mfbt/NonDereferenceable.h
author Andrea Marchesini <amarchesini@mozilla.com>
Wed, 31 Oct 2018 18:30:18 +0100
changeset 500246 544498045a9cfe55968fa6500bffbc3181869fce
parent 470586 d97b8efcbc044a3998c70e10459abd24a43252c5
child 505383 6f3709b3878117466168c40affa7bca0b60cf75b
permissions -rw-r--r--
Bug 1486698 - Update Fetch+Stream implementation to throw when the stream is disturbed or locked, r=bz In this patch, I went through any place in DOM fetch code, where there are ReadableStreams and update the locked, disturbed, readable checks. Because we expose streams more often, we need an extra care in the use of ErrorResult objects. JS streams can now throw exceptions and we need to handle them. This patch also fixes a bug in FileStreamReader::CloseAndRelease() which could be called in case mReader creation fails.

/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
/* vim: set ts=8 sts=2 et sw=2 tw=80: */
/* This Source Code Form is subject to the terms of the Mozilla Public
 * License, v. 2.0. If a copy of the MPL was not distributed with this
 * file, You can obtain one at http://mozilla.org/MPL/2.0/. */

#ifndef mozilla_NonDereferenceable_h
#define mozilla_NonDereferenceable_h

/* A pointer wrapper indicating that the pointer should not be dereferenced. */

#include "mozilla/Attributes.h"
#include "mozilla/TypeTraits.h"

#include <cstdint>

// Macro indicating that a function manipulates a pointer that will not be
// dereferenced, and therefore there is no need to check the object.
#if defined(__clang__)
#define NO_POINTEE_CHECKS __attribute__((no_sanitize("vptr")))
#else
#define NO_POINTEE_CHECKS /* nothing */
#endif

namespace mozilla {

// NonDereferenceable<T> wraps a raw pointer value of type T*, but prevents
// dereferencing.
//
// The main use case is for pointers that referencing memory that may not
// contain a valid object, either because the object has already been freed, or
// is under active construction or destruction (and hence parts of it may be
// uninitialized or destructed.)
// Such a pointer may still be useful, e.g., for its numeric value for
// logging/debugging purposes, which may be accessed with `value()`.
// Using NonDereferenceable with such pointers will make this intent clearer,
// and prevent misuses.
//
// Note that NonDereferenceable is only a wrapper and is NOT an owning pointer,
// i.e., it will not release/free the object.
//
// NonDereferenceable allows conversions between compatible pointer types, e.g.,
// to navigate a class hierarchy and identify parent/sub-objects. Note that the
// converted pointers stay safely NonDereferenceable.
//
// Use of NonDereferenceable is required to avoid errors from sanitization tools
// like `clang++ -fsanitize=vptr`, and should prevent false positives while
// pointers are manipulated within NonDereferenceable objects.
//
template<typename T>
class NonDereferenceable
{
public:
  // Default construction with a null value.
  NonDereferenceable()
    : mPtr(nullptr)
  {
  }

  // Default copy construction and assignment.
  NO_POINTEE_CHECKS
  NonDereferenceable(const NonDereferenceable&) = default;
  NO_POINTEE_CHECKS
  NonDereferenceable<T>& operator=(const NonDereferenceable&) = default;
  // No move operations, as we're only carrying a non-owning pointer, so
  // copying is most efficient.

  // Construct/assign from a T* raw pointer.
  // A raw pointer should usually point at a valid object, however we want to
  // leave the ability to the user to create a NonDereferenceable from any
  // pointer. Also, strictly speaking, in a constructor or destructor, `this`
  // points at an object still being constructed or already partially
  // destructed, which some very sensitive sanitizers could complain about.
  NO_POINTEE_CHECKS
  explicit NonDereferenceable(T* aPtr)
    : mPtr(aPtr)
  {
  }
  NO_POINTEE_CHECKS
  NonDereferenceable& operator=(T* aPtr)
  {
    mPtr = aPtr;
    return *this;
  }

  // Construct/assign from a compatible pointer type.
  template<typename U>
  NO_POINTEE_CHECKS explicit NonDereferenceable(U* aOther)
    : mPtr(static_cast<T*>(aOther))
  {
  }
  template<typename U>
  NO_POINTEE_CHECKS NonDereferenceable& operator=(U* aOther)
  {
    mPtr = static_cast<T*>(aOther);
    return *this;
  }

  // Construct/assign from a NonDereferenceable with a compatible pointer type.
  template<typename U>
  NO_POINTEE_CHECKS MOZ_IMPLICIT
  NonDereferenceable(const NonDereferenceable<U>& aOther)
    : mPtr(static_cast<T*>(aOther.mPtr))
  {
  }
  template<typename U>
  NO_POINTEE_CHECKS NonDereferenceable& operator=(
    const NonDereferenceable<U>& aOther)
  {
    mPtr = static_cast<T*>(aOther.mPtr);
    return *this;
  }

  // Explicitly disallow dereference operators, so that compiler errors point
  // at these lines:
  T& operator*() = delete;  // Cannot dereference NonDereferenceable!
  T* operator->() = delete; // Cannot dereference NonDereferenceable!

  // Null check.
  NO_POINTEE_CHECKS
  explicit operator bool() const { return !!mPtr; }

  // Extract the pointer value, untyped.
  NO_POINTEE_CHECKS
  uintptr_t value() const { return reinterpret_cast<uintptr_t>(mPtr); }

private:
  // Let other NonDereferenceable templates access mPtr, to permit construction/
  // assignment from compatible pointer types.
  template<typename> friend class NonDereferenceable;

  T* MOZ_NON_OWNING_REF mPtr;
};

} // namespace mozilla

#undef NO_POINTEE_CHECKS

#endif /* mozilla_NonDereferenceable_h */