Signatures in the MPS
=====================
:Tag: design.mps.sig
:Author: Richard Brooksby
:Organization: Ravenbrook Limited
:Date: 2013-05-09
:Revision: $Id: //info.ravenbrook.com/project/mps/branch/2013-05-01/keyword-arguments/design/sig.txt#1 $
:Copyright: See section `C. Copyright and License`_.
1. Introduction
---------------
Integrity of data structures is absolutely critical to the cost of
deploying the Memory Pool System. Memory corruption and memory
management bugs are incredibly hard to detect and debug, often
manifesting themselves hours or days after they occur. One of the key
ways the MPS detects corruption or the passing of illegal data is using
*signatures*. This simple technique has proved invaluable at catching
defects early.
2. Overview
-----------
Signatures are magic numbers which are written into structures when they
are created and invalidated (by overwriting with ``SigInvalid``) when
they are destroyed. They provide a limited form of run-time type
checking and dynamic scope checking. They are a simplified form of
"Structure Marking", a technique used in the Multics filesystem [THVV_1995]_.
3. Definitions
--------------
Nearly every structure should start with a field of type ``Sig`` with the name
``sig``. For example::
typedef struct mps_message_s {
Sig sig; /* <design/sig/> */
Arena arena; /* owning arena */
MessageClass class; /* Message Class Structure */
Clock postedClock; /* mps_clock() at post time, or 0 */
RingStruct queueRing; /* Message queue ring */
} MessageStruct;
There must also be a definition for the valid value for that signature::
#define MessageSig ((Sig)0x5193e559) /* SIG MESSaGe */
This is a 32-bit hex constant, spelled according to guide.hex.trans_::
ABCDEFGHIJKLMNOPQRSTUVWXYZ
ABCDEF9811C7340BC6520F3812
.. _guide.hex.trans: ./guide.hex.trans.txt
This allows the structure to be recognised when looking at memory in a hex
dump or memory window, or found using memory searches.
4. Init and Finish
------------------
When the structure is initialised, the signature is initialised as the
*last* action, just before validating it. (Think of it as putting your
signature at the bottom of a document to say it's done.) This ensures
that the structure will appear invalid until it is completely initialized
and ready to use. For example::
void MessageInit(...) {
...
message->arena = arena;
message->class = class;
RingInit(&message->queueRing);
message->postedClock = 0;
message->sig = MessageSig;
AVERT(Message, message);
}
When the structure is finished, the signature is invalidated as the
*first* action, ensuring that the structure appears invalid while it is
being torn down. For example::
void MessageFinish(Message message)
{
AVERT(Message, message);
AVER(RingIsSingle(&message->queueRing));
message->sig = SigInvalid;
RingFinish(&message->queueRing);
}
Do not do anything else with signatures. See `.rule.purpose`_.
5. Checking
-----------
The signature is checked in various ways. Every function that takes a
(pointer to) a signed structure should check its argument using the ``AVERT``
macro. This macro has different definitions depending on how the MPS is
compiled. It may simply check the signature directly, or call the full
checking function for the structure.
The checking function for the structure should also validate the signature
as its first step using the ``CHECKS`` macro (see check.h_). For example::
Bool MessageCheck(Message message)
{
CHECKS(Message, message);
CHECKU(Arena, message->arena);
CHECKD(MessageClass, message->class);
...
This combination makes it extremely difficult to get an object of the
wrong type, an uninitialized object, or a dead object, or a random
pointer into a function.
.. _check.h: ../code/check.h
6. Rules
--------
_`.rule.purpose`: **Do not** use signatures for any other purpose. For
example, don't use them to make any actual decisions within the code.
They must not be used to discriminate between structure variants (or
union members). They must not be used to try to detect *whether* a
structure has been initialised or finished. They are there to
double-check whether these facts are true. They lose their value as a
consistency check if the code uses them as well.
7. Tools
--------
_`.test.uniq`: The Unix command::
sed -n '/^#define [a-zA-Z]*Sig/s/[^(]*(/(/p' code/*.[ch] | sort | uniq -c
will display all signatures defined in the MPS along with a count of how
many times they are defined. If any counts are greater than 1, then the
same signature value is being used for different signatures. This is
undesirable and the problem should be investigated.
A. References
-------------
.. [RB_1995-08-25] "design.mps.sig: The design of the Memory Pool System
Signature System"; Richard Brooksby; Harlequin; 1995-08-25.
.. [THVV_1995] "Structure Marking"; Tom Van Vleck; 1995;
<http://www.multicians.org/thvv/marking.html>.
B. Document History
-------------------
2013-05-09 RB Created based on scanty MM document [RB_1995-08-25]_.
C. Copyright and License
------------------------
Copyright (C) 2013 Ravenbrook Limited. All rights reserved.
<http://www.ravenbrook.com/>. This is an open source license. Contact
Ravenbrook for commercial licensing options.
Redistribution and use in source and binary forms, with or without
modification, are permitted provided that the following conditions are
met:
1. Redistributions of source code must retain the above copyright
notice, this list of conditions and the following disclaimer.
2. Redistributions in binary form must reproduce the above copyright
notice, this list of conditions and the following disclaimer in the
documentation and/or other materials provided with the distribution.
3. Redistributions in any form must be accompanied by information on how
to obtain complete source code for this software and any
accompanying software that uses this software. The source code must
either be included in the distribution or be available for no more than
the cost of distribution plus a nominal fee, and must be freely
redistributable under reasonable conditions. For an executable file,
complete source code means the source code for all modules it contains.
It does not include source code for modules or files that typically
accompany the major components of the operating system on which the
executable file runs.
THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS
IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR
PURPOSE, OR NON-INFRINGEMENT, ARE DISCLAIMED. IN NO EVENT SHALL THE
COPYRIGHT HOLDERS AND CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF
USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON
ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
$Id: //info.ravenbrook.com/project/mps/branch/2013-05-01/keyword-arguments/design/sig.txt#1 $