FreeBSD/Linux Kernel Cross Reference
sys/man/mach_msg.man
1 .\"
2 .\" Mach Operating System
3 .\" Copyright (c) 1991,1990 Carnegie Mellon University
4 .\" All Rights Reserved.
5 .\"
6 .\" Permission to use, copy, modify and distribute this software and its
7 .\" documentation is hereby granted, provided that both the copyright
8 .\" notice and this permission notice appear in all copies of the
9 .\" software, derivative works or modified versions, and any portions
10 .\" thereof, and that both notices appear in supporting documentation.
11 .\"
12 .\" CARNEGIE MELLON ALLOWS FREE USE OF THIS SOFTWARE IN ITS "AS IS"
13 .\" CONDITION. CARNEGIE MELLON DISCLAIMS ANY LIABILITY OF ANY KIND FOR
14 .\" ANY DAMAGES WHATSOEVER RESULTING FROM THE USE OF THIS SOFTWARE.
15 .\"
16 .\" Carnegie Mellon requests users of this software to return to
17 .\"
18 .\" Software Distribution Coordinator or Software.Distribution@CS.CMU.EDU
19 .\" School of Computer Science
20 .\" Carnegie Mellon University
21 .\" Pittsburgh PA 15213-3890
22 .\"
23 .\" any improvements or extensions that they make and grant Carnegie Mellon
24 .\" the rights to redistribute these changes.
25 .\"
26 .\"
27 .\" HISTORY
28 .\" $Log: mach_msg.man,v $
29 .\" Revision 2.5 91/12/11 08:42:36 jsb
30 .\" Updated for MK62 (sequence numbers).
31 .\" [91/11/26 11:01:07 rpd]
32 .\"
33 .\" Revision 2.4 91/05/14 17:05:36 mrt
34 .\" Correcting copyright
35 .\"
36 .\" Revision 2.3 91/02/14 14:10:44 mrt
37 .\" Changed to new Mach copyright
38 .\" [91/02/12 18:10:51 mrt]
39 .\"
40 .\" Revision 2.2 90/08/07 18:35:41 rpd
41 .\" Created.
42 .\"
43 .TH mach_msg 2 9/19/86
44 .CM 4
45 .SH NAME
46 .nf
47 mach_msg \- send and receive messages
48 .SH SYNOPSIS
49 .nf
50 .ft B
51 #include <mach/port.h>
52 #include <mach/message.h>
53
54 mach_msg_return_t
55 mach_msg(msg, option, send_size, rcv_size, rcv_name, timeout, notify)
56 mach_msg_header_t *msg;
57 mach_msg_option_t option;
58 mach_msg_size_t send_size;
59 mach_msg_size_t rcv_size;
60 mach_port_t rcv_name;
61 mach_msg_timeout_t timeout;
62 mach_port_t notify;
63 .fi
64 .ft P
65 .SH ARGUMENTS
66 .TP 12
67 .B msg
68 The address of a message buffer in the caller's address space.
69 Message buffers should be aligned on long-word boundaries.
70 .TP 12
71 .B option
72 Message options are bit values, combined with bitwise-or.
73 One or both of MACH_SEND_MSG and MACH_RCV_MSG should be used.
74 Other options act as modifiers.
75 .TP 12
76 .B send_size
77 When sending a message, specifies the size of the message buffer.
78 Otherwise zero should be supplied.
79 .TP 12
80 .B rcv_size
81 When receiving a message, specifies the size of the message buffer.
82 Otherwise zero should be supplied.
83 .TP 12
84 .B rcv_name
85 When receiving a message, specifies the port or port set.
86 Otherwise MACH_PORT_NULL should be supplied.
87 .TP 12
88 .B timeout
89 When using the MACH_SEND_TIMEOUT and MACH_RCV_TIMEOUT options,
90 specifies the time in milliseconds to wait before giving up.
91 Otherwise MACH_MSG_TIMEOUT_NONE should be supplied.
92 .TP 12
93 .B notify
94 When using the MACH_SEND_NOTIFY, MACH_SEND_CANCEL, and MACH_RCV_NOTIFY
95 options, specifies the port used for the notification.
96 Otherwise MACH_PORT_NULL should be supplied.
97 .SH DESCRIPTION
98 The \fBmach_msg\fR system call sends and receives Mach messages.
99 Mach messages contain typed data, which can include port rights
100 and references to large regions of memory.
101
102 If the \fBoption\fR argument is MACH_SEND_MSG, it sends a message.
103 The \fBsend_size\fR argument specifies the size of the message to send.
104 The \fBmsgh_remote_port\fR field of the message header specifies
105 the destination of the message.
106
107 If the \fBoption\fR argument is MACH_RCV_MSG, it receives a message.
108 The \fBrcv_size\fR argument specifies the size of the message buffer
109 that will receive the message; messages larger than \fBrcv_size\fR
110 are not received. The \fBrcv_name\fR argument specifies the port
111 or port set from which to receive.
112
113 If the \fBoption\fR argument is MACH_SEND_MSG|MACH_RCV_MSG,
114 then \fBmach_msg\fR does both send and receive operations.
115 If the send operation encounters an error (any return code
116 other than MACH_MSG_SUCCESS), then the call returns immediately
117 without attempting the receive operation. Semantically
118 the combined call is equivalent to separate send and receive calls,
119 but it saves a system call and enables other internal optimizations.
120
121 If the \fBoption\fR argument specifies neither MACH_SEND_MSG nor
122 MACH_RCV_MSG, then \fBmach_msg\fR does nothing.
123
124 Some options, like MACH_SEND_TIMEOUT and MACH_RCV_TIMEOUT,
125 share a supporting argument. If these options are used together,
126 they make independent use of the supporting argument's value.
