32. Signatures in the MPS

32.1. Introduction

Integrity of data structures is absolutely critical to the cost of deploying the Memory Pool System. Memory corruption and memory management bugs are incredibly hard to detect and debug, often manifesting themselves hours or days after they occur. One of the key ways the MPS detects corruption or the passing of illegal data is using signatures. This simple technique has proved invaluable at catching defects early.

This is based on [RB_1995-08-25].

32.2. Overview

Signatures are magic numbers which are written into structures when they are created and invalidated (by overwriting with SigInvalid) when they are destroyed. They provide a limited form of run-time type checking and dynamic scope checking. They are a simplified form of “Structure Marking”, a technique used in the Multics filesystem [THVV_1995].

32.3. Definitions

Nearly every structure should start with a field of type Sig with the name sig. For example:

typedef struct mps_message_s {
  Sig sig;                      /* <design/sig/> */
  Arena arena;                  /* owning arena */
  MessageClass class;           /* Message Class Structure */
  Clock postedClock;            /* mps_clock() at post time, or 0 */
  RingStruct queueRing;         /* Message queue ring */
} MessageStruct;

There must also be a definition for the valid value for that signature:

#define MessageSig      ((Sig)0x5193e559) /* SIG MESSaGe */

This is a 32-bit hex constant, spelled according to guide.hex.trans:

ABCDEFGHIJKLMNOPQRSTUVWXYZ
ABCDEF9811C7340BC6520F3812

This allows the structure to be recognised when looking at memory in a hex dump or memory window, or found using memory searches.

32.4. Init and Finish

When the structure is initialised, the signature is initialised as the last action, just before validating it. (Think of it as putting your signature at the bottom of a document to say it’s done.) This ensures that the structure will appear invalid until it is completely initialized and ready to use. For example:

void MessageInit(...) {
  ...
  message->arena = arena;
  message->class = class;
  RingInit(&message->queueRing);
  message->postedClock = 0;
  message->sig = MessageSig;
  AVERT(Message, message);
}

When the structure is finished, the signature is invalidated as the first action, ensuring that the structure appears invalid while it is being torn down. For example:

void MessageFinish(Message message)
{
  AVERT(Message, message);
  AVER(RingIsSingle(&message->queueRing));

  message->sig = SigInvalid;
  RingFinish(&message->queueRing);
}

Do not do anything else with signatures. See .rule.purpose.

32.5. Checking

.check.arg: Every function that takes a pointer to a signed structure should check its argument.

.check.arg.unlocked: A function that does not hold the arena lock should check the argument using AVER(TESTT(type, val)), which checks that val->sig is the correct signature for type.

.check.arg.locked: A function that holds the arena lock should check the argument using the AVERT macro. This macro has different definitions depending on how the MPS is compiled (see design.mps.config.def.var). It may simply check the signature, or call the full checking function for the structure.

.check.sig: The checking function for the structure should also validate the signature as its first step using the CHECKS() macro (see check.h). For example:

Bool MessageCheck(Message message)
{
  CHECKS(Message, message);
  CHECKU(Arena, message->arena);
  CHECKD(MessageClass, message->class);
  ...

This combination makes it extremely difficult to get an object of the wrong type, an uninitialized object, or a dead object, or a random pointer into a function.

32.6. Rules

.rule.purpose: Do not use signatures for any other purpose. For example, don’t use them to make any actual decisions within the code. They must not be used to discriminate between structure variants (or union members). They must not be used to try to detect whether a structure has been initialised or finished. They are there to double-check whether these facts are true. They lose their value as a consistency check if the code uses them as well.

32.7. Tools

.test.uniq: The Unix command:

sed -n '/^#define [a-zA-Z]*Sig/s/[^(]*(/(/p' code/*.[ch] | sort | uniq -c

will display all signatures defined in the MPS along with a count of how many times they are defined. If any counts are greater than 1, then the same signature value is being used for different signatures. This is undesirable and the problem should be investigated.

32.8. References

RB_1995-08-25

Richard Brooksby. Harlequin. 1995-08-25. “design.mps.sig: The design of the Memory Pool System Signature System”.

THVV_1995

Tom Van Vleck. 1995. “Structure Marking”.