* Increase the matching timeout to 5s (there are some hints the failures
on Travis are timing related)
* Replace the relative timeout in the waitset by a timestamp so that it
gives up after the specified timeout regardless of the number of
events that occur
Signed-off-by: Erik Boasson <eb@ilities.com>
* Compute the time at which the handshake must have completed from the
initial timeout specification, rather than using it as a timeout for
the individual steps of the handshake
* If the handshake fails because an expected message is not present,
print this, including whether the timeout occured because the message
queue was empty or because the expected message could not be found in
a non-empty queue.
* Replace the 0.5s per-step timeout to a single 2s timeout.
Signed-off-by: Erik Boasson <eb@ilities.com>
When defining a new topic, typically the serializer instructions that
are usually in constant memory and generated by the IDL compiler are
copied into memory managed by the Cyclone implementation. For this it
needs to compute the size of the serializer, which the IDL compiler
doesn't provide. It does this by effectively dry-running the
program. (Note that it doesn't validate the program.)
All but the JSR operations move the program counter forward, but the JSR
operation can cause it to go backward instead and allows implementing
recursive types (the IDL compiler doesn't support them, but one might
decide to work around that limitation). When dry-running the program,
following a backwards jump can cause a non-terminating loop.
The jump could potentially be to an unexplored address and so ignoring
all backwards jumps potentially means it skips part of the program. As
this is not a validator and the program can always be arranged so that a
following a backwards jump is not relevant to computing the size
correctly, this is reasonable approximation.
Signed-off-by: Erik Boasson <eb@ilities.com>
The dds_wait_for_acks function follows the DCPS specification and allows
waiting for all matching readers to have acknowledged all data written
prior to that point. This commit leaves the API unchanged but extends
the implementation to make it possible to wait until a specific reader
has acknowledged everything, as this is a useful device in testing with
deliberate one-way disconnections using dds_domain_set_deafmute.
Signed-off-by: Erik Boasson <eb@ilities.com>
In particular, this means instances published by a transient-local
writer will go back to ALIVE following a disconnect and reconnect.
Signed-off-by: Erik Boasson <eb@ilities.com>
This leaves the argument pointer in the destination unchanged, rather
than resetting it to an irrelevant value.
Signed-off-by: Erik Boasson <eb@ilities.com>
The memory allocation in deserializing property lists within the crypto
code should not trust the deserialized length and try to allocate that
much memory but should first verify that the length is consistent with
the number of bytes remaining in the input. (Noted by Coverity as use
of tainted data.)
Signed-off-by: Erik Boasson <eb@ilities.com>
Sending a heartbeat to all matched readers for the P2P builtin
participant volatile secure writer unlocks the writer before pushing
each individual message out, and so determining the time of the next
heartbeat event before writing and updating it afterwards means the
state may have changed. While this is appears benign, it is better to
do the update atomically.
Signed-off-by: Erik Boasson <eb@ilities.com>
The security plugins currently use the standardized representations of
octet sequences, unlike the DDSI stack's internal representation. A
shallow copy is therefore not simply a memcpy.
Signed-off-by: Erik Boasson <eb@ilities.com>
Coverity has difficulty observering that dds_entity_pin /
ddsrt_mutex_lock / dds_entity_unlock is correct. It is perhaps a bit
confusing, so change it.
Signed-off-by: Erik Boasson <eb@ilities.com>
A few failures to signal DATA_AVAILABLE (as well as some where it was
signalled unnecessarily) were discovered while refactoring the RHC
despite the tests all passing. Clearly the tests were inadequate.
The enormous amount of boilerplate in the tests prompted a small rewrite
to a programmable listener invocation tester that one simply feeds a
noise-like one-liner in a string. This trades the boilerplate for
somewhat inscrutable code.
Signed-off-by: Erik Boasson <eb@ilities.com>
One cannot create writers for built-in topics, therefore one generally
does not create samples for them. However, one can lookup an instance
handle from a sample with just a key value in it, and so the function is
needed.
Signed-off-by: Erik Boasson <eb@ilities.com>
The standard defines GUIDs as an array of 16 uint8_t and so they are
presented on the network and in built-in topic samples. Internally they
are arrays of 4 uint32_t, requiring byte-order conversion.
A keyhash is also an array of 16 uint8_t, and used almost exclusively on
the network. The exception is the generation of built-in topic samples,
which relies on the "from_keyhash" function. One would expect the
keyhash here to contain the GUID in the external representation, and
this commit adds the byte-order conversions to conform to the
expectation.