127 .SH MAJOR CONCEPTS
128 The Mach kernel provides message-oriented, capability-based
129 interprocess communication. The interprocess communication (IPC)
130 primitives efficiently support many different styles of
131 interaction, including remote procedure calls,
132 object-oriented distributed programming, streaming of data,
133 and sending very large amounts of data.
134
135 The IPC primitives operate on three abstractions: messages,
136 ports, and port sets. User tasks access all other kernel
137 services and abstractions via the IPC primitives.
138
139 The message primitives let tasks send and receive messages. Tasks
140 send messages to ports. Messages sent to a port are delivered
141 reliably (messages may not be lost) and are received in the order in
142 which they were sent. Messages contain a fixed-size header and a
143 variable amount of typed data following the header. The header
144 describes the destination and size of the message.
145
146 The IPC implementation makes use of the VM system to efficiently
147 transfer large amounts of data. The message
148 body can contain the address of a region in the sender's address space
149 which should be transferred as part of the message. When a task
150 receives a message containing an out-of-line region of data, the data
151 appears in an unused portion of the receiver's address space. This
152 transmission of out-of-line data is optimized so that sender and
153 receiver share the physical pages of data copy-on-write, and no actual
154 data copy occurs unless the pages are written. Regions of memory up
155 to the size of a full address space may be sent in this manner.
156
157 Ports hold a queue of messages. Tasks operate on a port
158 to send and receive messages by exercising capabilities
159 for the port. Multiple tasks can hold send capabilities,
160 or rights, for a port. Tasks can also hold send-once rights,
161 which grant the ability to send a single message.
162 Only one task can hold
163 the receive capability, or receive right, for a port.
164 Port rights can be transferred between tasks
165 via messages. The sender of a message can specify in
166 the message body that the message contains a port right.
167 If a message contains a receive right for a port, then
168 the receive right is removed from the sender of the
169 message and the right is transferred to the receiver
170 of the message. While the receive right is in transit,
171 tasks holding send rights can still send messages
172 to the port, and they are queued until a task acquires
173 the receive right and uses it to receive the messages.
174
175 Tasks can receive messages from ports and port sets. The port set
176 abstraction allows a single thread to wait for a message from any of
177 several ports. Tasks manipulate port sets with a capability, or
178 port-set right, which is taken from the same space as the port
179 capabilities. The port-set right may not be transferred in a message.
180 A port set holds receive rights, and a receive
181 operation on a port set blocks waiting for a message sent to any of
182 the constituent ports. A port may not belong to more than one port
183 set, and if a port is a member of a port set, the holder of the
184 receive right can't receive directly from the port.
185
186 Port rights are a secure, location-independent way
187 of naming ports. The port queue is a protected data structure,
188 only accessible via the kernel's exported message
189 primitives. Rights are also protected by the kernel;
190 there is no way for a malicious user task to guess a port name
191 and send a message to a port to which it shouldn't have access.
192 Port rights do not carry any location information. When
193 a receive right for a port moves from task to task, and even
194 between tasks on different machines, the send rights for
195 the port remain unchanged and continue to function.
196 .SH MESSAGE FORMAT
197 A Mach message consists of a fixed size message header,
198 a \fBmach_msg_header_t\fR, followed by zero or more data items.
199 Data items are typed. Each item has a type descriptor
200 followed by the actual data (or the address of the data, for out-of-line
201 memory regions).
202
203 .nf
204 .in +5n
205 .ft B
206 typedef unsigned int mach_port_t;
207 typedef unsigned int mach_port_seqno_t;
208
209 typedef unsigned int mach_msg_bits_t;
210 typedef unsigned int mach_msg_size_t;
211 typedef int mach_msg_id_t;
212
213 typedef struct {
214 mach_msg_bits_t msgh_bits;
215 mach_msg_size_t msgh_size;
216 mach_port_t msgh_remote_port;
217 mach_port_t msgh_local_port;
218 mach_port_seqno_t msgh_seqno;
219 mach_msg_id_t msgh_id;
220 } mach_msg_header_t;
221 .fi
222 .in -5n
223 .ft R
224
225 The \fBmsgh_size\fR field
226 in the header of a received message contains the message's size.
227 The message size, a byte quantity, includes the message header,
228 type descriptors, and in-line data. For out-of-line memory regions,
229 the message size includes the size of the in-line address, not
230 the size of the actual memory region. There are no arbitrary limits
231 on the size of a Mach message, the number of data items in a message,
232 or the size of the data items.
233
234 The \fBmsgh_remote_port\fR field specifies
235 the destination port of the message. The field must carry a legitimate
236 send or send-once right for a port.
237
238 The \fBmsgh_local_port\fR field specifies
239 an auxiliary port right, which is conventionally used as a reply port
240 by the recipient of the message. The field must carry
241 a send right, a send-once right, MACH_PORT_NULL, or MACH_PORT_DEAD.
242
243 The \fBmsgh_bits\fR field has the following bits defined:
244 .nf
245 .in +5n
246 .ta 4i
247 .ft B
248 #define MACH_MSGH_BITS_REMOTE_MASK 0x000000ff
249 #define MACH_MSGH_BITS_LOCAL_MASK 0x0000ff00
250 #define MACH_MSGH_BITS_COMPLEX 0x80000000
251
252 #define MACH_MSGH_BITS_REMOTE(bits)
253 #define MACH_MSGH_BITS_LOCAL(bits)
254 #define MACH_MSGH_BITS(remote, local)
255 .fi
256 .in -5n
257 .ft R
258 The remote and local bits encode \fBmach_msg_type_name_t\fR values
259 that specify the port rights in the \fBmsgh_remote_port\fR and
260 \fBmsgh_local_port\fR fields. The remote value must specify
261 a send or send-once right for the destination of the message.
