (!VerifyUserPointer<uint32_t>(buffer_num_bytes)) + if (!VerifyUserPointer<uint32_t>(buffer_num_bytes, 1)) return MOJO_RESULT_INVALID_ARGUMENT; return data_pipe_->ProducerBeginWriteData( diff --git a/mojo/system/memory.cc b/mojo/system/memory.cc index 6199902..dd8b3d2 100644 --- a/mojo/system/memory.cc +++ b/mojo/system/memory.cc @@ -11,62 +11,24 @@ namespace mojo { namespace system { -namespace internal { - -template <size_t size, size_t alignment> -bool MOJO_SYSTEM_IMPL_EXPORT VerifyUserPointerHelper(const void* pointer) { - // TODO(vtl): If running in kernel mode, do a full verification. For now, just - // check that it's non-null and aligned. (A faster user mode implementation is - // also possible if this check is skipped.) - return !!pointer && reinterpret_cast<uintptr_t>(pointer) % alignment == 0; -} - -// Explicitly instantiate the sizes we need. Add instantiations as needed. -template MOJO_SYSTEM_IMPL_EXPORT bool VerifyUserPointerHelper<1, 1>( - const void*); -template MOJO_SYSTEM_IMPL_EXPORT bool VerifyUserPointerHelper<4, 4>( - const void*); -template MOJO_SYSTEM_IMPL_EXPORT bool VerifyUserPointerHelper<8, 8>( - const void*); - -template <size_t size, size_t alignment> -bool VerifyUserPointerWithCountHelper(const void* pointer, size_t count) { +template <size_t size> +bool VerifyUserPointerForSize(const void* pointer, size_t count) { if (count > std::numeric_limits<size_t>::max() / size) return false; // TODO(vtl): If running in kernel mode, do a full verification. For now, just - // check that it's non-null and aligned if |count| is nonzero. (A faster user - // mode implementation is also possible if this check is skipped.) - return count == 0 || - (!!pointer && reinterpret_cast<uintptr_t>(pointer) % alignment == 0); + // check that it's non-null if |size| is nonzero. (A faster user mode + // implementation is also possible if this check is skipped.) + return count == 0 || !!pointer; } // Explicitly instantiate the sizes we need. Add instantiations as needed. -template MOJO_SYSTEM_IMPL_EXPORT bool VerifyUserPointerWithCountHelper<1, 1>( +template MOJO_SYSTEM_IMPL_EXPORT bool VerifyUserPointerForSize<1>( const void*, size_t); -template MOJO_SYSTEM_IMPL_EXPORT bool VerifyUserPointerWithCountHelper<4, 4>( +template MOJO_SYSTEM_IMPL_EXPORT bool VerifyUserPointerForSize<4>( const void*, size_t); -template MOJO_SYSTEM_IMPL_EXPORT bool VerifyUserPointerWithCountHelper<8, 8>( +template MOJO_SYSTEM_IMPL_EXPORT bool VerifyUserPointerForSize<8>( const void*, size_t); -} // nameespace internal - -template <size_t alignment> -bool VerifyUserPointerWithSize(const void* pointer, size_t size) { - // TODO(vtl): If running in kernel mode, do a full verification. For now, just - // check that it's non-null and aligned. (A faster user mode implementation is - // also possible if this check is skipped.) - return size == 0 || - (!!pointer && reinterpret_cast<uintptr_t>(pointer) % alignment == 0); -} - -// Explicitly instantiate the alignments we need. Add instantiations as needed. -template MOJO_SYSTEM_IMPL_EXPORT bool VerifyUserPointerWithSize<1>(const void*, - size_t); -template MOJO_SYSTEM_IMPL_EXPORT bool VerifyUserPointerWithSize<4>(const void*, - size_t); -template MOJO_SYSTEM_IMPL_EXPORT bool VerifyUserPointerWithSize<8>(const