.. mode: -*- rst -*-

Signatures in the MPS
=====================

:Tag: design.mps.sig
:Author: Richard Brooksby
:Organization: Ravenbrook Limited
:Date: 2013-05-09
:Revision: $Id: //info.ravenbrook.com/project/mps/version/1.114/design/sig.txt#1 $
:Copyright: See section `Copyright and License`_.
:Index terms:
   pair: structure signatures; design
   single: signatures


Introduction
------------
Integrity of data structures is absolutely critical to the cost of
deploying the Memory Pool System.  Memory corruption and memory
management bugs are incredibly hard to detect and debug, often
manifesting themselves hours or days after they occur.  One of the key
ways the MPS detects corruption or the passing of illegal data is using
*signatures*.  This simple technique has proved invaluable at catching
defects early.


Overview
--------
Signatures are `magic numbers`_ which are written into structures when
they are created and invalidated (by overwriting with ``SigInvalid``)
when they are destroyed. They provide a limited form of run-time type
checking and dynamic scope checking. They are a simplified form of
"Structure Marking", a technique used in the Multics filesystem
[THVV_1995]_.

.. _`magic numbers`: http://en.wikipedia.org/wiki/Magic_number_(programming)


Definitions
-----------
Nearly every structure should start with a field of type ``Sig`` with the name
``sig``.  For example::

    typedef struct mps_message_s {
      Sig sig;                      /* <design/sig/> */
      Arena arena;                  /* owning arena */
      MessageClass class;           /* Message Class Structure */
      Clock postedClock;            /* mps_clock() at post time, or 0 */
      RingStruct queueRing;         /* Message queue ring */
    } MessageStruct;

There must also be a definition for the valid value for that signature::

    #define MessageSig      ((Sig)0x5193e559) /* SIG MESSaGe */

This is a 32-bit hex constant, spelled according to guide.hex.trans_::

    ABCDEFGHIJKLMNOPQRSTUVWXYZ
    ABCDEF9811C7340BC6520F3812

.. _guide.hex.trans: guide.hex.trans

This allows the structure to be recognised when looking at memory in a hex
dump or memory window, or found using memory searches.


Init and Finish
---------------
When the structure is initialised, the signature is initialised as the
*last* action, just before validating it.  (Think of it as putting your
signature at the bottom of a document to say it's done.)  This ensures
that the structure will appear invalid until it is completely initialized
and ready to use.  For example::

    void MessageInit(...) {
      ... 
      message->arena = arena;
      message->class = class;
      RingInit(&message->queueRing);
      message->postedClock = 0;
      message->sig = MessageSig;
      AVERT(Message, message);
    }

When the structure is finished, the signature is invalidated as the
*first* action, ensuring that the structure appears invalid while it is
being torn down.  For example::

    void MessageFinish(Message message)
    {
      AVERT(Message, message);
      AVER(RingIsSingle(&message->queueRing));

      message->sig = SigInvalid;
      RingFinish(&message->queueRing);
    }

Do not do anything else with signatures.  See `.rule.purpose`_.


Checking
--------
The signature is checked in various ways.  Every function that takes a
(pointer to) a signed structure should check its argument using the
``AVERT`` macro.  This macro has different definitions depending on how
the MPS is compiled (see design.mps.config.def.var_).  It may simply check
the signature directly, or call the full checking function for the
structure.

.. _design.mps.config.def.var: config#def-var

The checking function for the structure should also validate the
signature as its first step using the ``CHECKS()`` macro (see
check.h_). For example::

    Bool MessageCheck(Message message)
    {
      CHECKS(Message, message);
      CHECKU(Arena, message->arena);
      CHECKD(MessageClass, message->class);
      ...

This combination makes it extremely difficult to get an object of the
wrong type, an uninitialized object, or a dead object, or a random
pointer into a function.

.. _check.h: ../code/check.h

Rules
-----
_`.rule.purpose`: **Do not** use signatures for any other purpose.  For
example, don't use them to make any actual decisions within the code. 
They must not be used to discriminate between structure variants (or
union members). They must not be used to try to detect *whether* a
structure has been initialised or finished.  They are there to
double-check whether these facts are true. They lose their value as a
consistency check if the code uses them as well.


Tools
-----
_`.test.uniq`: The Unix command::

    sed -n '/^#define [a-zA-Z]*Sig/s/[^(]*(/(/p' code/*.[ch] | sort | uniq -c

will display all signatures defined in the MPS along with a count of how
many times they are defined.  If any counts are greater than 1, then the
same signature value is being used for different signatures.  This is
undesirable and the problem should be investigated.


References
----------
.. [RB_1995-08-25] "design.mps.sig: The design of the Memory Pool System
   Signature System"; Richard Brooksby; Harlequin; 1995-08-25;
   <https://info.ravenbrook.com/project/mps/doc/2002-06-18/obsolete-mminfo/mminfo/design/mps/sig/>.

.. [THVV_1995] "Structure Marking"; Tom Van Vleck; 1995;
   <http://www.multicians.org/thvv/marking.html>.


Document History
----------------
- 2013-05-09  RB  Created based on scanty MM document [RB_1995-08-25]_.

.. _RB: http://www.ravenbrook.com/consultants/rb/


Copyright and License
---------------------

Copyright © 2013-2014 Ravenbrook Limited. All rights reserved.
<http://www.ravenbrook.com/>. This is an open source license. Contact
Ravenbrook for commercial licensing options.

Redistribution and use in source and binary forms, with or without
modification, are permitted provided that the following conditions are
met:

#. Redistributions of source code must retain the above copyright
   notice, this list of conditions and the following disclaimer.

#. Redistributions in binary form must reproduce the above copyright
   notice, this list of conditions and the following disclaimer in the
   documentation and/or other materials provided with the distribution.

#. Redistributions in any form must be accompanied by information on
   how to obtain complete source code for this software and any
   accompanying software that uses this software. The source code must
   either be included in the distribution or be available for no more
   than the cost of distribution plus a nominal fee, and must be
   freely redistributable under reasonable conditions. For an
   executable file, complete source code means the source code for all
   modules it contains. It does not include source code for modules or
   files that typically accompany the major components of the
   operating system on which the executable file runs.

**This software is provided by the copyright holders and contributors
"as is" and any express or implied warranties, including, but not
limited to, the implied warranties of merchantability, fitness for a
particular purpose, or non-infringement, are disclaimed.  In no event
shall the copyright holders and contributors be liable for any direct,
indirect, incidental, special, exemplary, or consequential damages
(including, but not limited to, procurement of substitute goods or
services; loss of use, data, or profits; or business interruption)
however caused and on any theory of liability, whether in contract,
strict liability, or tort (including negligence or otherwise) arising in
any way out of the use of this software, even if advised of the
possibility of such damage.**