262 If the local value doesn't specify a send or send-once right
263 for the message's reply port, it must be zero and \fBmsgh_local_port\fR
264 must be MACH_PORT_NULL.
265 The complex bit must be specified if the message body contains
266 port rights or out-of-line memory regions. If it is not specified,
267 then the message body carries no port rights or memory, no matter
268 what the type descriptors may seem to indicate.
269
270 The MACH_MSGH_BITS_REMOTE and MACH_MSGH_BITS_LOCAL macros
271 return the appropriate \fBmach_msg_type_name_t\fR values,
272 given a \fBmsgh_bits\fR value.
273 The MACH_MSGH_BITS macro constructs
274 a value for \fBmsgh_bits\fR, given two \fBmach_msg_type_name_t\fR values.
275
276 The \fBmsgh_seqno\fR field provides a sequence number for the
277 message. It is only valid in received messages; its value in sent
278 messages is overwritten. The "MESSAGE RECEIVE" section discusses
279 message sequence numbers.
280
281 The \fBmach_msg\fR call doesn't use the \fBmsgh_id\fR field, but it
282 conventionally conveys an operation or function id.
283
284 Each data item has a type descriptor, a \fBmach_msg_type_t\fR or a
285 \fBmach_msg_type_long_t\fR. The \fBmach_msg_type_long_t\fR type
286 descriptor allows larger values for some fields. The
287 \fBmsgtl_header\fR field in the long descriptor is only used for its
288 inline, longform, and deallocate bits.
289
290 .nf
291 .in +5n
292 .ta 2.5i
293 .ft B
294 typedef unsigned int mach_msg_type_name_t;
295 typedef unsigned int mach_msg_type_size_t;
296 typedef unsigned int mach_msg_type_number_t;
297
298 typedef struct {
299 unsigned int msgt_name : 8,
300 msgt_size : 8,
301 msgt_number : 12,
302 msgt_inline : 1,
303 msgt_longform : 1,
304 msgt_deallocate : 1,
305 msgt_unused : 1;
306 } mach_msg_type_t;
307
308 typedef struct {
309 mach_msg_type_t msgtl_header;
310 unsigned short msgtl_name;
311 unsigned short msgtl_size;
312 unsigned int msgtl_number;
313 } mach_msg_type_long_t;
314 .fi
315 .in -5n
316 .ft R
317
318 The \fBmsgt_name\fR (\fBmsgtl_name\fR) field specifies
319 the data's type. The following types are predefined:
320 .nf
321 .in +5n
322 MACH_MSG_TYPE_UNSTRUCTURED
323 MACH_MSG_TYPE_BIT
324 MACH_MSG_TYPE_BOOLEAN
325 MACH_MSG_TYPE_INTEGER_16
326 MACH_MSG_TYPE_INTEGER_32
327 MACH_MSG_TYPE_CHAR
328 MACH_MSG_TYPE_BYTE
329 MACH_MSG_TYPE_INTEGER_8
330 MACH_MSG_TYPE_REAL
331 MACH_MSG_TYPE_STRING
332 MACH_MSG_TYPE_STRING_C
333 MACH_MSG_TYPE_PORT_NAME
334
335 MACH_MSG_TYPE_MOVE_RECEIVE
336 MACH_MSG_TYPE_MOVE_SEND
337 MACH_MSG_TYPE_MOVE_SEND_ONCE
338 MACH_MSG_TYPE_COPY_SEND
339 MACH_MSG_TYPE_MAKE_SEND
340 MACH_MSG_TYPE_MAKE_SEND_ONCE
341 .fi
342 .in -5n
343 The last six types specify port rights, and receive special treatment.
344 The next section discusses these types in detail. The type
345 MACH_MSG_TYPE_PORT_NAME describes port right names, when no rights
346 are being transferred, but just names. For this purpose, it should be used
347 in preference to MACH_MSG_TYPE_INTEGER_32.
348
349 The \fBmsgt_size\fR (\fBmsgtl_size\fR) field specifies
350 the size of each datum, in bits. For example, the \fBmsgt_size\fR
351 of MACH_MSG_TYPE_INTEGER_32 data is 32.
352
353 The \fBmsgt_number\fR (\fBmsgtl_number\fR) field specifies
354 how many data elements comprise the data item.
355 Zero is a legitimate number.
356
357 The total length specified by a type descriptor is
358 (\fBmsgt_size\fR * \fBmsgt_number\fR), rounded up
359 to an integral number of bytes. In-line data is then
360 padded to an integral number of long-words.
361 This ensures that type descriptors always start on
362 long-word boundaries. It implies that message sizes
363 are always an integral multiple of a long-word's size.
364
365 The \fBmsgt_longform\fR bit specifies, when TRUE, that this type descriptor
366 is a \fBmach_msg_type_long_t\fR instead of a \fBmach_msg_type_t\fR.
367 The \fBmsgt_name\fR, \fBmsgt_size\fR,
368 and \fBmsgt_number\fR fields should be zero. Instead, \fBmach_msg\fR
369 uses the following \fBmsgtl_name\fR, \fBmsgtl_size\fR,
370 and \fBmsgtl_number\fR fields.
371
372 The \fBmsgt_inline\fR bit specifies, when FALSE, that the data
373 actually resides in an out-of-line region.
374 The address of the memory region (a \fBvm_offset_t\fR or \fBvm_address_t\fR)
375 follows the type descriptor
376 in the message body. The \fBmsgt_name\fR, \fBmsgt_size\fR,
377 and \fBmsgt_number\fR fields describe the memory region, not the address.
