# A sketch of Mu-style handles or kinda-safe pointers, that add a modicum of # checking to dynamically allocated memory. # # This approach avoids using 'allocate' directly in favor of two primitives: # - 'new', which allocates some space (the 'payload'), stores the address # along with an opaque 'alloc id' in a 'handle', and prepends the same # alloc id to the payload. # - 'lookup', which checks that the alloc id at the start of a handle matches # the alloc id at the start of the payload before returning the address. # # Layout of a handle: # offset 0: alloc id # offset 4: address # # To run: # $ ./subx translate init.linux 0*.subx apps/handle.subx -o apps/handle # $ ./subx run apps/handle # Expected result is a successful lookup followed by a hard abort: # lookup succeeded # lookup failed # (This file is a prototype. The 'tests' in it aren't real; failures are # expected.) == code # instruction effective address register displacement immediate # . op subop mod rm32 base index scale r32 # . 1-3 bytes 3 bits 2 bits 3 bits 3 bits 3 bits 2 bits 2 bits 0/1/2/4 bytes 0/1/2/4 bytes Entry: # initialize heap # . Heap = new-segment(Heap-size) # . . push args 68/push Heap/imm32 ff 6/subop/push 0/mod/indirect 5/rm32/.disp32 . . . Heap-size/disp32 # push *Heap-size # . . call e8/call new-segment/disp32 # . . discard args 81 0/subop/add 3/mod/direct 4/rm32/esp . . . . . 8/imm32 # add to esp e8/call run-tests/disp32 # 'run-tests' is a function created automatically by SubX. It calls all functions that start with 'test-'. $handle-main:end: # syscall(exit, Num-test-failures) 8b/copy 0/mod/indirect 5/rm32/.disp32 . . 3/r32/ebx Num-test-failures/disp32 # copy *Num-test-failures to ebx b8/copy-to-eax 1/imm32/exit cd/syscall 0x80/imm8 new: # ad : (addr allocation-descriptor), n : int, out : (handle _) # . prologue 55/push-ebp 89/copy 3/mod/direct 5/rm32/ebp . . . 4/r32/esp . . # copy esp to ebp # . save registers 50/push-eax 51/push-ecx 52/push-edx # ecx = n+4 8b/copy 1/mod/*+disp8 5/rm32/ebp . . . 1/r32/ecx 0xc/disp8 . # copy *(ebp+12) to ecx 81 0/subop/add 3/mod/direct 1/rm32/ecx . . . . . 4/imm32 # add to ecx # var eax : (handle _) = allocate(ad, ecx) # . . push args 51/push-ecx ff 6/subop/push 1/mod/*+disp8 5/rm32/ebp . . . . 8/disp8 . # push *(ebp+8) # . . call e8/call allocate/disp32 # . . discard args 81 0/subop/add 3/mod/direct 4/rm32/esp . . . . . 8/imm32 # add to esp # edx = out 8b/copy 1/mod/*+disp8 5/rm32/ebp . . . 2/r32/edx 0x10/disp8 . # copy *(ebp+16) to edx # out->address = eax 89/copy 1/mod/*+disp8 2/rm32/edx . . . 0/r32/eax 4/disp8 . # copy eax to *(edx+4) # if (eax == 0) out->alloc_id = 0, return 3d/compare-eax-and 0/imm32 75/jump-if-not-equal $new:continue/disp8 c7 0/subop/copy 0/mod/indirect 2/rm32/edx . . . . . 0/imm32 # copy to *edx eb/jump $new:end/disp8 $new:continue: # otherwise: # ecx = *Next-alloc-id 8b/copy 0/mod/indirect 5/rm32/.disp32 . . 