1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
|
/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*-
* vim: set ts=8 sts=2 et sw=2 tw=80:
* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, You can obtain one at http://mozilla.org/MPL/2.0/. */
#ifndef vm_GuardFuse_h
#define vm_GuardFuse_h
#include "mozilla/Array.h"
#include "mozilla/Assertions.h"
#include <stddef.h>
#include "jstypes.h"
struct JS_PUBLIC_API JSContext;
namespace js {
// [SMDOC] Fuses
// A Fuse is a data structure in memory that asserts some property of the
// system.
//
// A fuse may be popped; this indicates that the property the fuse was asserting
// no longer holds.
//
// There are two models of Fuse:
// 1. Guard fuses are used as guards at various points through the engine to
// allow dynamic choice of a fallback path vs. fast path. A guard is checked
// explicitly before each action.
// 2. An Invalidating Fuse instead performs some cleanup actions invalidating
// Ion compiled under the assumption the fuse is intact.
//
// Fuses are designed to be checked easily for validity -- a single load and
// compare should suffice.
//
//
// In order to try make bugs in Fuses fuzzable, each fuse has a
// `checkInvariants` callback. This callback should return `true` iff the
// invariant the fuse asserts still holds. We can then assert that if a fuse is
// intact, then its invariant should hold. This can be triggered by a shell
// testing function, or (not implemented) triggered on a regular basis ala
// JS_GC_ZEAL.
//
// Fuses are agnostic about how they are popped. To support watching for a few
// operations we expect to be important to fuses, see:
//
// - Watchtower::watchPropertyModification
// - Watchtower::watchProtoChange
// - Watchtower::watchPropertyModification.
//
// and ObjectFlags::HasFuseProperty. As well, see MGuardFuse::aliasSet, which
// should be updated if there is any modification to the possible set of places
// fuses could be popped.
//
// In order to support relationships, the popFuse method is virtual and can be
// overridden by subclasses. See RealmFuses.h for examples of how RealmScoped
// fuses are implemented there through overrides of popFuse.
class GuardFuse {
public:
GuardFuse() = default;
GuardFuse(GuardFuse&&) = delete;
virtual const char* name() = 0;
// Basic fuse interface: Takes a JSContext argument for subclasses.
virtual void popFuse(JSContext* cx) {
MOZ_ASSERT_IF(fuse_, fuse_ == PoppedFuseValue);
fuse_ = PoppedFuseValue;
}
bool intact() {
MOZ_ASSERT_IF(fuse_, fuse_ == PoppedFuseValue);
return fuse_ == 0;
}
GuardFuse* self() { return this; }
// Code-Generation Fuse interface
size_t* fuseRef() { return &fuse_; }
static int32_t fuseOffset() { return offsetof(GuardFuse, fuse_); }
// Invariant Maintenance Interface: If an invariant doesn't hold, we should
// crash the process.
//
// Since a fuse is a statement about an invariant in the system, if the fuse
// is intact, the invariant must hold. However, the converse is not true:
// a fuse may be popped while its invariant still holds (and for testing
// purposes we explicitly require this; see popAllFusesInRealm).
virtual void assertInvariant(JSContext* cx) {
if (intact()) {
if (!checkInvariant(cx)) {
fprintf(stderr, "Fuse %s failed invariant check\n", name());
MOZ_CRASH("Failed invariant check");
}
}
}
// Return true iff the invariant asserted by a particular fuse holds; this can
// safely return false if the fuse is popped.
virtual bool checkInvariant(JSContext* cx) = 0;
private:
// Use a bit pattern to mark a popped fuse -- May be useful in the future for
// disambiguating between a real popped fuse and a bit-flip.
static constexpr size_t PoppedFuseValue = 0x808;
size_t fuse_ = 0;
};
} // namespace js
#endif // vm_GuardFuse_h
|