378
379 The \fBmsgt_deallocate\fR bit is used with out-of-line regions.
380 When TRUE, it specifies that the memory region should be deallocated
381 from the sender's address space (as if with \fBvm_deallocate\fR)
382 when the message is sent.
383
384 The \fBmsgt_unused\fR bit should be zero.
385 .SH PORT RIGHTS
386 Each task has its own space of port rights.
387 Port rights are named with positive integers.
388 Except for the reserved
389 values MACH_PORT_NULL (0) and MACH_PORT_DEAD (~0), this is a full 32-bit
390 name space. When the kernel chooses a name for a new right, it
391 is free to pick any unused name (one which denotes no right) in the space.
392
393 There are five basic kinds of rights: receive rights, send rights,
394 send-once rights, port-set rights, and dead names.
395 Dead names are not capabilities. They act as place-holders
396 to prevent a name from being otherwise used.
397
398 A port is destroyed, or dies, when its receive right is deallocated.
399 When a port dies, send and send-once rights for the port turn into
400 dead names. Any messages queued at the port are destroyed,
401 which deallocates the port rights and out-of-line memory in the messages.
402
403 Tasks may hold multiple user-references for send rights and dead names.
404 When a task receives a send right
405 which it already holds, the kernel increments the right's user-reference count.
406 When a task deallocates a send right, the kernel decrements its user-reference
407 count, and the task only loses the send right when the count goes to zero.
408
409 Send-once rights always have a user-reference count of one, although
410 a port can have multiple send-once rights, because each send-once right
411 held by a task has a different name. In contrast, when a task holds
412 send rights or a receive right for a port, the rights share
413 a single name.
414
415 A message body can carry port rights;
416 the \fBmsgt_name\fR (\fBmsgtl_name\fR) field in a
417 type descriptor specifies the type of port right and how the port
418 right is to be extracted from the caller. The values MACH_PORT_NULL and
419 MACH_PORT_DEAD are
420 always valid in place of a port right in a message body.
421 In a sent message, the following \fBmsgt_name\fR
422 values denote port rights:
423 .TP 12
424 MACH_MSG_TYPE_MAKE_SEND
425 The message will carry
426 a send right, but the caller must supply a receive right. The send
427 right is created from the receive right, and the receive right's
428 make-send count is incremented.
429 .TP 12
430 MACH_MSG_TYPE_COPY_SEND
431 The message will carry
432 a send right, and the caller should supply a send right. The user
433 reference count for the supplied send right is not changed. The caller
434 may also supply a dead name and the receiving task will get MACH_PORT_DEAD.
435 .TP 12
436 MACH_MSG_TYPE_MOVE_SEND
437 The message will carry
438 a send right, and the caller should supply a send right. The user
439 reference count for the supplied send right is decremented, and the
440 right is destroyed if the count becomes zero. Unless a receive right
441 remains, the name becomes available for recycling. The caller may also
442 supply a dead name, which loses a user reference, and the receiving
443 task will get MACH_PORT_DEAD.
444 .TP 12
445 MACH_MSG_TYPE_MAKE_SEND_ONCE
446 The message will carry
447 a send-once right, but the caller must supply a receive right. The
448 send-once right is created from the receive right.
449 .TP 12
450 MACH_MSG_TYPE_MOVE_SEND_ONCE
451 The message will carry
452 a send-once right, and the caller should supply a send-once right.
453 The caller loses the supplied send-once right. The caller may also
454 supply a dead name, which loses a user reference, and the receiving
455 task will get MACH_PORT_DEAD.
456 .TP 12
457 MACH_MSG_TYPE_MOVE_RECEIVE
458 The message will carry
459 a receive right, and the caller should supply a receive right.
460 The caller loses the supplied receive right, but retains any send rights
461 with the same name.
462 .PP
463 If a message
464 carries a send or send-once right, and the port dies while the
465 message is in transit, then the receiving task will get MACH_PORT_DEAD
466 instead of a right. The following \fBmsgt_name\fR values in
467 a received message indicate that it carries port rights:
468 .TP 12
469 MACH_MSG_TYPE_PORT_SEND
470 This name is an alias for MACH_MSG_TYPE_MOVE_SEND.
471 The message carried a send right.
472 If the receiving task already has send and/or receive rights for the port,
473 then that name for the port will be reused. Otherwise, the new right
474 will have a new name. If the task already has send
475 rights, it gains a user reference for the right (unless this
476 would cause the user-reference count to overflow). Otherwise, it acquires
477 the send right, with a user-reference count of one.
478 .TP 12
479 MACH_MSG_TYPE_PORT_SEND_ONCE
480 This name is an alias for MACH_MSG_TYPE_MOVE_SEND_ONCE.
481 The message carried a send-once right.
482 The right will have a new name.
483 .TP 12
484 MACH_MSG_TYPE_PORT_RECEIVE
485 This name is an alias for MACH_MSG_TYPE_MOVE_RECEIVE.
486 The message carried a receive right.
487 If the receiving task already has send rights for
488 the port, then that name for the port will be reused. Otherwise, the
489 right will have a new name. The make-send count
490 of the receive right is reset to zero, but the port retains other
491 attributes like queued messages, extant send and send-once rights,
492 and requests for port-destroyed and no-senders notifications.
493 .PP
494 When the kernel chooses a new name for a port right, it can choose any
495 name, other than MACH_PORT_NULL and MACH_PORT_DEAD, which is not
496 currently being used for a port right or dead name. It might choose a
497 name which at some previous time denoted a port right, but is
498 currently unused.
499 .SH MEMORY
500 A message body can contain the address of a region in the sender's
501 address space which should be transferred as part of the message.
502 The message carries a logical copy of the memory, but the kernel
503 uses VM techniques to defer any actual page copies. Unless
504 the sender or the receiver modifies the data, the physical
505 pages remain shared.