1/r32/ecx Next-alloc-id/disp32 # copy *Next-alloc-id to ecx # *eax = *Next-alloc-id/ecx 89/copy 0/mod/indirect 0/rm32/eax . . . 1/r32/ecx . . # copy ecx to *eax # out->alloc_id = *Next-alloc-id 89/copy 0/mod/indirect 2/rm32/edx . . . 1/r32/ecx . . # copy ecx to *edx # increment *Next-alloc-id ff 0/subop/increment 0/mod/indirect 5/rm32/.disp32 . . . Next-alloc-id/disp32 # increment *Next-alloc-id $new:end: # . restore registers 5a/pop-to-edx 59/pop-to-ecx 58/pop-to-eax # . epilogue 89/copy 3/mod/direct 4/rm32/esp . . . 5/r32/ebp . . # copy ebp to esp 5d/pop-to-ebp c3/return test-new: # . prologue 55/push-ebp 89/copy 3/mod/direct 5/rm32/ebp . . . 4/r32/esp . . # copy esp to ebp # var heap/edx : (ref allocation-descriptor) 68/push 0/imm32/limit 68/push 0/imm32/curr 89/copy 3/mod/direct 2/rm32/edx . . . 4/r32/esp . . # copy esp to edx # heap = new-segment(512) # . . push args 52/push-edx 68/push 0x200/imm32 # . . call e8/call new-segment/disp32 # . . discard args 81 0/subop/add 3/mod/direct 4/rm32/esp . . . . . 8/imm32 # add to esp # *Next-alloc-id = 0x34 c7 0/subop/copy 0/mod/indirect 5/rm32/.disp32 . . . Next-alloc-id/disp32 0x34/imm32 # copy to *Next-alloc-id # var handle/ecx : (ref handle) 68/push 0/imm32/address 68/push 0/imm32/alloc-id 89/copy 3/mod/direct 1/rm32/ecx . . . 4/r32/esp . . # copy esp to ecx # new(heap, 2, handle/ecx) # . . push args 51/push-ecx 68/push 2/imm32/size 52/push-edx # . . call e8/call new/disp32 # . . discard args 81 0/subop/add 3/mod/direct 4/rm32/esp . . . . . 0xc/imm32 # add to esp # check-ints-equal(handle->alloc_id, 0x34, msg) # . . push args 68/push "F - test-new: alloc id of handle"/imm32 68/push 0x34/imm32 ff 6/subop/push 0/mod/indirect 1/rm32/ecx . . . . . . # push *ecx # . . call e8/call check-ints-equal/disp32 # . . discard args 81 0/subop/add 3/mod/direct 4/rm32/esp . . . . . 0xc/imm32 # add to esp # check-ints-equal(*handle->address, 0x34, msg) # . . push args 68/push "F - test-new: alloc id of payload"/imm32 68/push 0x34/imm32 8b/copy 1/mod/*+disp8 1/rm32/ecx . . . 2/r32/edx 4/disp8 . # copy *(ecx+4) to edx ff 6/subop/push 0/mod/indirect 2/rm32/edx . . . . . . # push *edx # . . call e8/call check-ints-equal/disp32 # . . discard args 81 0/subop/add 3/mod/direct 4/rm32/esp . . . . . 0xc/imm32 # add to esp # check-ints-equal(*Next-alloc-id, 0x35) # . . push args 68/push "F - test-new: next alloc id"/imm32 68/push 0x35/imm32 ff 6/subop/push 0/mod/indirect 5/rm32/.disp32 . . . Next-alloc-id/disp32 # copy to *Next-alloc-id # . . call e8/call check-ints-equal/disp32 # . . discard args 81 0/subop/add 3/mod/direct 4/rm32/esp . . . . . 0xc/imm32 # add to esp # clean up # . *Next-alloc-id = 1 c7 0/subop/copy 0/mod/indirect 5/rm32/.disp32 . . . Next-alloc-id/disp32 1/imm32 # copy to *Next-alloc-id # . epilogue 89/copy 3/mod/direct 4/rm32/esp . . . 