Mojo 2 Guide

[Slikk Huisenga]

Mojois Chrome's new IPC system and provides lots of useful abstractions. These abstractions can make it easier to write code that makes interprocess calls, but can also add significant complexity. Below are some recommendation from Mojo and IPC reviewers for best practices.

This is the overriding principle for all guidelines in this section. When receiving data from a less trusted process, treat the data as if it were generated by a malicious adversary. Message handlers cannot assume that offsets are valid, calculations won't overflow, et cetera.

For example, the browser process must not (fully) trust the renderer's claims about origins. The browser process should already know what origin the renderer is evaluating, and thus should already have this data (for example, see RenderFrameHost::GetLastCommittedOrigin()). Thus, a method that requires passing an origin from the renderer to the browser process has a conceptual error, and quite possibly, a vulnerability.

Mojo interfaces often cross privilege boundaries. Having well-defined interfaces that don't contain stubbed out methods or unused parameters makes it easier to understand and evaluate the implications of crossing these boundaries. Several common areas to watch out for:

Platform-specific functionality should only be defined on the platforms where it is implemented. Use the Mojo EnableIf annotation to guard definitions that should only be visible in certain build configurations.

Reviewing IPC requires reviewing a concrete implementation of the Mojo interface, to evaluate how the (possibly untrustworthy) inputs are used, what outputs are produced, et cetera. If a method is not yet implemented, do not define it in the interface.

Using a kCount sentinel complicates switch statements and makes it harder to enforce invariants: code needs to actively enforce that the otherwise invalid kCount sentinel value is not incorrectly passed around.

When creating new Mojo services in the browser process (exposed to the renderer via BrowserInterfaceBrokers in a host object like RenderFrameHostImpl, DedicatedWorkerHost, etc.), one approach is to have the interface implementation be owned by the Receiver using mojo::MakeSelfOwnedReceiver. From the mojo::MakeSelfOwnedReceiver declaration:

A common mistake based on the last assumption above is to store and use a raw pointer to the RenderFrameHostImpl object in the interface implementation. If the Receiver outlives the RenderFrameHostImpl and uses the pointer to it, a Use-After-Free will occur. One way a malicious site or compromised renderer could make this happen is to generate lots of messages to the interface and then close the frame. The Receiver might have a backlog of messages to process before it gets the message indicating that the renderer's Remote was closed, and the RenderFrameHostImpl can be destroyed in the meantime.

Similarly, it's not safe to assume that the Profile object (and objects owned by it; StoragePartitionImpl, for instance) will outlive the Receiver. This has been observed to be true for at least incognito windows, where a renderer can generate messages, close the page, and cause the entire window to close (assuming no other pages are open), ultimately causing the OffTheRecordProfileImpl object to be destroyed before the Receiver object.

Using DocumentService or DocumentUserData instead of mojo::MakeSelfOwnedReceiver for document-based interfaces where the interface implementation needs access to a RenderFrameHostImpl object. See the DocumentService declaration for more details.

Having the Receiver and/or interface implementation be owned by the object it relies on (for instance, store the Receiver in a private member or use a mojo::UniqueReceiverSet for storing multiple Receiver / interface implementation pairs).

Note that using the callback wrappers in the renderer is often unnecessary. Message pipes are typically closed as part of a Document shutting down; since many Blink objects already inherit blink::ContextLifecycleObserver, it is usually more idiomatic to use this signal to perform any needed cleanup work.

Creating a typemap and defining a StructTraits specialization moves the complexity of serialization, deserialization, and validation into a central location. We universally recommend this over defining TypeConverter specializations: when a value fails deserialization, the receiver method will never even be invoked. As a bonus, it also reduces the number of copies during serialization and deserialization. ?

Where possible, StructTraits should be returning const references or simple read-only views of the data. Having to create temporary data structures during serialization should be rare, and it should be even rarer to mutate the input argument.

A StructTraits specialization is almost always fully specialized. Only define StructTraits methods inline in the header if the method is a simple getter that returns a reference, pointer, or other simple POD. Define all other methods out-of-line to avoid code bloat.