506
507 An out-of-line transfer occurs when the data's type descriptor
508 specifies \fBmsgt_inline\fR as FALSE. The address of the memory
509 region (a \fBvm_offset_t\fR or \fBvm_address_t\fR)
510 should follow the type descriptor in the message body.
511 The type descriptor and the address contribute to the message's
512 size (\fBsend_size\fR, \fBmsgh_size\fR). The out-of-line data
513 does not contribute to the message's size.
514
515 The name, size, and number fields in the type descriptor describe
516 the type and length of the out-of-line data, not the in-line address.
517 Out-of-line memory frequently requires long type descriptors
518 (\fBmach_msg_type_long_t\fR), because the \fBmsgt_number\fR field is
519 too small to describe a page of 4K bytes.
520
521 Out-of-line memory arrives somewhere
522 in the receiver's address space as new memory.
523 It has the same inheritance and protection attributes
524 as newly \fBvm_allocate\fR'd memory.
525 The receiver
526 has the responsibility of deallocating (with \fBvm_deallocate\fR)
527 the memory when it is no longer needed.
528 Security-conscious receivers should exercise caution when using
529 out-of-line memory from untrustworthy sources, because
530 the memory may be backed by an unreliable memory manager.
531
532 Null out-of-line memory is legal. If the out-of-line region size is zero
533 (for example, because \fBmsgtl_number\fR is zero), then the region's
534 specified address is ignored. A received null out-of-line memory region
535 always has a zero address.
536
537 Unaligned addresses and region sizes that are not page multiples are legal.
538 A received message can also contain memory with unaligned addresses
539 and funny sizes.
540 In the general case, the first and last pages in the
541 new memory region in the receiver do not contain only data
542 from the sender, but are partly zero. (But see BUGS.)
543 The received address
544 points to the start of the data in the first page. This possibility
545 doesn't complicate deallocation, because \fBvm_deallocate\fR
546 does the right thing, rounding the start address down
547 and the end address up to deallocate all arrived pages.
548
549 Out-of-line memory has a deallocate option, controlled by
550 the \fBmsgt_deallocate\fR bit.
551 If it is TRUE and the out-of-line memory region is not null,
552 then the region is implicitly deallocated from
553 the sender, as if by \fBvm_deallocate\fR. In particular,
554 the start and end addresses are rounded so that every page
555 overlapped by the memory region is deallocated.
556 The use of \fBmsgt_deallocate\fR effectively changes
557 the memory copy into a memory movement.
558 In a received message, \fBmsgt_deallocate\fR is TRUE
559 in type descriptors for out-of-line memory.
560
561 Out-of-line memory can carry port rights.
562 .SH MESSAGE SEND
563 The send operation queues a message to a port.
564 The message carries a copy of the caller's data.
565 After the send, the caller can freely modify
566 the message buffer or the out-of-line memory regions
567 and the message contents will remain unchanged.
568
569 Message delivery is reliable and sequenced.
570 Messages are not lost, and messages sent to a port,
571 from a single thread,
572 are received in the order in which they were sent.
573
574 If the destination port's queue is full, then several
575 things can happen. If the message is sent to a send-once right
576 (\fBmsgh_remote_port\fR carries a send-once right), then
577 the kernel ignores the queue limit and delivers the message.
578 Otherwise the caller blocks until there is room in the queue,
579 unless the MACH_SEND_TIMEOUT or MACH_SEND_NOTIFY options are used.
580 If a port has several blocked senders, then any of them
581 may queue the next message when space in the queue becomes
582 available, with the proviso that a blocked sender will not
583 be indefinitely starved.
584
585 These options modify MACH_SEND_MSG. If MACH_SEND_MSG is not also
586 specified, they are ignored.
587 .TP 12
588 MACH_SEND_TIMEOUT
589 The \fBtimeout\fR argument should specify
590 a maximum time (in milliseconds) for the call to block before giving up.
591 If the message can't be queued before the timeout interval elapses,
592 then the call returns MACH_SEND_TIMED_OUT. A zero timeout
593 is legitimate.
594 .TP 12
595 MACH_SEND_NOTIFY
596 The \fBnotify\fR argument should specify a
597 receive right for a notify port. If the send were to block, then
598 instead the message is queued, MACH_SEND_WILL_NOTIFY is returned, and
599 a msg-accepted notification is requested. If MACH_SEND_TIMEOUT is
600 also specified, then MACH_SEND_NOTIFY doesn't take effect until
601 the timeout interval elapses.
602
603 With MACH_SEND_NOTIFY, a task can forcibly queue to a send right
604 one message at a time. A msg-accepted notification is sent to the
605 the notify port when another message can be forcibly queued.
606 If an attempt is made to use MACH_SEND_NOTIFY before then,
607 the call returns a MACH_SEND_NOTIFY_IN_PROGRESS error.
608
609 The msg-accepted notification carries the name of the send right.
610 If the send right is deallocated before the msg-accepted notification
611 is generated, then the msg-accepted notification carries the value
612 MACH_PORT_NULL. If the destination port is destroyed before
613 the notification is generated, then a
614 send-once notification is generated instead.
615 .TP 12
616 MACH_SEND_INTERRUPT
617 If specified, the \fBmach_msg\fR call will return MACH_SEND_INTERRUPTED
618 if a software interrupt aborts the call.
619 Otherwise, the send operation will be retried.
620 .TP 12
621 MACH_SEND_CANCEL
622 The \fBnotify\fR argument should specify a receive right for a notify port.
623 If the send operation removes the destination port right from the caller,
624 and the removed right had a dead-name request registered for it,
625 and \fBnotify\fR is the notify port for the dead-name request,
626 then the dead-name request may be silently canceled (instead of
627 resulting in a port-deleted notification).