5/r32/ebp . . # copy ebp to esp 5d/pop-to-ebp c3/return _pending-test-new-failure: # . prologue 55/push-ebp 89/copy 3/mod/direct 5/rm32/ebp . . . 4/r32/esp . . # copy esp to ebp # . *Next-alloc-id = 0x34 c7 0/subop/copy 0/mod/indirect 5/rm32/.disp32 . . . Next-alloc-id/disp32 0x34/imm32 # copy to *Next-alloc-id # define an allocation-descriptor with no space left # . var ad/eax : (ref allocation-descriptor) = {0x10, 0x10} 68/push 0x10/imm32/limit 68/push 0x10/imm32/curr 89/copy 3/mod/direct 0/rm32/eax . . . 4/r32/esp . . # copy esp to eax # . var handle/ecx = {random, random} 68/push 1234/imm32/address 68/push 5678/imm32/alloc-id 89/copy 3/mod/direct 1/rm32/ecx . . . 4/r32/esp . . # copy esp to ecx # try to allocate # . new(ad, 2, handle/ecx) # . . push args 51/push-ecx 68/push 2/imm32/size 50/push-eax # . . call e8/call new/disp32 # . . discard args 81 0/subop/add 3/mod/direct 4/rm32/esp . . . . . 0xc/imm32 # add to esp # handle should be cleared # . check-ints-equal(handle->alloc_id, 0, msg) # . . push args 68/push "F - test-new-failure: alloc id of handle"/imm32 68/push 0/imm32 ff 6/subop/push 0/mod/indirect 1/rm32/ecx . . . . . . # push *ecx # . . call e8/call check-ints-equal/disp32 # . . discard args 81 0/subop/add 3/mod/direct 4/rm32/esp . . . . . 0xc/imm32 # add to esp # . check-ints-equal(handle->address, 0, msg) # . . push args 68/push "F - test-new-failure: address of handle"/imm32 68/push 0/imm32 ff 6/subop/push 1/mod/*+disp8 1/rm32/ecx . . . . 4/disp8 . # push *(ecx+4) # . . call e8/call check-ints-equal/disp32 # . . discard args 81 0/subop/add 3/mod/direct 4/rm32/esp . . . . . 0xc/imm32 # add to esp # Next-alloc-id should be unmodified # . check-ints-equal(*Next-alloc-id, 0x34) # . . push args 68/push "F - test-new-failure: next alloc id"/imm32 68/push 0x34/imm32 ff 6/subop/push 0/mod/indirect 5/rm32/.disp32 . . . Next-alloc-id/disp32 # copy to *Next-alloc-id # . . call e8/call check-ints-equal/disp32 # . . discard args 81 0/subop/add 3/mod/direct 4/rm32/esp . . . . . 0xc/imm32 # add to esp # clean up # . *Next-alloc-id = 1 c7 0/subop/copy 0/mod/indirect 5/rm32/.disp32 . . . Next-alloc-id/disp32 1/imm32 # copy to *Next-alloc-id # . epilogue 89/copy 3/mod/direct 4/rm32/esp . . . 5/r32/ebp . . # copy ebp to esp 5d/pop-to-ebp c3/return lookup: # h : (handle T) -> eax : (addr T) # . prologue 55/push-ebp 89/copy 3/mod/direct 5/rm32/ebp . . . 4/r32/esp . . # copy esp to ebp # - as a proof of concept for future inlining, uses no general-purpose registers besides the output (eax) # eax = handle 8b/copy 1/mod/*+disp8 5/rm32/ebp . . . 0/r32/eax 8/disp8 . # copy *(ebp+8) to eax # - inline { # push handle->alloc_id ff 6/subop/push 0/mod/indirect 0/rm32/eax . . . . . . # push *eax # eax = handle->address (payload) 8b/copy 1/mod/*+disp8 0/rm32/eax . . . . 4/disp8 . # copy *(eax+4) to eax # push handle->address 50/push-eax # eax = payload->alloc_id 8b/copy 0/mod/indirect 0/rm32/eax . . . . . . # copy *eax to eax # if (eax != handle->alloc_id) abort 39/compare 1/mod/*+disp8 4/rm32/sib 4/base/esp 4/index/none . 