void*, - size_t); - } // namespace system } // namespace mojo diff --git a/mojo/system/memory.h b/mojo/system/memory.h index 21c36ea..6483e03 100644 --- a/mojo/system/memory.h +++ b/mojo/system/memory.h @@ -7,48 +7,39 @@ #include <stddef.h> -#include "mojo/public/c/system/macros.h" #include "mojo/system/system_impl_export.h" namespace mojo { namespace system { -namespace internal { - -template <size_t size, size_t alignment> -bool MOJO_SYSTEM_IMPL_EXPORT VerifyUserPointerHelper(const void* pointer); - -template <size_t size, size_t alignment> -bool MOJO_SYSTEM_IMPL_EXPORT VerifyUserPointerWithCountHelper( - const void* pointer, - size_t count); - -} // namespace internal - -// Verify (insofar as possible/necessary) that a |T| can be read from the user -// |pointer|. +// This is just forward-declared, with the definition and explicit +// instantiations in the .cc file. This is used by |VerifyUserPointer<T>()| +// below, and you should use that instead. +template <size_t size> +bool MOJO_SYSTEM_IMPL_EXPORT VerifyUserPointerForSize(const void* pointer, + size_t count); + +// Verify that |count * sizeof(T)| bytes can be read from the user |pointer| +// insofar as possible/necessary (note: this is done carefully since |count * +// sizeof(T)| may overflow a |size_t|. |count| may be zero. If |T| is |void|, +// then the size of each element is taken to be a single byte. +// +// For example, if running in kernel mode, this should be a full verification +// that the given memory is owned and readable by the user process. In user +// mode, if crashes are acceptable, this may do nothing at all (and always +// return true). template <typename T> -bool VerifyUserPointer(const T* pointer) { - return internal::VerifyUserPointerHelper<sizeof(T), MOJO_ALIGNOF(T)>(pointer); +bool VerifyUserPointer(const T* pointer, size_t count) { + return VerifyUserPointerForSize<sizeof(T)>(pointer, count); } -// Verify (insofar as possible/necessary) that |count| |T|s can be read from the -// user |pointer|; |count| may be zero. (This is done carefully since |count * -// sizeof(T)| may overflow a |size_t|.) -template <typename T> -bool VerifyUserPointerWithCount(const T* pointer, size_t count) { - return internal::VerifyUserPointerWithCountHelper<sizeof(T), - MOJO_ALIGNOF(T)>(pointer, - count); +// Special-case |T| equals |void| so that the size is in bytes, as indicated +// above. +template <> +inline bool VerifyUserPointer<void>(const void* pointer, size_t count) { + return VerifyUserPointerForSize<1>(pointer, count); } -// Verify that |size| bytes (which may be zero) can be read from the user -// |pointer|, and that |pointer| has the specified |alignment| (if |size| is -// nonzero). -template <size_t alignment> -bool MOJO_SYSTEM_IMPL_EXPORT VerifyUserPointerWithSize(const void* pointer, - size_t size); - } // namespace system } // namespace mojo diff --git a/mojo/system/memory_unittest.cc b/mojo/system/memory_unittest.cc deleted file mode 100644 index b23d50a..0000000 --- a/mojo/system/memory_unittest.cc +++ /dev/null @@ -1,136 +0,0 @@ -// Copyright 2014 The Chromium Authors. All rights reserved. -// Use of this source code is governed by a BSD-style license that can be -// found in the LICENSE file. - -#include "mojo/system/memory.h" - -#include <stddef.h> -#include <stdint.h> - -#include <limits> - -#include "mojo/public/c/system/macros.h" -#include "testing/gtest/include/gtest/gtest.h" - -namespace mojo { -namespace system { -namespace { - -TEST(MemoryTest, Valid) { - char my_char; - int32_t my_int32; - int64_t my_int64; - char my_char_array[5]; - int32_t my_int32_array[5]; - int64_t my_int64_array[5]; - - // |VerifyUserPointer|: - - EXPECT_TRUE(VerifyUserPointer<char>(&my_char)); - EXPECT_TRUE(VerifyUserPointer<int32_t>(&my_int32)); - EXPECT_TRUE(VerifyUserPointer<int64_t>(&my_int64)); - - // |VerifyUserPointerWithCount|: - - EXPECT_TRUE(VerifyUserPointerWithCount<char>(my_char_array, 5)); - EXPECT_TRUE(VerifyUserPointerWithCount<int32_t>(my_int32_array, 5)); - EXPECT_TRUE(VerifyUserPointerWithCount<int64_t>(my_int64_array, 5)); - - // It shouldn't care what the pointer is if the count is zero. - EXPECT_TRUE(VerifyUserPointerWithCount<char>(NULL, 0)); - EXPECT_TRUE(VerifyUserPointerWithCount<int32_t>(NULL, 0)); - EXPECT_TRUE(VerifyUserPointerWithCount<int32_t>( - reinterpret_cast<const int32_t*>(1), 0)); - EXPECT_TRUE(VerifyUserPointerWithCount<int64_t>(NULL, 0)); - EXPECT_TRUE(VerifyUserPointerWithCount<int64_t>( - reinterpret_cast<const int64_t*>(1), 0)); - - // |VerifyUserPointerWithSize|: - - EXPECT_TRUE(VerifyUserPointerWithSize<1>(&my_char, sizeof(my_char))); - EXPECT_TRUE(VerifyUserPointerWithSize<1>(&my_int32, sizeof(my_int32))); - EXPECT_TRUE(VerifyUserPointerWithSize<MOJO_ALIGNOF(int32_t)>( - &my_int32, sizeof(my_int32))); - EXPECT_TRUE(VerifyUserPointerWithSize<1>(&my_int64, sizeof(my_int64))); - EXPECT_TRUE(VerifyUserPointerWithSize<MOJO_ALIGNOF(int64_t)>( - &my_int64, sizeof(my_int64))); - - EXPECT_TRUE(VerifyUserPointerWithSize<1>(my_char_array, - sizeof(my_char_array))); - EXPECT_TRUE(VerifyUserPointerWithSize<1>(my_int32_array, - sizeof(my_int32_array))); - EXPECT_TRUE(VerifyUserPointerWithSize<MOJO_ALIGNOF(int32_t)>( - my_int32_array, sizeof(my_int32_array))); - EXPECT_TRUE(VerifyUserPointerWithSize<1>(my_int64_array, - sizeof(my_int64_array))); - EXPECT_TRUE(VerifyUserPointerWithSize<MOJO_ALIGNOF(int64_t)>( - my_int64_array, sizeof(my_int64_array))); -} - -TEST(MemoryTest, Invalid) { - // Note: |VerifyUserPointer...()| are defined to be "best effort" checks (and - // may always return true). Thus these tests of invalid cases only reflect the - // current implementation. - - // These tests depend on |int32_t| and |int64_t| having nontrivial alignment. - MOJO_COMPILE_ASSERT(MOJO_ALIGNOF(int32_t) != 1, - int32_t_does_not_have_to_be_aligned); - MOJO_COMPILE_ASSERT(MOJO_ALIGNOF(int64_t) != 1, - int64_t_does_not_have_to_be_aligned); - - int32_t my_int32; - int64_t my_int64; - - // |VerifyUserPointer|: - - EXPECT_FALSE(VerifyUserPointer<char>(NULL)); - EXPECT_FALSE(VerifyUserPointer<int32_t>(NULL)); - EXPECT_FALSE(VerifyUserPointer<int64_t>(NULL)); - - // Unaligned: - EXPECT_FALSE(VerifyUserPointer<int32_t>(reinterpret_cast<const int32_t*>(1))); - EXPECT_FALSE(VerifyUserPointer<int64_t>(reinterpret_cast<const int64_t*>(1))); - - // |VerifyUserPointerWithCount|: - - EXPECT_FALSE(VerifyUserPointerWithCount<char>(NULL, 1)); - EXPECT_FALSE(VerifyUserPointerWithCount<int32_t>(NULL, 1)); - EXPECT_FALSE(VerifyUserPointerWithCount<int64_t>(NULL, 1)); - - // Unaligned: - EXPECT_FALSE(VerifyUserPointerWithCount<int32_t>( - reinterpret_cast<const