Open Bug 1478839 Opened 6 years ago Updated 2 years ago

Statically verify that objects requiring actor-specific serialization are only passed over compatible actors

Categories

(Core :: IPC, enhancement, P3)

People

(Reporter: nika, Unassigned)

There are some types of objects which need to know information about the actor which they are being sent over. For example, `Blob` objects can only be sent over actors based on PBackground or PContent, as otherwise they cannot establish the background actors which they need to function. In addition, some of these data types require that the mechanism they're being sent over is not a synchronous reply, as the other side needs to process messages sent during serialization before processing the reply.

Currently this is possible dynamically with IPDLParamTraits, which takes the actor IProtocol* object. However, we cannot statically ensure that these types are not used in methods which they are not compatible with.

---

A solution I have been considering is to extend the IPDLParamTraits definition to include a "TopLevelCompat" (strawman) template member, for example:

```cpp
template<>
struct IPDLParamTraits<mozilla::dom::Blob>
{
  // Member variable templates must be declared static.
  template<typename P>
  static constexpr bool TopLevelCompat = // ... check if P is compatible

  // ...
};
```

Then, for each method generated by IPDL, we would generate a static_assert that each of our possible toplevel protocols is supported, for example:

```cpp
static_assert(
  IPDLParamTraits<uint32_t>::TopLevelCompat<PContent> &&
  IPDLParamTraits<int32_t>::TopLevelCompat<PContent>,
  "Type is incompatible");
```

Any types declared with ParamTraits<T> would be given a no-op "true" TopLevelCompat by the IPDLParamTraits specialization. Types which need to choose may use `mozilla::IsSame<P, PContent>::value` to check, and structured types from IPDL will && the values from each of their subfields.

-----

Another possible solution would be to define:

```cpp
template<typename T, typename P>
inline constexpr bool IPDLMaySend = true;
```

and then in files which need to restrict it we could add specializations:

```cpp
template<typename P>
inline constexpr bool IPDLMaySend<mozilla::dom::Blob, P> = false;
template<>
inline constexpr bool IPDLMaySend<mozilla::dom::Blob, PContent> = true;
template<>
inline constexpr bool IPDLMaySend<mozilla::dom::Blob, PBackground> = true;
```

(there may also be a nicer way to write this than my untested constexprs :-P)

---

Anyway, not super important as a problem yet, but it might be nice in the future to make the Blob serialization etc. APIs nicer to use!
Oh, also a final option is to just have a list somewhere of which types are restricted and what protocol they have to use, and just check that in the IPDL typechecker...
Priority: -- → P3
Severity: normal → S3
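
A self-contained C++17 sketch of the second proposal in the description (the `IPDLMaySend` variable template), extended with the subfield `&&` rule the description mentions for structured types. This is an added example, not code from the bug or from Gecko: `PContent`, `PBackground` and `Blob` are empty stand-in structs, `POther`, `BlobRecord`, `kOtherAllowed` and `MessageIsCompatible` are hypothetical names, and `std::tuple` stands in for an IPDL struct.

```cpp
// Added example: stand-in types only, none of this is Gecko code.
#include <cstdint>
#include <cstdio>
#include <tuple>

// Stand-ins for toplevel protocols. POther is a hypothetical protocol that
// is not based on PBackground or PContent.
struct PContent {};
struct PBackground {};
struct POther {};
struct Blob {};  // stand-in for mozilla::dom::Blob

// Default: a type may be sent over any toplevel protocol.
template <typename T, typename P>
inline constexpr bool IPDLMaySend = true;

// Blob is denied by default, then allowed for PContent and PBackground.
template <typename P>
inline constexpr bool IPDLMaySend<Blob, P> = false;
template <>
inline constexpr bool IPDLMaySend<Blob, PContent> = true;
template <>
inline constexpr bool IPDLMaySend<Blob, PBackground> = true;

// A structured type is sendable only if every subfield is. std::tuple
// models an IPDL struct here (assumption).
template <typename P, typename... Fields>
inline constexpr bool IPDLMaySend<std::tuple<Fields...>, P> =
    (IPDLMaySend<Fields, P> && ...);

// What generated code for one message could assert: every parameter type is
// allowed on the message's toplevel protocol.
template <typename P, typename... Params>
constexpr bool MessageIsCompatible() {
  return (IPDLMaySend<Params, P> && ...);
}

using BlobRecord = std::tuple<uint32_t, Blob>;  // constructed sample struct

static_assert(MessageIsCompatible<PContent, uint32_t, Blob>(), "Type is incompatible");
static_assert(MessageIsCompatible<PBackground, BlobRecord>(), "Type is incompatible");
// Written as a static_assert, this nested Blob over POther would stop the build.
constexpr bool kOtherAllowed = MessageIsCompatible<POther, BlobRecord>();

int main() {
  std::printf("BlobRecord over POther allowed: %s\n", kOtherAllowed ? "yes" : "no");
  return 0;
}
```

The tuple specialization is what catches a `Blob` hidden inside a struct, which a check on top-level parameter types alone would miss.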