1// Copyright 2014 The Chromium Authors. All rights reserved.
2// Use of this source code is governed by a BSD-style license that can be
3// found in the LICENSE file.
4
5// Functions to help with verifying various |Mojo...Options| structs from the
6// (public, C) API. These are "extensible" structs, which all have |struct_size|
7// as their first member. All fields (other than |struct_size|) are optional,
8// but any |flags| specified must be known to the system (otherwise, an error of
9// |MOJO_RESULT_UNIMPLEMENTED| should be returned).
10
11#ifndef MOJO_EDK_SYSTEM_OPTIONS_VALIDATION_H_
12#define MOJO_EDK_SYSTEM_OPTIONS_VALIDATION_H_
13
14#include <stddef.h>
15#include <stdint.h>
16
17#include <algorithm>
18
19#include "base/logging.h"
20#include "base/macros.h"
21#include "mojo/edk/system/system_impl_export.h"
22#include "mojo/public/c/system/types.h"
23
24namespace mojo {
25namespace edk {
26
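// Validating reader for a caller-supplied, variable-size ("extensible")
// |Options| struct whose first member is |struct_size|.
//
// The reader does not copy the struct; it stores the pointer passed to the
// constructor, so the struct must stay alive for as long as the reader is used.
//
// NOTE(review): |HasMember()| and |options()| both read through that pointer
// each time they are called. If the caller's memory can change while the
// reader is in use, a size check and a later member read may observe
// different values -- confirm that callers rule this out.
template <class Options>
class UserOptionsReader {
 public:
  // Constructor from a |const Options*| (which it checks -- this constructor
  // has side effects!): it |CHECK()|s that |options| is non-null and aligned to
  // |MOJO_ALIGNOF(Options)|.
  // If the declared |struct_size| is too small to hold |struct_size| itself
  // (see |GetSizeForReader()|), the reader is left invalid and |is_valid()|
  // returns false.
  explicit UserOptionsReader(const Options* options) {
    CHECK(options && IsAligned<MOJO_ALIGNOF(Options)>(options));
    options_ = GetSizeForReader(options) == 0 ? nullptr : options;
    static_assert(offsetof(Options, struct_size) == 0,
                  "struct_size not first member of Options");
    // TODO(vtl): Enable when MSVC supports this (C++11 extended sizeof):
    //   static_assert(sizeof(Options::struct_size) == sizeof(uint32_t),
    //                 "Options::struct_size not a uint32_t");
    // (Or maybe assert that its type is uint32_t?)
  }

  // True if the constructor accepted the declared |struct_size|.
  bool is_valid() const { return !!options_; }

  // Returns the caller's struct. Only valid if |is_valid()|. The declared
  // |struct_size| may be smaller than |sizeof(Options)|, so a member should
  // only be read after |HasMember()| has confirmed that it is present.
  const Options& options() const {
    DCHECK(is_valid());
    return *options_;
  }

  // Checks that the given (variable-size) |options| passed to the constructor
  // (plausibly) has a member at the given offset with the given size. You
  // probably want to use |OPTIONS_STRUCT_HAS_MEMBER()| instead.
  bool HasMember(size_t offset, size_t size) const {
    DCHECK(is_valid());
    // |offset| and |size| should come from |offsetof(Options, some_member)| and
    // |sizeof(Options::some_member)|, respectively. The comparison is written
    // with a subtraction rather than |offset + size| so that a pair whose sum
    // would wrap around |size_t| is rejected instead of being accepted.
    const size_t struct_size = static_cast<size_t>(options().struct_size);
    return size <= struct_size && offset <= struct_size - size;
  }

 private:
  // Returns 0 if the declared |struct_size| is smaller than |sizeof(uint32_t)|
  // (i.e., too small to contain |struct_size| itself); otherwise returns the
  // declared size clamped to |sizeof(Options)|. The constructor only uses the
  // zero/non-zero distinction.
  static inline size_t GetSizeForReader(const Options* options) {
    // Reads the first four bytes of the struct as |struct_size|. This relies on
    // |struct_size| being the first member (asserted in the constructor) and on
    // it being a |uint32_t| (not yet asserted; see the TODO in the
    // constructor).
    uint32_t struct_size = *reinterpret_cast<const uint32_t*>(options);
    if (struct_size < sizeof(uint32_t))
      return 0;

    return std::min(static_cast<size_t>(struct_size), sizeof(Options));
  }

  // True if |pointer| is a multiple of |alignment| bytes.
  template <size_t alignment>
  static bool IsAligned(const void* pointer) {
    return reinterpret_cast<uintptr_t>(pointer) % alignment == 0;
  }

  // Caller-owned struct, or null if the reader is invalid.
  const Options* options_;

  DISALLOW_COPY_AND_ASSIGN(UserOptionsReader);
};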
81
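// Macro to invoke |UserOptionsReader<Options>::HasMember()| parametrized by
// member name instead of offset and size.
//
// (We can't just give |HasMember()| a member pointer template argument instead,
// since there's no good/strictly-correct way to get an offset from that.)
//
// |reader| is parenthesized in the expansion so that any expression (e.g.,
// |*reader_ptr|) can be passed. It appears twice, but the second use is the
// operand of |sizeof| and is therefore not evaluated.
//
// TODO(vtl): With C++11, use |sizeof(Options::member)| instead of (the
// contortion below). We might also be able to pull out the type |Options| from
// |reader| (using |decltype|) instead of requiring a parameter.
#define OPTIONS_STRUCT_HAS_MEMBER(Options, member, reader) \
  (reader).HasMember(offsetof(Options, member),            \
                     sizeof((reader).options().member))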
93
94}  // namespace edk
95}  // namespace mojo
96
97#endif  // MOJO_EDK_SYSTEM_OPTIONS_VALIDATION_H_
98