int32_t*>(1), 1)); - EXPECT_FALSE(VerifyUserPointerWithCount<int64_t>( - reinterpret_cast<const int64_t*>(1), 1)); - - // Count too big: - EXPECT_FALSE(VerifyUserPointerWithCount<int32_t>( - &my_int32, std::numeric_limits<size_t>::max())); - EXPECT_FALSE(VerifyUserPointerWithCount<int64_t>( - &my_int64, std::numeric_limits<size_t>::max())); - - // |VerifyUserPointerWithSize|: - - EXPECT_FALSE(VerifyUserPointerWithSize<1>(NULL, 1)); - EXPECT_FALSE(VerifyUserPointerWithSize<4>(NULL, 1)); - EXPECT_FALSE(VerifyUserPointerWithSize<4>(NULL, 4)); - EXPECT_FALSE(VerifyUserPointerWithSize<8>(NULL, 1)); - EXPECT_FALSE(VerifyUserPointerWithSize<8>(NULL, 4)); - EXPECT_FALSE(VerifyUserPointerWithSize<8>(NULL, 8)); - - // Unaligned: - EXPECT_FALSE(VerifyUserPointerWithSize<4>(reinterpret_cast<const int32_t*>(1), - 1)); - EXPECT_FALSE(VerifyUserPointerWithSize<4>(reinterpret_cast<const int32_t*>(1), - 4)); - EXPECT_FALSE(VerifyUserPointerWithSize<8>(reinterpret_cast<const int32_t*>(1), - 1)); - EXPECT_FALSE(VerifyUserPointerWithSize<8>(reinterpret_cast<const int32_t*>(1), - 4)); - EXPECT_FALSE(VerifyUserPointerWithSize<8>(reinterpret_cast<const int32_t*>(1), - 8)); -} - -} // namespace -} // namespace system -} // namespace mojo diff --git a/mojo/system/message_pipe_dispatcher.cc b/mojo/system/message_pipe_dispatcher.cc index 89bc16a..22bb3b3 100644 --- a/mojo/system/message_pipe_dispatcher.cc +++ b/mojo/system/message_pipe_dispatcher.cc @@ -150,7 +150,7 @@ MojoResult MessagePipeDispatcher::WriteMessageImplNoLock( lock().AssertAcquired(); - if (!VerifyUserPointerWithSize<1>(bytes, num_bytes)) + if (!VerifyUserPointer<void>(bytes, num_bytes)) return MOJO_RESULT_INVALID_ARGUMENT; if (num_bytes > kMaxMessageNumBytes) return MOJO_RESULT_RESOURCE_EXHAUSTED; @@ -168,9 +168,9 @@ MojoResult MessagePipeDispatcher::ReadMessageImplNoLock( lock().AssertAcquired(); if (num_bytes) { - if (!VerifyUserPointer<uint32_t>(num_bytes)) + if (!VerifyUserPointer<uint32_t>(num_bytes, 1)) return MOJO_RESULT_INVALID_ARGUMENT; - if (!VerifyUserPointerWithSize<1>(bytes, *num_bytes)) + if (!VerifyUserPointer<void>(bytes, *num_bytes)) return MOJO_RESULT_INVALID_ARGUMENT; } diff --git a/mojo/system/shared_buffer_dispatcher.cc b/mojo/system/shared_buffer_dispatcher.cc index 841c659..29f1de5 100644 --- a/mojo/system/shared_buffer_dispatcher.cc +++ b/mojo/system/shared_buffer_dispatcher.cc @@ -8,7 +8,6 @@ #include "base/logging.h" #include "base/memory/scoped_ptr.h" -#include "mojo/public/c/system/macros.h" #include "mojo/system/constants.h" #include "mojo/system/memory.h" #include "mojo/system/raw_shared_buffer.h" @@ -150,11 +149,10 @@ MojoResult SharedBufferDispatcher::DuplicateBufferHandleImplNoLock( lock().AssertAcquired(); if (options) { // The |struct_size| field must be valid to read. - if (!VerifyUserPointer<uint32_t>(&options->struct_size)) + if (!VerifyUserPointer<uint32_t>(&options->struct_size, 1)) return MOJO_RESULT_INVALID_ARGUMENT; // And then |options| must point to at least |options->struct_size| bytes. - if (!VerifyUserPointerWithSize<MOJO_ALIGNOF(int64_t)>(options, - options->struct_size)) + if (!VerifyUserPointer<void>(options, options->struct_size)) return MOJO_RESULT_INVALID_ARGUMENT; if (options->struct_size < sizeof(*options)) |