628
629 This option is typically used to cancel a dead-name request
630 made with the MACH_RCV_NOTIFY option. It should only
631 be used as an optimization.
632 .PP
633 The send operation can generate the following return codes.
634 These return codes imply that the call did nothing:
635 .TP 12
636 MACH_SEND_MSG_TOO_SMALL
637 The specified \fBsend_size\fR was smaller than the minimum size for a message.
638 .TP 12
639 MACH_SEND_NO_BUFFER
640 A resource shortage prevented the kernel from allocating a message buffer.
641 .TP 12
642 MACH_SEND_INVALID_DATA
643 The supplied message buffer was not readable.
644 .TP 12
645 MACH_SEND_INVALID_HEADER
646 The \fBmsgh_bits\fR value was invalid.
647 .TP 12
648 MACH_SEND_INVALID_DEST
649 The \fBmsgh_remote_port\fR value was invalid.
650 .TP 12
651 MACH_SEND_INVALID_REPLY
652 The \fBmsgh_local_port\fR value was invalid.
653 .TP 12
654 MACH_SEND_INVALID_NOTIFY
655 When using MACH_SEND_CANCEL,
656 the \fBnotify\fR argument did not denote a valid receive right.
657 .PP
658 These return codes imply that some or all of the message was destroyed:
659 .TP 12
660 MACH_SEND_INVALID_MEMORY
661 The message body specified out-of-line data that was not readable.
662 .TP 12
663 MACH_SEND_INVALID_RIGHT
664 The message body specified a port right which the caller
665 didn't possess.
666 .TP 12
667 MACH_SEND_INVALID_TYPE
668 A type descriptor was invalid.
669 .TP 12
670 MACH_SEND_MSG_TOO_SMALL
671 The last data item in the message ran over the end of the message.
672 .PP
673 These return codes imply that the message was returned
674 to the caller with a pseudo-receive operation:
675 .TP 12
676 MACH_SEND_TIMED_OUT
677 The \fBtimeout\fR interval expired.
678 .TP 12
679 MACH_SEND_INTERRUPTED
680 A software interrupt occurred.
681 .TP 12
682 MACH_SEND_INVALID_NOTIFY
683 When using MACH_SEND_NOTIFY,
684 the \fBnotify\fR argument did not denote a valid receive right.
685 .TP 12
686 MACH_SEND_NO_NOTIFY
687 A resource shortage prevented the kernel from setting up
688 a msg-accepted notification.
689 .TP 12
690 MACH_SEND_NOTIFY_IN_PROGRESS
691 A msg-accepted notification was already requested,
692 and hasn't yet been generated.
693 .PP
694 These return codes imply that the message was queued:
695 .TP 12
696 MACH_SEND_WILL_NOTIFY
697 The message was forcibly queued, and a msg-accepted
698 notification was requested.
699 .TP 12
700 MACH_MSG_SUCCESS
701 The message was queued.
702 .PP
703 Some return codes, like MACH_SEND_TIMED_OUT, imply that the message
704 was almost sent, but could not be queued. In these situations,
705 the kernel tries to return the message contents to the caller with a
706 pseudo-receive operation. This prevents the loss of port rights
707 or memory which only exist in the message. For example, a receive
708 right which was moved into the message, or out-of-line memory sent
709 with the deallocate bit.
710
711 The pseudo-receive operation is very similar to a normal receive
712 operation. The pseudo-receive handles the port rights in the
713 message header as if they were in the message body. They are
714 not reversed. After the pseudo-receive, the message is ready
715 to be resent. If the message is not resent, note that out-of-line
716 memory regions may have moved and some port rights may have
717 changed names.
718
719 The pseudo-receive operation may encounter resource shortages.
720 This is similar to a MACH_RCV_BODY_ERROR return code from a receive
721 operation. When this happens, the normal send return codes are
722 augmented with the MACH_MSG_IPC_SPACE, MACH_MSG_VM_SPACE,
723 MACH_MSG_IPC_KERNEL, and MACH_MSG_VM_KERNEL bits to indicate
724 the nature of the resource shortage.
725
726 The queueing of a message carrying receive rights may create
727 a circular loop of receive rights and messages,
728 which can never be received. For example,
729 a message carrying a receive right can be sent to that receive
730 right. This situation is not an error, but the kernel
731 will garbage-collect such loops, destroying the messages
732 and ports involved.
733 .SH MESSAGE RECEIVE
734 The receive operation dequeues a message from a port.
735 The receiving task acquires the port rights and out-of-line
736 memory regions carried in the message.
737
738 The \fBrcv_name\fR argument specifies a port or port set
739 from which to receive. If a port is specified,
740 the caller must possess the receive right for the port
741 and the port must not be a member of a port set.
742 If no message is present,
743 then the call blocks, subject to the MACH_RCV_TIMEOUT option.
744
745 If a port set is specified,
746 the call will receive a message sent to any of the member ports.
747 It is permissible for the port set to have no member ports,
748 and ports may be added and removed while a receive from the port set
749 is in progress.
750 The received message can come from any of the member ports
751 which have messages, with the proviso that a member port with
752 messages will not be indefinitely starved.
753 The \fBmsgh_local_port\fR field in the received message header
754 specifies from which port in the port set the message came.
755
756 The \fBrcv_size\fR argument specifies the size of the caller's
757 message buffer. The \fBmach_msg\fR call will not receive
758 a message larger than \fBrcv_size\fR. Messages that are too large
759 are destroyed, unless the MACH_RCV_LARGE option is used.
760
761 The destination and reply ports are reversed in a received
762 message header. The \fBmsgh_local_port\fR field names
763 the destination port, from which the message was received,
764 and the \fBmsgh_remote_port\fR field names the reply port right.
