Then, use FilterExceptions to filter out any exceptions that aren't
declared in the calling method's exception spec. Note that this isn't
perfect: Java's checks for typed exceptions prevents an *extra*
exception from being thrown this way, but it's still possible to
forget to *allow* an exception using FilterExceptions.
This is 99% a mechanical change; the interesting bit is in
gen_java_decl.py and one unusual pattern in NativeErrorsTest.java. No
exception specs were changed here.
These methods wrap any unexpected checked exceptions in AssertionError
after logging them. The next commit will use this to enforce our
exception specifications for methods that wrap JNI calls.
The bridge_get! macro assumes every getter ought to be allowed to
fail, which isn't really correct but can be revisited later.
ProtocolAddress is simple enough to manually avoid that, though.
Use the class loader from the main thread to cache java.lang.Class
instances for some libsignal classes.
This enables constructing instances of libsignal classes on threads
where the classes aren't accessible via the default class loader. This
can occur on Android, where threads spawned via the native API only get
access to the system class loader, not the application loader that has
access to the application's class files. Since Tokio worker threads are
spawned via the native API, and the completion process for async tasks
converts results to Java objects, application class instances can't be
used there unless they are preloaded.
Since classes used in client code are only included in the client .jar
file, failure to load classes is a normal occurrence. If there are ever
separate builds for server and client .so library files, this could be
changed to a fatal error.
Fix a bug in validation of the Call proto: the conversationRecipientId
identifies a recipient, not a chat. Add a test case that only has a call with a
recipient, not a chat.
Run tests that call native TESTING_ functions on Android. This requires
building a separate version of libsignal_jni.so with the testing functions
included. The test code is still omitted from the published artifacts.
Clean the contents of the default target directory before switching.
This should hopefully help us to avoid running out of disk space during
the following steps (running cross-version tests).
CDSI error handling code would attempt to instantiate a nonexistent Java class.
Add the missing class and split up the handling for CDSI lookup errors to reuse
existing error types.
The device_transfer crate is very conservative about internal
failures, but there's nothing an app-level caller can do about such a
problem, so it might as well be subsumed in panic catching.
And in the bridge layer, use panics instead of Result for the
programmer error of using an encryption/decryption stream after
finalization, eliminating the need for the InvalidState error.
(By "infallible operations", I mean operations which have no possible
failure according to the specification of their associated algorithm:
AES-CTR and AES-GCM are stream ciphers that can always operate on
arbitrary buffers.)
Remove the Result types from the Rust functions that only every return Ok.
Unwrap Result<T> return types for bridge functions that only ever return Ok.
Check that timestamps in messages are within a reasonable range when converting
them from milliseconds, logging if they're not. Convert duration values
expressed in milliseconds into a native type.
Use the string bridging code introduced previously to provide string arrays to
client directly instead of joining and splitting. This eliminates the use of a
magic ',' character as a delimiter.
The Swift helper invokeFnReturningStringArray was using the wrong
indices when slicing up the concatenated strings to produce individual
values. Instead of advancing the base pointer by the N bytes read for a
given string, the base pointer was adjusted to point to LEN - N. This
wasn't detected by the bridging test case since it passed two strings
over, both of length three. For two strings with the same length, the
buggy and corrected code have the same behavior!
This patch adjusts the test case to include strings of different
lengths and fixes the now-revealed bug.
For all enum types in backup.proto that have an UNKNOWN variant, check that
fields of those types do not contain the UNKNOWN value. Add the minimum code
necessary to traverse nested messages that were previously uninspected.
Re-raise errors produced by an input stream after bubbling them through Rust
code. This makes the interface less magic and avoids unnecessary
stringification of error values.