0/r32/eax 4/disp8 . # compare *(esp+4) and eax 75/jump-if-not-equal $lookup:abort/disp8 # eax = pop handle->address 58/pop-to-eax # discard handle->alloc_id 81 0/subop/add 3/mod/direct 4/rm32/esp . . . . . 4/imm32 # add to esp # add 4 05/add-to-eax 4/imm32 # - } # - alternative consuming a second register { #? # ecx = handle->alloc_id #? 8b/copy 0/mod/indirect 0/rm32/eax . . . 1/r32/ecx . . # copy *eax to ecx #? # eax = handle->address (payload) #? 8b/copy 1/mod/*+disp8 0/rm32/eax . . . 0/r32/eax 4/disp8 . # copy *(eax+4) to eax #? # if (ecx != *eax) abort #? 39/compare 0/mod/indirect 0/rm32/eax . . . 1/r32/ecx . . # compare *eax and ecx #? 75/jump-if-not-equal $lookup:abort/disp8 #? # add 4 to eax #? 05/add-to-eax 4/imm32 # - } # . epilogue 89/copy 3/mod/direct 4/rm32/esp . . . 5/r32/ebp . . # copy ebp to esp 5d/pop-to-ebp c3/return $lookup:abort: # . _write(2/stderr, msg) # . . push args 68/push "lookup failed\n"/imm32 68/push 2/imm32/stderr # . . call e8/call _write/disp32 # . . discard args 81 0/subop/add 3/mod/direct 4/rm32/esp . . . . . 8/imm32 # add to esp # . syscall(exit, 1) bb/copy-to-ebx 1/imm32/exit-status b8/copy-to-eax 1/imm32/exit cd/syscall 0x80/imm8 test-lookup-success: # . prologue 55/push-ebp 89/copy 3/mod/direct 5/rm32/ebp . . . 4/r32/esp . . # copy esp to ebp # . save registers # var heap/ebx : (ref allocation-descriptor) 68/push 0/imm32/limit 68/push 0/imm32/curr 89/copy 3/mod/direct 3/rm32/ebx . . . 4/r32/esp . . # copy esp to ebx # heap = new-segment(512) # . . push args 53/push-ebx 68/push 0x200/imm32 # . . call e8/call new-segment/disp32 # . . discard args 81 0/subop/add 3/mod/direct 4/rm32/esp . . . . . 8/imm32 # add to esp # var handle/ecx : (ref handle) 68/push 0/imm32/address 68/push 0/imm32/alloc-id 89/copy 3/mod/direct 1/rm32/ecx . . . 4/r32/esp . . # copy esp to ecx # var old_top/edx = heap->curr 8b/copy 0/mod/indirect 3/rm32/ebx . . . 2/r32/edx . . # copy *ebx to edx # new(heap, 2, handle) # . . push args 51/push-ecx 68/push 2/imm32/size 53/push-ebx # . . call e8/call new/disp32 # . . discard args 81 0/subop/add 3/mod/direct 4/rm32/esp . . . . . 0xc/imm32 # add to esp # eax = lookup(handle) # . . push args 51/push-ecx # . . call e8/call lookup/disp32 # . . discard args 81 0/subop/add 3/mod/direct 4/rm32/esp . . . . . 4/imm32 # add to esp # eax contains old top of heap, except skipping the alloc id in the payload # . check-ints-equal(eax, old_top+4, msg) # . . push args 68/push "F - test-lookup-success"/imm32 81 0/subop/add 3/mod/direct 2/rm32/edx . . . . . 4/imm32 # add to edx 52/push-edx 50/push-eax # . . call e8/call check-ints-equal/disp32 # . . discard args 81 0/subop/add 3/mod/direct 4/rm32/esp . . . . . 