765 The bits in \fBmsgh_bits\fR are also reversed.
766 The MACH_MSGH_BITS_LOCAL bits have the value MACH_MSG_TYPE_PORT_SEND
767 if the message was sent to a send right,
768 and the value MACH_MSG_TYPE_PORT_SEND_ONCE if was sent to a send-once right.
769 The MACH_MSGH_BITS_REMOTE bits describe the reply port right.
770
771 A received message can contain port rights and out-of-line memory.
772 The \fBmsgh_local_port\fR field does not receive a port right; the act
773 of receiving the message destroys the send or send-once right for the
774 destination port. The \fBmsgh_remote_port\fR field does name a
775 received port right, the reply port right, and the message body can carry
776 port rights and memory if MACH_MSGH_BITS_COMPLEX is present in
777 \fBmsgh_bits\fR. Received port rights and memory should be consumed
778 or deallocated in some fashion.
779
780 In almost all cases, \fBmsgh_local_port\fR will specify the name
781 of a receive right, either \fBrcv_name\fR or if \fBrcv_name\fR
782 is a port set, a member of \fBrcv_name\fR. If other threads
783 are concurrently manipulating the receive right, the situation
784 is more complicated. If the receive right is renamed during
785 the call, then \fBmsgh_local_port\fR specifies the right's new name.
786 If the caller loses the receive right after the message was dequeued
787 from it, then \fBmach_msg\fR will proceed instead of returning
788 MACH_RCV_PORT_DIED. If the receive right was destroyed,
789 then \fBmsgh_local_port\fR specifies MACH_PORT_DEAD. If the receive
790 right still exists, but isn't held by the caller,
791 then \fBmsgh_local_port\fR specifies MACH_PORT_NULL.
792
793 Received messages are stamped with a sequence number, taken from the
794 port from which the message was received. (Messages received from a
795 port set are stamped with a sequence number from the appropriate
796 member port.) Newly created ports start with a zero sequence number,
797 and the sequence number is reset to zero whenever the port's receive
798 right moves between tasks. When a message is dequeued from the port,
799 it is stamped with the port's sequence number and the port's sequence
800 number is then incremented. The dequeue and increment operations are
801 atomic, so that multiple threads receiving messages from a port can
802 use the \fBmsgh_seqno\fR field to reconstruct the original order of
803 the messages.
804
805 These options modify MACH_RCV_MSG. If MACH_RCV_MSG is not also
806 specified, they are ignored.
807 .TP 12
808 MACH_RCV_TIMEOUT
809 The \fBtimeout\fR argument should specify
810 a maximum time (in milliseconds) for the call to block before giving up.
811 If no message arrives before the timeout interval elapses,
812 then the call returns MACH_RCV_TIMED_OUT. A zero timeout is legitimate.
813 .TP 12
814 MACH_RCV_NOTIFY
815 The \fBnotify\fR argument should specify a receive right for a notify port.
816 If receiving the reply port creates a new port right in the caller,
817 then the notify port is used to request a dead-name notification
818 for the new port right.
819 .TP 12
820 MACH_RCV_INTERRUPT
821 If specified, the \fBmach_msg\fR call will return MACH_RCV_INTERRUPTED
822 if a software interrupt aborts the call.
823 Otherwise, the receive operation will be retried.
824 .TP 12
825 MACH_RCV_LARGE
826 If the message is larger than \fBrcv_size\fR,
827 then the message remains queued instead of being destroyed.
828 The call returns MACH_RCV_TOO_LARGE and the actual size of
829 the message is returned in the \fBmsgh_size\fR field
830 of the message header.
831 .PP
832 The receive operation can generate the following return codes.
833 These return codes imply that the call did not dequeue a message:
834 .TP 12
835 MACH_RCV_INVALID_NAME
836 The specified \fBrcv_name\fR was invalid.
837 .TP 12
838 MACH_RCV_IN_SET
839 The specified port was a member of a port set.
840 .TP 12
841 MACH_RCV_TIMED_OUT
842 The \fBtimeout\fR interval expired.
843 .TP 12
844 MACH_RCV_INTERRUPTED
845 A software interrupt occurred.
846 .TP 12
847 MACH_RCV_PORT_DIED
848 The caller lost the rights specified by \fBrcv_name\fR.
849 .TP 12
850 MACH_RCV_PORT_CHANGED
851 \fBrcv_name\fR specified a receive right
852 which was moved into a port set during the call.
853 .TP 12
854 MACH_RCV_TOO_LARGE
855 When using MACH_RCV_LARGE, and the message was
856 larger than \fBrcv_size\fR. The message is left queued,
857 and its actual size is returned in the \fBmsgh_size\fR field
858 of the message buffer.
859 .PP
860 These return codes imply that a message was dequeued and destroyed:
861 .TP 12
862 MACH_RCV_HEADER_ERROR
863 A resource shortage prevented the reception of the port rights
864 in the message header.
865 .TP 12
866 MACH_RCV_INVALID_NOTIFY
867 When using MACH_RCV_NOTIFY,
868 the \fBnotify\fR argument did not denote a valid receive right.
869 .TP 12
870 MACH_RCV_TOO_LARGE
871 When not using MACH_RCV_LARGE, a message larger than \fBrcv_size\fR
872 was dequeued and destroyed.
873 .PP
874 In these situations, when a message is dequeued and then destroyed,
875 the reply port and all port rights and memory in the message body are
876 destroyed. However, the caller receives the message's header, with
877 all fields correct, including the destination port but excepting the
878 reply port, which is MACH_PORT_NULL.
879 .PP
880 These return codes imply that a message was received:
881 .TP 12
882 MACH_RCV_BODY_ERROR
883 A resource shortage prevented the reception of a port right
884 or out-of-line memory region in the message body.
