Stabilize core Mojo ABI

Removes the last dubious API surface (size_t usage) in the core ABI and
documents the ABI as stable.

Bug: 822034,819046
Change-Id: I60438dd6613d45738514a92ce8c21777b859bfee
Reviewed-on: https://chromium-review.googlesource.com/1062932Reviewed-by: Jay Civelli <jcivelli@chromium.org>
Commit-Queue: Ken Rockot <rockot@chromium.org>
Cr-Commit-Position: refs/heads/master@{#559348}

mojo/edk/embedder/entrypoints.cc

@@ -122,7 +122,7 @@ MojoResult MojoGetMessageContextImpl(
 MojoResult MojoNotifyBadMessageImpl(
     MojoMessageHandle message,
     const char* error,
-    size_t error_num_bytes,
+    uint32_t error_num_bytes,
     const MojoNotifyBadMessageOptions* options) {
   return g_core->NotifyBadMessage(message, error, error_num_bytes, options);
 }

mojo/edk/system/multiprocess_message_pipe_unittest.cc

@@ -1373,16 +1373,19 @@ TEST_F(MultiprocessMessagePipeTest, NotifyBadMessage) {
       MojoMessageHandle message;
       ASSERT_EQ(MOJO_RESULT_OK, ::MojoReadMessage(a, nullptr, &message));
       EXPECT_EQ(MOJO_RESULT_OK,
-                MojoNotifyBadMessage(message, kFirstErrorMessage.data(),
-                                     kFirstErrorMessage.size(), nullptr));
+                MojoNotifyBadMessage(
+                    message, kFirstErrorMessage.data(),
+                    static_cast<uint32_t>(kFirstErrorMessage.size()), nullptr));
       EXPECT_EQ(MOJO_RESULT_OK, MojoDestroyMessage(message));
 
       // Read a message from the pipe we sent to child2 and flag it as bad.
       ASSERT_EQ(MOJO_RESULT_OK, WaitForSignals(c, MOJO_HANDLE_SIGNAL_READABLE));
       ASSERT_EQ(MOJO_RESULT_OK, ::MojoReadMessage(c, nullptr, &message));
-      EXPECT_EQ(MOJO_RESULT_OK,
-                MojoNotifyBadMessage(message, kSecondErrorMessage.data(),
-                                     kSecondErrorMessage.size(), nullptr));
+      EXPECT_EQ(
+          MOJO_RESULT_OK,
+          MojoNotifyBadMessage(
+              message, kSecondErrorMessage.data(),
+              static_cast<uint32_t>(kSecondErrorMessage.size()), nullptr));
       EXPECT_EQ(MOJO_RESULT_OK, MojoDestroyMessage(message));
 
       WriteMessage(child2, "bye");

mojo/public/c/system/message_pipe.h

@@ -591,7 +591,7 @@ MojoGetMessageContext(MojoMessageHandle message,
 MOJO_SYSTEM_EXPORT MojoResult
 MojoNotifyBadMessage(MojoMessageHandle message,
                      const char* error,
-                     size_t error_num_bytes,
+                     uint32_t error_num_bytes,
                      const struct MojoNotifyBadMessageOptions* options);
 
 #ifdef __cplusplus

mojo/public/c/system/thunks.cc

@@ -307,7 +307,7 @@ MojoResult MojoGetMessageContext(MojoMessageHandle message,
 
 MojoResult MojoNotifyBadMessage(MojoMessageHandle message,
                                 const char* error,
-                                size_t error_num_bytes,
+                                uint32_t error_num_bytes,
                                 const MojoNotifyBadMessageOptions* options) {
   return g_thunks.NotifyBadMessage(message, error, error_num_bytes, options);
 }

mojo/public/c/system/thunks.h

@@ -13,13 +13,24 @@
 #include "mojo/public/c/system/core.h"
 #include "mojo/public/c/system/system_export.h"
 
-// Structure used to bind the basic Mojo Core functions to an embedder
-// implementation. This is intended to eventually be used as a stable ABI
-// between a Mojo embedder and some loaded application code, but for now it is
-// still effectively safe to rearrange entries as needed.
+// This defines the *stable*, foward-compatible ABI for the Mojo Core C library.
+// As such, the following types of changes are DISALLOWED:
+//
+//   - DO NOT delete or re-order any of the fields in this structure
+//   - DO NOT modify any function signatures defined here
+//   - DO NOT alter the alignment of the stucture
+//
+// Some changes are of course permissible:
+//
+//   - DO feel free to rename existing fields if there's a good reason to do so,
+//     e.g. deprecation of a function for all future applications.
+//   - DO add new functions to the end of this structure, but ensure that they
+//     have a signature which lends itself to reasonably extensible behavior
+//     (e.g. an optional "Options" structure as many functions here have).
+//
 #pragma pack(push, 8)
 struct MojoSystemThunks {
-  size_t size;  // Should be set to sizeof(MojoSystemThunks).
+  uint32_t size;  // Should be set to sizeof(MojoSystemThunks).
 
   MojoResult (*Initialize)(const struct MojoInitializeOptions* options);
 
@@ -81,7 +92,7 @@ struct MojoSystemThunks {
   MojoResult (*NotifyBadMessage)(
       MojoMessageHandle message,
       const char* error,
-      size_t error_num_bytes,
+      uint32_t error_num_bytes,
       const struct MojoNotifyBadMessageOptions* options);
 
   // Data pipe API.

mojo/public/cpp/system/message.h

@@ -9,6 +9,7 @@
 #include <vector>
 
 #include "base/macros.h"
+#include "base/numerics/safe_conversions.h"
 #include "base/strings/string_piece.h"
 #include "mojo/public/c/system/message_pipe.h"
 #include "mojo/public/cpp/system/handle.h"
@@ -90,8 +91,9 @@ inline MojoResult GetMessageData(MessageHandle message,
 inline MojoResult NotifyBadMessage(MessageHandle message,
                                    const base::StringPiece& error) {
   DCHECK(message.is_valid());
-  return MojoNotifyBadMessage(message.value(), error.data(), error.size(),
-                              nullptr);
+  DCHECK(base::IsValueInRangeForNumericType<uint32_t>(error.size()));
+  return MojoNotifyBadMessage(message.value(), error.data(),
+                              static_cast<uint32_t>(error.size()), nullptr);
 }
 
 }  // namespace mojo