Value and size constraints in DBus Introspection XML

Matthew Bromley-Barratt matthew at twobravo.org.uk
Wed Aug 21 19:14:18 UTC 2019


>> Whenever I've found myself having interdependencies between message
>> fields ... I've often found that that's an indication that I'm not
>> constructing a very good schema.

> Consider a simple example, where I have the heating in my office controlled by a Raspberry π, and the server process accepts control messages via D-Bus. I can send it a temperature at which to switch on, and another temperature at which to switch off. The first temperature must be lower than the second one. Getting these the wrong way round could lead to a thermal runaway situation that makes my office a rather unpleasant place to be in.



Well now, we wouldn't want that!



In that example I'd say that alternative parameters might be the first temperature with a constrained range, and a delta temperature which must be positive and also with a constrained range. That takes care of the second temperature having to be higher than the first.



Though of course this is imperfect. If there's a maximum that the second temperature must not exceed and if the system allows the first temperature to be closer to that than the largest permitted delta, simple value constraints don't fully enforce the rules. Whether one is actually better off as a developer is questionable; one would end up with heating that doesn't run away, but never switches off. You'd be in just as unpleasant a situation, but at least it was because you'd asked to be; the first temperature has to be close to system maximum temperature.



So this is indeed an easy example of the limitations of what I'm suggesting. However, I contend that an option to constrain values / sizes is worth it, as there are plenty of situations where that simple approach is sufficiently exact.



Do you think it'd be worth the bother of implementing all that would be necessary (principally, changing the code generators, etc.)? I've no idea of the bug rate actually encountered in D-Bus servers due to a failure to validate parameters / lengths properly. Have services been broken by sending arrays that are too large, or out-of-spec values? Is such an event of any real consequence if all the services one is typically permitted to interact with are all running at the same user privileges?



I'm quite happy if the consensus is "not worth it" :)
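As an added example (not from this thread or the D-Bus project), a Python sketch of the base-plus-delta schema discussed above: per-argument ranges are read from hypothetical org.example.Min/Max annotations in the introspection XML, and the system-maximum rule that such value constraints cannot express is checked separately in the handler. The annotation names, the SetThresholds method, the ranges and the 32.0 ceiling are all assumptions.

```python
"""Check D-Bus method arguments against hypothetical range annotations."""
import xml.etree.ElementTree as ET

# Constructed introspection fragment. The org.example.* annotation names are
# an assumption for illustration; D-Bus defines no such constraint annotations.
INTROSPECTION_XML = """
<node>
  <interface name="org.example.Heating">
    <method name="SetThresholds">
      <arg name="on_temp" type="d" direction="in">
        <annotation name="org.example.Min" value="5.0"/>
        <annotation name="org.example.Max" value="30.0"/>
      </arg>
      <arg name="delta" type="d" direction="in">
        <annotation name="org.example.Min" value="0.5"/>
        <annotation name="org.example.Max" value="10.0"/>
      </arg>
    </method>
  </interface>
</node>
"""

SYSTEM_MAX_TEMP = 32.0  # assumed hardware ceiling for the switch-off temperature

def load_constraints(xml_text, method):
    """Return {arg_name: (min, max)} for the 'in' args of one method."""
    root = ET.fromstring(xml_text)
    bounds = {}
    for arg in root.iterfind(f".//method[@name='{method}']/arg[@direction='in']"):
        lo = hi = None
        for ann in arg.iterfind("annotation"):
            if ann.get("name") == "org.example.Min":
                lo = float(ann.get("value"))
            elif ann.get("name") == "org.example.Max":
                hi = float(ann.get("value"))
        bounds[arg.get("name")] = (lo, hi)
    return bounds

def check_ranges(bounds, args):
    """Per-argument check of the kind a code generator could emit from the XML."""
    for name, value in args.items():
        lo, hi = bounds[name]
        if (lo is not None and value < lo) or (hi is not None and value > hi):
            return False
    return True

def set_thresholds(bounds, on_temp, delta):
    """Handler: generated range check first, then the cross-field rule the XML
    cannot express (the derived off temperature must not exceed the system max)."""
    if not check_ranges(bounds, {"on_temp": on_temp, "delta": delta}):
        return "rejected: out of range"
    off_temp = on_temp + delta  # ordering holds because delta's Min is positive
    if off_temp > SYSTEM_MAX_TEMP:
        return "rejected: off temperature exceeds system max"
    return f"ok: on={on_temp} off={off_temp}"
```

A negative delta is caught by the generated range check alone, while the over-ceiling case only fails because of the extra handler rule.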