885 The message header, including the reply port, is correct.
886 The kernel attempts to transfer all port rights
887 and memory regions in the body, and only destroys those that
888 can't be transferred.
889 .TP 12
890 MACH_RCV_INVALID_DATA
891 The specified message buffer was not writable.
892 The calling task did successfully receive the port rights
893 and out-of-line memory regions in the message.
894 .TP 12
895 MACH_MSG_SUCCESS
896 A message was received.
897 .PP
898 Resource shortages can occur after a message is dequeued,
899 while transferring port rights and out-of-line memory regions
900 to the receiving task. The \fBmach_msg\fR call returns
901 MACH_RCV_HEADER_ERROR or MACH_RCV_BODY_ERROR in this situation.
902 These return codes always carry extra bits (bitwise-ored)
903 that indicate the nature of the resource shortage:
904 .TP 12
905 MACH_MSG_IPC_SPACE
906 There was no room in the task's IPC name space for another port name.
907 .TP 12
908 MACH_MSG_VM_SPACE
909 There was no room in the task's VM address space
910 for an out-of-line memory region.
911 .TP 12
912 MACH_MSG_IPC_KERNEL
913 A kernel resource shortage prevented the reception of a port right.
914 .TP 12
915 MACH_MSG_VM_KERNEL
916 A kernel resource shortage prevented the reception
917 of an out-of-line memory region.
918 .PP
919 If a resource shortage prevents the reception of a port right, the
920 port right is destroyed and the caller sees the name MACH_PORT_NULL.
921 If a resource shortage prevents the reception of an out-of-line memory
922 region, the region is destroyed and the caller receives a zero
923 address. In addition, the \fBmsgt_size\fR (\fBmsgtl_size\fR) field in
924 the data's type descriptor is changed to zero. If a resource shortage
925 prevents the reception of out-of-line memory carrying port rights,
926 then the port rights are always destroyed if the memory region can
927 not be received. A task never receives port rights or memory regions
928 that it isn't told about.
929 .SH ATOMICITY
930 The \fBmach_msg\fR call handles port rights in a message header
931 atomically. Port rights and out-of-line memory in a message body
932 do not enjoy this atomicity guarantee. The message body may
933 be processed front-to-back, back-to-front, first out-of-line memory
934 then port rights, in some random order, or even atomically.
935
936 For example, consider sending a message with the destination port
937 specified as MACH_MSG_TYPE_MOVE_SEND and the reply port specified
938 as MACH_MSG_TYPE_COPY_SEND. The same send right,
939 with one user-reference, is supplied for both the \fBmsgh_remote_port\fR
940 and \fBmsgh_local_port\fR fields. Because \fBmach_msg\fR processes
941 the message header atomically, this succeeds. If \fBmsgh_remote_port\fR
942 were processed before \fBmsgh_local_port\fR, then \fBmach_msg\fR
943 would return MACH_SEND_INVALID_REPLY in this situation.
944
945 On the other hand, suppose the destination and reply port are
946 both specified as MACH_MSG_TYPE_MOVE_SEND, and again the same
947 send right with one user-reference is supplied for both.
948 Now the send operation fails, but because it processes the header
949 atomically, \fBmach_msg\fR can return either MACH_SEND_INVALID_DEST
950 or MACH_SEND_INVALID_REPLY.
951
952 For example, consider receiving a message at the same time another
953 thread is deallocating the destination receive right. Suppose the
954 reply port field carries a send right for the destination port. If
955 the deallocation happens before the dequeuing, then the receiver gets
956 MACH_RCV_PORT_DIED. If the deallocation happens after the receive,
957 then the \fBmsgh_local_port\fR and the \fBmsgh_remote_port\fR fields
958 both specify the same right, which becomes a dead name when the
959 receive right is deallocated. If the deallocation happens between the
960 dequeue and the receive, then the \fBmsgh_local_port\fR and
961 \fBmsgh_remote_port\fR fields both specify MACH_PORT_DEAD. Because
962 the header is processed atomically, it is not possible for just one of
963 the two fields to hold MACH_PORT_DEAD.
964
965 The MACH_RCV_NOTIFY option provides a more likely example.
966 Suppose a message carrying a send-once right reply port is received
967 with MACH_RCV_NOTIFY at the same time the reply port is destroyed.
968 If the reply port is destroyed first, then \fBmsgh_remote_port\fR
969 specifies MACH_PORT_DEAD and the kernel does not generate
970 a dead-name notification. If the reply port is destroyed after
971 it is received, then \fBmsgh_remote_port\fR specifies a dead name
972 for which the kernel generates a dead-name notification.
973 It is not possible to receive the reply port right and have it
974 turn into a dead name before the dead-name notification is requested;
975 as part of the message header the reply port is received atomically.
976 .SH BUGS
977 Sending out-of-line memory with a non-page-aligned address,
978 or a size which is not a page multiple, works but with a caveat.
979 The extra bytes in the first and last page of the received memory
980 are not zeroed, so the receiver can peek at more data than
981 the sender intended to transfer. This might be a security problem
982 for the sender.
983
984 If MACH_RCV_TIMEOUT is used without MACH_RCV_INTERRUPT,
985 then the timeout duration might not be accurate.
986 When the call is interrupted and automatically retried,
987 the original timeout is used. If interrupts occur frequently enough,
988 the timeout interval might never expire. MACH_SEND_TIMEOUT without
989 MACH_SEND_INTERRUPT suffers from the same problem.
990 .SH FILES
991 <mach/port.h>, <mach/message.h>, <mach/notify.h>.
Cache object: 951600126f4eea0769a65eb0348e0c73
|