Signed-off-by: Erik Boasson <eb@ilities.com>
Disposing an instance would only add an invalid sample if the instance
is empty, but it should also do so when the latest sample is read.
Otherwise reading all NOT_READ samples gives nothing or nonsensical
output.
Signed-off-by: Erik Boasson <eb@ilities.com>
Use of an auto-dispose writer meant the NO_WRITERS case did not actually
get tested. The behaviour of the implementation was to generate
deadline missed notifications for such instances, but the test expected
otherwise.
There is a disagreement between different DDS implementations on the
desirability of generating deadline missed notifications for NOT_ALIVE
instances. Deadline notifications on DISPOSED instances seems silly, as
it means end-of-life. Deadline notifications on a NO_WRITERS instance
are certainly valuable for applications that don't pay attention to the
number of writers (otherwise one has to monitor both liveliness changed
and deadline missed notifications to be be sure to get some
notification).
Different usage patterns definitely affect what is desirable and I doubt
one-size-fits-all is the right approach. This commit changes the test
and retains the behaviour, and if it errs, it at least errs on the side
of caution.
Signed-off-by: Erik Boasson <eb@ilities.com>
The entire point of this test program is to exercise the RHC while
checking its internal state. The likelihood of (at least some)
forgetting to enable the "expensive" checks has been proven to be
significant.
Signed-off-by: Erik Boasson <eb@ilities.com>
This changes the behaviour of auto-dispose writers: instead of always
disposing when the writer disposes the data, it now only disposes the
data when the instance would otherwise go to the "no writers" state.
This only affects the behaviour when there are multiple writers for the
same instance.
In case the writers use a different value for the auto-dispose setting,
it now tracks whether an instance has ever been touched by an writer
with auto-dispose enabled, and treats auto-disposes the instance when
the last writer leaves if this is the case. This way, if an instance is
registered by one auto-dispose and one non-auto-dispose writer, the
order of unregistering does not matter.
Signed-off-by: Erik Boasson <eb@ilities.com>
Deadline registration, renewal and deregistration was somewhat spread
through the code and relied on the "isdisposed" flag as a proxy for
whether it was registered or not. This consolidates the deadline
handling code in a final step of updating the instance and uses a
separate flag to track whether the instance is currently registered in
the deadline administration or not.
This also makes it possible to trivially change the rules for when
deadline notifications are required, and so allows for, e.g., adding a
mode in which instances in the "no writers" state do not trigger any
deadline missed notifications, or just once (both of which seem useful
modes).
Signed-off-by: Erik Boasson <eb@ilities.com>
Do not pass a dangling pointer to update_conditions_locked after
dropping an instance. The dangling pointer did not actually get
dereferenced because of the state changes caused by dropping the
samples, but that is cutting a bit fine.
Signed-off-by: Erik Boasson <eb@ilities.com>
Scanning all instances was never good for anything: the RHC is organised
as hash table on instance id (which is an alias for "instance handle")
and it was always designed to do this with a fast lookup.
Signed-off-by: Erik Boasson <eb@ilities.com>
* Add a flag to indicate signed integral values and one to indicate
floating-point values
* Set these flags in the output of idlc
* Use them when printing sample contents to the trace
By encoding the information as flags in reserved bits the actual
serialization and deserialization is unaffected.
Signed-off-by: Erik Boasson <eb@ilities.com>
Introduced a test that checks for the correct matching behavious for combinations
of the read/write access control settings in the governance xml (enable read/write
access control in the topic rules) and in the permissions xml (the publish/subscribe
grants for a topic).
Signed-off-by: Dennis Potman <dennis.potman@adlinktech.com>
Add validate_local_permissions to the set of access control plugin
hooks tests, and add discovery_protection_enabled as an additional
parameter for the access control hook tests.
Signed-off-by: Dennis Potman <dennis.potman@adlinktech.com>
Add testing liveness protection to the existing discovery protection
test. The test checks if the P2P_BUILTIN_PARTICIPANT_MESSAGE_SECURE_WRITER
is using the encode_decode_submessage function of the crypto plugin
to secure liveliness messages.
Signed-off-by: Dennis Potman <dennis.potman@adlinktech.com>
A test that checks that the security handshake fails in case of non-matching
encoding settings in the governance xml. All combinations of values for
rtps, discovery and liveliness protection are checked. For meta-data and
payload encoding, this test checks that a reader and writer do not connect
in case of non-matching values.
Signed-off-by: Dennis Potman <dennis.potman@adlinktech.com>
