1 files changed, 113 insertions, 0 deletions
diff --git a/js/src/vm/GuardFuse.h b/js/src/vm/GuardFuse.h
new file mode 100644
index 0000000000..f4e07395e3
--- /dev/null
+++ b/js/src/vm/GuardFuse.h
@@ -0,0 +1,113 @@
+/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*-
+ * vim: set ts=8 sts=2 et sw=2 tw=80:
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+#ifndef vm_GuardFuse_h
+#define vm_GuardFuse_h
+
+#include "mozilla/Array.h"
+#include "mozilla/Assertions.h"
+
+#include <stddef.h>
+
+#include "jstypes.h"
+
+struct JS_PUBLIC_API JSContext;
+
+namespace js {
+
+// [SMDOC] Fuses
+// A Fuse is a data structure in memory that asserts some property of the
+// system.
+//
+// A fuse may be popped; this indicates that the property the fuse was asserting
+// no longer holds.
+//
+// There are two models of Fuse:
+// 1. Guard fuses are used as guards at various points through the engine to
+//    allow dynamic choice of a fallback path vs. fast path. A guard is checked
+//    explicitly before each action.
+// 2. An Invalidating Fuse instead performs some cleanup actions invalidating
+//    Ion compiled under the assumption the fuse is intact.
+//
+// Fuses are designed to be checked easily for validity -- a single load and
+// compare should suffice.
+//
+//
+// In order to try make bugs in Fuses fuzzable, each fuse has a
+// `checkInvariants` callback. This callback should return `true` iff the
+// invariant the fuse asserts still holds. We can then assert that if a fuse is
+// intact, then its invariant should hold. This can be triggered by a shell
+// testing function, or (not implemented) triggered on a regular basis ala
+// JS_GC_ZEAL.
+//
+// Fuses are agnostic about how they are popped. To support watching for a few
+// operations we expect to be important to fuses, see:
+//
+//   - Watchtower::watchPropertyModification
+//   - Watchtower::watchProtoChange
+//   - Watchtower::watchPropertyModification.
+//
+// and ObjectFlags::HasFuseProperty. As well, see MGuardFuse::aliasSet, which
+// should be updated if there is any modification to the possible set of places
+// fuses could be popped.
+//
+// In order to support relationships, the popFuse method is virtual and can be
+// overridden by subclasses. See RealmFuses.h for examples of how RealmScoped
+// fuses are implemented there through overrides of popFuse.
+class GuardFuse {
+ public:
+  GuardFuse() = default;
+  GuardFuse(GuardFuse&&) = delete;
+
+  virtual const char* name() = 0;
+
+  // Basic fuse interface: Takes a JSContext argument for subclasses.
+  virtual void popFuse(JSContext* cx) {
+    MOZ_ASSERT_IF(fuse_, fuse_ == PoppedFuseValue);
+    fuse_ = PoppedFuseValue;
+  }
+
+  bool intact() {
+    MOZ_ASSERT_IF(fuse_, fuse_ == PoppedFuseValue);
+    return fuse_ == 0;
+  }
+
+  GuardFuse* self() { return this; }
+
+  // Code-Generation Fuse interface
+  size_t* fuseRef() { return &fuse_; }
+  static int32_t fuseOffset() { return offsetof(GuardFuse, fuse_); }
+
+  // Invariant Maintenance Interface: If an invariant doesn't hold, we should
+  // crash the process.
+  //
+  // Since a fuse is a statement about an invariant in the system, if the fuse
+  // is intact, the invariant must hold. However, the converse is not true:
+  // a fuse may be popped while its invariant still holds (and for testing
+  // purposes we explicitly require this; see popAllFusesInRealm).
+  virtual void assertInvariant(JSContext* cx) {
+    if (intact()) {
+      if (!checkInvariant(cx)) {
+        fprintf(stderr, "Fuse %s failed invariant check\n", name());
+        MOZ_CRASH("Failed invariant check");
+      }
+    }
+  }
+
+  // Return true iff the invariant asserted by a particular fuse holds; this can
+  // safely return false if the fuse is popped.
+  virtual bool checkInvariant(JSContext* cx) = 0;
+
+ private:
+  // Use a bit pattern to mark a popped fuse -- May be useful in the future for
+  // disambiguating between a real popped fuse and a bit-flip.
+  static constexpr size_t PoppedFuseValue = 0x808;
+
+  size_t fuse_ = 0;
+};
+
+}  // namespace js
+#endif  // vm_GuardFuse_h