0xc/imm32 # add to esp # clean up # . *Next-alloc-id = 1 c7 0/subop/copy 0/mod/indirect 5/rm32/.disp32 . . . Next-alloc-id/disp32 1/imm32 # copy to *Next-alloc-id # write(2/stderr, "lookup succeeded\n") # . . push args 68/push "lookup succeeded\n"/imm32 68/push 2/imm32/stderr # . . call e8/call write/disp32 # . . discard args 81 0/subop/add 3/mod/direct 4/rm32/esp . . . . . 8/imm32 # add to esp # . restore registers 5a/pop-to-edx 59/pop-to-ecx # . epilogue 89/copy 3/mod/direct 4/rm32/esp . . . 5/r32/ebp . . # copy ebp to esp 5d/pop-to-ebp c3/return test-lookup-failure: # . prologue 55/push-ebp 89/copy 3/mod/direct 5/rm32/ebp . . . 4/r32/esp . . # copy esp to ebp # var heap/esi : (ref allocation-descriptor) 68/push 0/imm32/limit 68/push 0/imm32/curr 89/copy 3/mod/direct 6/rm32/esi . . . 4/r32/esp . . # copy esp to esi # heap = new-segment(512) # . . push args 56/push-esi 68/push 0x200/imm32 # . . call e8/call new-segment/disp32 # . . discard args 81 0/subop/add 3/mod/direct 4/rm32/esp . . . . . 8/imm32 # add to esp # var h1/ecx : (ref handle) 68/push 0/imm32/address 68/push 0/imm32/alloc-id 89/copy 3/mod/direct 1/rm32/ecx . . . 4/r32/esp . . # copy esp to ecx # var old_top/ebx = heap->curr 8b/copy 0/mod/indirect 6/rm32/esi . . . 3/r32/ebx . . # copy *esi to ebx # first allocation, to h1 # . new(heap, 2, h1) # . . push args 51/push-ecx 68/push 2/imm32/size 56/push-esi # . . call e8/call new/disp32 # . . discard args 81 0/subop/add 3/mod/direct 4/rm32/esp . . . . . 0xc/imm32 # add to esp # reset heap->curr to mimic reclamation 89/copy 0/mod/indirect 6/rm32/esi . . . 3/r32/ebx . . # copy ebx to *esi # second allocation that returns the same address as the first # var h2/edx : (ref handle) 68/push 0/imm32/address 68/push 0/imm32/alloc-id 89/copy 3/mod/direct 2/rm32/edx . . . 4/r32/esp . . # copy esp to edx # . new(heap, 2, h2) # . . push args 52/push-edx 68/push 2/imm32/size 56/push-esi # . . call e8/call new/disp32 # . . discard args 81 0/subop/add 3/mod/direct 4/rm32/esp . . . . . 0xc/imm32 # add to esp # check-ints-equal(h1->address, h2->address, msg) # . . push args 68/push "F - test-lookup-failure"/imm32 ff 6/subop/push 1/mod/*+disp8 2/rm32/ecx . . . . 4/disp8 . # push *(edx+4) ff 6/subop/push 1/mod/*+disp8 1/rm32/ecx . . . . 4/disp8 . # push *(ecx+4) # . . call e8/call check-ints-equal/disp32 # . . discard args 81 0/subop/add 3/mod/direct 4/rm32/esp . . . . . 0xc/imm32 # add to esp # lookup(h1) should crash # . . push args 51/push-ecx # . . call e8/call lookup/disp32 # should never get past this point # . . discard args 81 0/subop/add 3/mod/direct 4/rm32/esp . . . . . 4/imm32 # add to esp # clean up # . *Next-alloc-id = 1 c7 0/subop/copy 0/mod/indirect 5/rm32/.disp32 . . . Next-alloc-id/disp32 1/imm32 # copy to *Next-alloc-id # . epilogue 89/copy 3/mod/direct 4/rm32/esp . . . 5/r32/ebp . . # copy ebp to esp 5d/pop-to-ebp c3/return == data # Monotonically increasing counter for calls to 'new' Next-alloc-id: # int 1/imm32 # . . vim:nowrap:textwidth=0