There are some instances where it is simply not possible to define a StructTraits for type mapping: this commonly occurs with Blink IDL and Oilpan types. In these instances, add a TypeConverter specialization rather than defining a one-off conversion function. This makes it easier to search for and audit code that does potentially risky type conversions.

mojo::ReceiverSet implies multiple clients may connect. If this actually isn't the case, please do not use it. For example, if an interface can be rebound, then use the singular mojo::Receiver and simply reset() the existing receiver before reusing it.

While validation should be done inside StructTraits specializations when possible, there are situations where additional checks, e.g. overflow checks, are needed outside of StructTraits specializations. Use mojo::ReportBadMessage() or mojo::GetBadMessageCallback() to reject bad input in these situations. Under the hood, this may record UMAs, kill the process sending bad input, et cetera.

Unfortunately, there are no strongly established conventions here. Most code tends to write manual conversion helpers and throw an exception on conversion failure. See NfcTypeConverter.java as one example of how to write conversion code.

EnumTraits generally do not add much value: incoming Mojo enum values are already validated before typemapping, so it is guaranteed that the input value to EnumTraits::FromMojom() is already a valid enum value, so the method itself is just a bunch of boilerplate to map between two very similarly named, yet slightly different, enums.

Message pipes are fairly inexpensive, but they are not free either: it takes 6 control messages to establish a message pipe. Keep this in mind: if the interface is used relatively frequently, connecting once and reusing the interface pointer is probably a good idea.

BigBuffer uses shared memory to make passing large messages fast. When shmem is backing the message, it may be writable in the sending process while being read in the receiving process. If a BigBuffer is received from an untrustworthy process, you should make a copy of the data before processing it to avoid time-of-check time-of-use (TOCTOU) bugs. The size() of the data cannot be manipulated.

WebUI renderers sometimes need to call special, powerful IPC endpoints in a privileged process. It is important to enforce the constraint that the privileged callee previously created and blessed the calling process as a WebUI process, and not as a (potentially compromised) web renderer or other low-privilege process.

Sometimes, there will be powerful new features that are not yet turned on by default, such as behind a flag, Finch trial, or origin trial. It is not safe to check for the feature's availability on the renderer side (or in another low-privilege process type). Instead, ensure that the check is done in the process that has power to actually enact the feature. Otherwise, a compromised renderer could opt itself in to the feature! If the feature might not yet be fully developed and safe, vulnerabilities could arise.

What're you doing to the rod? Your leader knot is probably too big with tag ends, or reeling a swivel through. The low riders on the mojos are nice guides, all three guys I fish with have them, and put them through hell and haven't had any issues with them. The blanks themselves, yes but not the guides. May be covered under the warranty, or just take it to a tackle shop, easy fix.

Are these really glued in or are they press fit? I have another brand of rod with press fit rings and it is impossible to get the popped ring back inside the frame on that one. Manufacturer says the whole guide needs replacing.

I have epoxied rings back in guides and had no problems for years. The guide was originally put together with epoxy. As long as the guide frame is not bent a slow cure 2 part waterproof epoxy will work. The hardest part is getting the ring back into the guide. I have used clamps with plastic/rubber jaws on ones that are very tight, most of the time it works sometimes it does not and the ring breaks. I have seen people sand the frame to make it fit a little easier. I usually just clean it good, a light sanding to get a good clean surface for the epoxy to bond to. I know people who have repaired rods this way as an emergency fix and years later the guide is fine. I Have done it on heavers casting 80lb shock leaders and not had a problem with the knot knocking the ring out. Sounds like something is wrong if you had a couple pop out. I would contact St. Croix before doing anything yourself. They are a great company to work with and should take care of you. Let us know what happens.

They may send you a guide but they will not send you just the insert. The only reason I mentioned the method of using epoxy to replace the ring was that I thought you had the ring. Putting the guide on is a little more of a job, you will need thread and rod finish. If I were you I would send it back to St Croix.

i had a guide problem with my St. Croix which was a year old. When i called them they said it might not be covered and it would be cheaper to get it fixed at a local tackle shop. It was a cheaper option then shipping it back to St Croix. Also the shop only had it for the night.

3a8082e126